lavenderguiar
3 years ago
11 changed files with 265 additions and 1 deletions
@ -1,2 +1,2 @@ |
|||
# linode-preflight |
|||
# Linode-Preflight |
|||
A set of Ansible tasks for preflighting a Linode instance. |
|||
|
|||
@ -0,0 +1,15 @@ |
|||
--- |
|||
# Preflight |
|||
preflight__timezone: UTC |
|||
|
|||
# Firewall |
|||
firewall__ssh_rule: limit |
|||
|
|||
# User |
|||
admin_user: "admin" |
|||
admin_group: "admin" |
|||
|
|||
# SSH Config |
|||
ssh__port: 8822 |
|||
ssh__password_authentication: "no" |
|||
ssh__address_family: "inet" |
|||
@ -0,0 +1,6 @@ |
|||
--- |
|||
- name: restart sshd |
|||
service: |
|||
name: sshd |
|||
state: restarted |
|||
become: yes |
|||
@ -0,0 +1,9 @@ |
|||
galaxy-info: |
|||
author: James Lavender |
|||
description: A set of preflight tasks for any Linode Instance. |
|||
license: GPLv3 |
|||
min_ansible_version: 1.2 |
|||
galaxy-tags: |
|||
- linode-preflight |
|||
|
|||
dependencies: [] |
|||
@ -0,0 +1,25 @@ |
|||
--- |
|||
- name: add_user | Add admin user |
|||
user: |
|||
name: "{{ admin_user }}" |
|||
group: "{{ admin_group }}" |
|||
state: present |
|||
create_home: yes |
|||
become: yes |
|||
|
|||
- name: add_user | Ensure admin user ssh directory exists |
|||
file: |
|||
path: "/home/{{ admin_user }}/.ssh/" |
|||
state: directory |
|||
owner: "{{ admin_user }}" |
|||
group: "{{ admin_group }}" |
|||
mode: 0700 |
|||
become: yes |
|||
|
|||
- name: add_user | Add SSH keys to admin user |
|||
authorized_key: |
|||
user: "{{ admin_user }}" |
|||
state: "{{ item.state }}" |
|||
key: "{{ item.key }}" |
|||
with_items: "{{ authorized_keys }}" |
|||
become: yes |
|||
@ -0,0 +1,49 @@ |
|||
--- |
|||
- name: firewall | install ufw |
|||
apt: |
|||
pkg: ufw |
|||
state: present |
|||
become: yes |
|||
|
|||
- name: firewall | Open ssh port |
|||
ufw: |
|||
state: enabled |
|||
rule: "{{ firewall__ssh_rule }}" |
|||
port: "{{ item }}" |
|||
proto: tcp |
|||
loop: |
|||
- 22 |
|||
- 8822 |
|||
become: yes |
|||
|
|||
- name: firewall | deny all incoming connections |
|||
ufw: |
|||
state: enabled |
|||
policy: deny |
|||
direction: incoming |
|||
become: yes |
|||
|
|||
- name: firewall | allow all outgoing connections |
|||
ufw: |
|||
state: enabled |
|||
policy: allow |
|||
direction: outgoing |
|||
become: yes |
|||
|
|||
- name: firewall | allow all connections from localhost |
|||
ufw: |
|||
state: enabled |
|||
from: "127.0.0.1" |
|||
rule: allow |
|||
proto: any |
|||
become: yes |
|||
|
|||
- name: firewall | Copy SSH config |
|||
template: |
|||
src: "etc/ssh/sshd_config.j2" |
|||
dest: "/etc/ssh/sshd_config" |
|||
mode: 0644 |
|||
validate: '/usr/sbin/sshd -t -f %s' |
|||
become: yes |
|||
notify: restart sshd |
|||
|
|||
@ -0,0 +1,4 @@ |
|||
--- |
|||
- include_tasks: preflight.yml |
|||
- include_tasks: add_user.yml |
|||
- include_tasks: firewall.yml |
|||
@ -0,0 +1,2 @@ |
|||
--- |
|||
- name: ohmybash | Install oh-my-bash |
|||
@ -0,0 +1,27 @@ |
|||
--- |
|||
- name: preflight | install ntp |
|||
apt: |
|||
name: ntp |
|||
state: present |
|||
become: yes |
|||
|
|||
- name: preflight | ensure ntp is running on boot |
|||
service: |
|||
name: ntp |
|||
state: started |
|||
enabled: yes |
|||
become: yes |
|||
|
|||
- name: preflight | Set Timezone |
|||
timezone: |
|||
name: "{{ preflight__timezone }}" |
|||
become: yes |
|||
|
|||
- name: preflight | copy 10periodic unattended upgrades |
|||
template: |
|||
src: "etc/apt/apt.conf.d/10periodic.j2" |
|||
dest: "/etc/apt/apt.conf.d/10periodic" |
|||
owner: root |
|||
group: root |
|||
mode: 0644 |
|||
become: yes |
|||
@ -0,0 +1,4 @@ |
|||
APT::Periodic::Update-Package-Lists "1"; |
|||
APT::Periodic::Unattended-Upgrade "1"; |
|||
APT::Periodic::Download-Upgradeable-Packages "0"; |
|||
APT::Periodic::AutocleanInterval "0"; |
|||
@ -0,0 +1,123 @@ |
|||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ |
|||
|
|||
# This is the sshd server system-wide configuration file. See |
|||
