diff --git a/defaults/main.yml b/defaults/main.yml index 29e14ae..d8325a5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,10 +6,12 @@ preflight__timezone: UTC firewall__ssh_rule: limit # User -admin_user: "admin" -admin_group: "admin" +user: "admin" +group: "admin" # SSH Config ssh__port: 8822 ssh__password_authentication: "no" -ssh__address_family: "inet" \ No newline at end of file +ssh__address_family: "inet" + +ssh__keys: [] \ No newline at end of file diff --git a/tasks/add_user.yml b/tasks/add_user.yml index d13deaf..5d7a704 100644 --- a/tasks/add_user.yml +++ b/tasks/add_user.yml @@ -1,10 +1,10 @@ --- -- name: add_user | Add admin group +- name: linode_preflight | add_user | Add admin group group: - name: "{{ admin_group }}" + name: "{{ group }}" state: present -- name: add_user | Allow 'admin' group to have passwordless sudo +- name: linode_preflight | add_user | Allow 'admin' group to have passwordless sudo lineinfile: dest: /etc/sudoers state: present @@ -13,27 +13,28 @@ validate: 'visudo -cf %s' become: yes -- name: add_user | Add admin user +- name: linode_preflight | add_user | Add admin user user: - name: "{{ admin_user }}" - group: "{{ admin_group }}" + name: "{{ user }}" + group: "{{ group }}" state: present create_home: yes + shell: /bin/bash become: yes -- name: add_user | Ensure admin user ssh directory exists +- name: linode_preflight | add_user | Ensure admin user ssh directory exists file: - path: "/home/{{ admin_user }}/.ssh/" + path: "/home/{{ user }}/.ssh/" state: directory - owner: "{{ admin_user }}" - group: "{{ admin_group }}" + owner: "{{ user }}" + group: "{{ group }}" mode: 0700 become: yes -- name: add_user | Add SSH keys to admin user +- name: linode_preflight | add_user | Add SSH keys to admin user authorized_key: - user: "{{ admin_user }}" + user: "{{ user }}" state: present key: "{{ item.key }}" - with_items: "{{ ssh_keys }}" + with_items: "{{ ssh__keys }}" become: yes \ No newline at end of file 
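Review bot: The renamed defaults `user` and `group` are the only unprefixed variables in this file, where everything else carries a role prefix (`preflight__timezone`, `firewall__ssh_rule`, `ssh__port`); role defaults have the lowest precedence, so such generic names are easily shadowed by inventory or another role's vars, and the result reads oddly in the task files (`group: "{{ group }}"` in add_user.yml). Suggest keeping the convention, e.g. `ssh__user: "admin"` and `ssh__group: "admin"`, and renaming the references in add_user.yml to match. The new `ssh__keys: []` is consumed as `item.key` in add_user.yml, so its shape should be documented where it is declared, e.g. `# list of {key: "<public key line>"} mappings appended to the admin user's authorized_keys`.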
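Review bot: The `group:` task at the top of the hunk is the only task in this file without `become: yes` (the sudoers, user, file and authorized_key tasks all have it); creating a system group needs root, so unless the play sets become at play level, which is not visible here, this task fails before anything else runs. Add `  become: yes` after its `    state: present`, matching the other tasks. The renamed task `Allow 'admin' group to have passwordless sudo` still hard-codes the group name while the group itself is now `{{ group }}`; `Allow '{{ group }}' group to have passwordless sudo` keeps the log line accurate when the default is overridden. The remaining arguments of that lineinfile task lie between this hunk and the next and are not visible.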
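Review bot: With `ssh__keys` defaulting to `[]` in defaults/main.yml, `ssh__password_authentication: "no"` already in those defaults, and the sshd_config.j2 hunk of this commit switching to `PermitRootLogin no`, a run that forgets to set `ssh__keys` leaves the `authorized_key` loop at the bottom of this hunk with nothing to install and the host with no remaining SSH login path once sshd is restarted. An `assert` placed before the `Add SSH keys to admin user` task makes the play fail early instead of after the lockout. Separately, `with_items` can be written as `loop:` if the targeted Ansible version supports it, and `mode: 0700` is safer quoted as `mode: "0700"` so a YAML 1.2 parser or linter does not read the unquoted form as decimal.
```yaml
- name: linode_preflight | add_user | Refuse to continue without SSH keys for the admin user
  assert:
    that:
      - ssh__keys | length > 0
    fail_msg: "ssh__keys is empty: sshd_config disables root login and password authentication, so no login path would remain"

# … unchanged: "Add SSH keys to admin user" task …
```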
diff --git a/tasks/ansible_dependencies.yml b/tasks/ansible_dependencies.yml index 163f9c5..36f5a62 100644 --- a/tasks/ansible_dependencies.yml +++ b/tasks/ansible_dependencies.yml @@ -1,5 +1,5 @@ --- -- name: linode-preflight | Install Python +- name: linode-preflight | ansible dependencies | Install Python raw: test -e /usr/bin/python || (sudo apt-get -y update && sudo apt-get install -y python2-minimal) register: common__pyout become: yes diff --git a/tasks/firewall.yml b/tasks/firewall.yml index 83ebdd3..66a3076 100644 --- a/tasks/firewall.yml +++ b/tasks/firewall.yml @@ -1,11 +1,11 @@ --- -- name: firewall | install ufw +- name: linode_preflight | firewall | install ufw apt: pkg: ufw state: present become: yes -- name: firewall | Open ssh port +- name: linode_preflight | firewall | Open ssh port ufw: state: enabled rule: "{{ firewall__ssh_rule }}" @@ -16,21 +16,21 @@ - 8822 become: yes -- name: firewall | deny all incoming connections +- name: linode_preflight | firewall | deny all incoming connections ufw: state: enabled policy: deny direction: incoming become: yes -- name: firewall | allow all outgoing connections +- name: linode_preflight | firewall | allow all outgoing connections ufw: state: enabled policy: allow direction: outgoing become: yes -- name: firewall | allow all connections from localhost +- name: linode_preflight | firewall | allow all connections from localhost ufw: state: enabled from: "127.0.0.1" @@ -38,12 +38,11 @@ proto: any become: yes -- name: firewall | Copy SSH config +- name: linode_preflight | firewall | Copy SSH config template: src: "etc/ssh/sshd_config.j2" dest: "/etc/ssh/sshd_config" mode: 0644 validate: '/usr/sbin/sshd -t -f %s' become: yes - notify: restart sshd - + notify: restart sshd \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index dac84ee..565b0b7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
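Review bot: The new task name uses the prefix `linode-preflight | ansible dependencies |` (hyphen, space) while every other task renamed in this commit uses `linode_preflight | <file> |`, e.g. `linode_preflight | add_user | …`, so filtering play output by prefix misses this task; suggest `- name: linode_preflight | ansible_dependencies | Install Python`. The `raw` task registers `common__pyout` but sets no `changed_when`, so it reports changed on every run even when `/usr/bin/python` already exists; presumably `changed_when: common__pyout.stdout | length > 0` reflects the real outcome, since `test -e` prints nothing when it succeeds. The `sudo` inside the command is redundant with `become: yes`.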
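Review bot: The `Open ssh port` task still applies its rule to a literal port list (the context line `- 8822` at the start of the next hunk) while the role exposes `ssh__port: 8822` in defaults/main.yml; an inventory that overrides `ssh__port` ends up with sshd listening on one port and ufw permitting another, which locks the operator out after the sshd restart. Use the variable in that list, `- "{{ ssh__port }}"`, so the two cannot drift. The rest of the task's arguments fall between the two hunks and are not visible here.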
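Review bot: The last hunk drops the trailing newline from tasks/firewall.yml (the `\ No newline at end of file` marker is new on the `+` side), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit's diff noisier; keep `notify: restart sshd` followed by a single newline. In the same task, `mode: 0644` is more portable quoted as `mode: "0644"`, since a YAML 1.2 parser reads the unquoted form as decimal 644 rather than an octal mode.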
@@ -2,4 +2,4 @@ - include_tasks: ansible_dependencies.yml - include_tasks: preflight.yml - include_tasks: add_user.yml -- include_tasks: firewall.yml \ No newline at end of file +- include_tasks: firewall.yml # Always run last. Then swap Ansible user. \ No newline at end of file diff --git a/tasks/preflight.yml b/tasks/preflight.yml index 2bd6436..714c029 100644 --- a/tasks/preflight.yml +++ b/tasks/preflight.yml @@ -1,23 +1,23 @@ --- -- name: preflight | install ntp +- name: linode_preflight | preflight | install ntp apt: name: ntp state: present become: yes -- name: preflight | ensure ntp is running on boot +- name: linode_preflight | preflight | ensure ntp is running on boot service: name: ntp state: started enabled: yes become: yes -- name: preflight | Set Timezone +- name: linode_preflight | preflight | Set Timezone timezone: name: "{{ preflight__timezone }}" become: yes -- name: preflight | copy 10periodic unattended upgrades +- name: linode_preflight | preflight | copy 10periodic unattended upgrades template: src: "etc/apt/apt.conf.d/10periodic.j2" dest: "/etc/apt/apt.conf.d/10periodic" diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2 index 0f4a96c..3c6a736 100644 --- a/templates/etc/ssh/sshd_config.j2 +++ b/templates/etc/ssh/sshd_config.j2 @@ -31,7 +31,7 @@ AddressFamily {{ ssh__address_family }} # Authentication: #LoginGraceTime 2m -PermitRootLogin yes +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10
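Review bot: The comment appended to `- include_tasks: firewall.yml` records a hard ordering requirement and a manual follow-up step (reconnecting as the new user) that nothing in the role enforces, so it belongs above the include with the reason stated rather than as a trailing inline note. Suggest a comment line before it: `# firewall.yml installs sshd_config with PermitRootLogin no and password auth disabled; keep it last, and reconnect as the user created by add_user.yml for later plays.` The file still ends without a newline, which this hunk could have fixed at the same time.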
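Review bot: `PermitRootLogin no` is hard-coded in the template while the neighbouring setting in the hunk header, `AddressFamily {{ ssh__address_family }}`, is driven by a role variable (and defaults/main.yml presumably feeds `ssh__password_authentication` the same way); exposing this one as `PermitRootLogin {{ ssh__permit_root_login }}` with `ssh__permit_root_login: "no"` in defaults/main.yml keeps the role's hardening overridable for a bootstrap run that still has to connect as root. Quoting the default as a string matters, since an unquoted `no` is parsed as a boolean and would render as `False`.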