# sshd_config(5) for more information. |
|||
|
|||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin |
|||
|
|||
# The strategy used for options in the default sshd_config shipped with |
|||
# OpenSSH is to specify options with their default value where |
|||
# possible, but leave them commented. Uncommented options override the |
|||
# default value. |
|||
|
|||
Include /etc/ssh/sshd_config.d/*.conf |
|||
|
|||
Port {{ ssh__port }} |
|||
AddressFamily {{ ssh__address_family }} |
|||
#ListenAddress 0.0.0.0 |
|||
#ListenAddress :: |
|||
|
|||
#HostKey /etc/ssh/ssh_host_rsa_key |
|||
#HostKey /etc/ssh/ssh_host_ecdsa_key |
|||
#HostKey /etc/ssh/ssh_host_ed25519_key |
|||
|
|||
# Ciphers and keying |
|||
#RekeyLimit default none |
|||
|
|||
# Logging |
|||
#SyslogFacility AUTH |
|||
#LogLevel INFO |
|||
|
|||
# Authentication: |
|||
|
|||
#LoginGraceTime 2m |
|||
PermitRootLogin yes |
|||
#StrictModes yes |
|||
#MaxAuthTries 6 |
|||
#MaxSessions 10 |
|||
|
|||
#PubkeyAuthentication yes |
|||
|
|||
# Expect .ssh/authorized_keys2 to be disregarded by default in future. |
|||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 |
|||
|
|||
#AuthorizedPrincipalsFile none |
|||
|
|||
#AuthorizedKeysCommand none |
|||
#AuthorizedKeysCommandUser nobody |
|||
|
|||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
|||
#HostbasedAuthentication no |
|||
# Change to yes if you don't trust ~/.ssh/known_hosts for |
|||
# HostbasedAuthentication |
|||
#IgnoreUserKnownHosts no |
|||
# Don't read the user's ~/.rhosts and ~/.shosts files |
|||
#IgnoreRhosts yes |
|||
|
|||
# To disable tunneled clear text passwords, change to no here! |
|||
PasswordAuthentication {{ ssh__password_authentication }} |
|||
PermitEmptyPasswords no |
|||
|
|||
# Change to yes to enable challenge-response passwords (beware issues with |
|||
# some PAM modules and threads) |
|||
ChallengeResponseAuthentication no |
|||
|
|||
# Kerberos options |
|||
#KerberosAuthentication no |
|||
#KerberosOrLocalPasswd yes |
|||
#KerberosTicketCleanup yes |
|||
#KerberosGetAFSToken no |
|||
|
|||
# GSSAPI options |
|||
#GSSAPIAuthentication no |
|||
#GSSAPICleanupCredentials yes |
|||
#GSSAPIStrictAcceptorCheck yes |
|||
#GSSAPIKeyExchange no |
|||
|
|||
# Set this to 'yes' to enable PAM authentication, account processing, |
|||
# and session processing. If this is enabled, PAM authentication will |
|||
# be allowed through the ChallengeResponseAuthentication and |
|||
# PasswordAuthentication. Depending on your PAM configuration, |
|||
# PAM authentication via ChallengeResponseAuthentication may bypass |
|||
# the setting of "PermitRootLogin without-password". |
|||
# If you just want the PAM account and session checks to run without |
|||
# PAM authentication, then enable this but set PasswordAuthentication |
|||
# and ChallengeResponseAuthentication to 'no'. |
|||
UsePAM yes |
|||
|
|||
#AllowAgentForwarding yes |
|||
#AllowTcpForwarding yes |
|||
#GatewayPorts no |
|||
X11Forwarding yes |
|||
#X11DisplayOffset 10 |
|||
#X11UseLocalhost yes |
|||
#PermitTTY yes |
|||
PrintMotd no |
|||
#PrintLastLog yes |
|||
#TCPKeepAlive yes |
|||
#PermitUserEnvironment no |
|||
#Compression delayed |
|||
#ClientAliveInterval 0 |
|||
#ClientAliveCountMax 3 |
|||
#UseDNS no |
|||
#PidFile /var/run/sshd.pid |
|||
#MaxStartups 10:30:100 |
|||
#PermitTunnel no |
|||
#ChrootDirectory none |
|||
#VersionAddendum none |
|||
|
|||
# no default banner path |
|||
#Banner none |
|||
|
|||
# Allow client to pass locale environment variables |
|||
AcceptEnv LANG LC_* |
|||
|
|||
# override default of no subsystems |
|||
Subsystem sftp /usr/lib/openssh/sftp-server |
|||
|
|||
# Example of overriding settings on a per-user basis |
|||
#Match User anoncvs |
|||
# X11Forwarding no |
|||
# AllowTcpForwarding no |
|||
# PermitTTY no |
|||
# ForceCommand cvs server |
|||
Loading…
Reference in new issue