Last active
September 15, 2020 18:13
-
-
Save andrewsomething/f2307d1ea07329fd9273821d5709d15f to your computer and use it in GitHub Desktop.
My "first five minutes" on a server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Restart sshd | |
| service: | |
| name: ssh | |
| state: restarted | |
| become: yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Update APT cache | |
| apt: update_cache=yes | |
| become: yes | |
| - name: Upgrade APT packages | |
| apt: upgrade=dist | |
| become: yes | |
| - name: Install common APT packages | |
| apt: | |
| pkg: "{{ item }}" | |
| state: installed | |
| with_items: [ 'byobu', 'fail2ban', 'git', 'htop', 'openssl', | |
| 'ssh-import-id', 'ufw', 'vim' ] | |
| become: yes | |
| - name: Use UFW with IPv6 | |
| lineinfile: | |
| dest: /etc/default/ufw | |
| regexp: "^IPV6" | |
| line: "IPV6=yes" | |
| state: present | |
| become: yes | |
| - name: UFW deny incoming | |
| ufw: | |
| direction: incoming | |
| policy: deny | |
| become: yes | |
| - name: UFW allow outgoing | |
| ufw: | |
| direction: outgoing | |
| policy: allow | |
| become: yes | |
| - name: Open port 22 | |
| ufw: | |
| rule: allow | |
| port: 22 | |
| proto: tcp | |
| become: yes | |
| - name: Enable ufw | |
| ufw: | |
| state: enabled | |
| become: yes | |
| - name: Ensure 'wheel' group exists | |
| group: | |
| name: wheel | |
| state: present | |
| - name: Allow 'wheel' group to have passwordless sudo | |
| lineinfile: | |
| dest: /etc/sudoers | |
| state: present | |
| regexp: '^%wheel' | |
| line: '%wheel ALL=(ALL) NOPASSWD: ALL' | |
| become: yes | |
| - name: Add default user with sudo access | |
| user: | |
| name: "{{ username }}" | |
| group: "wheel" | |
| shell: /bin/bash | |
| state: present | |
| become: yes | |
| - name: Add SSH keys to authorized_keys using ssh-import-id | |
| command: /usr/bin/ssh-import-id gh:{{ gh_username }} -o /home/{{ username }}/.ssh/authorized_keys | |
| args: | |
| creates: /home/{{ username }}/.ssh/authorized_keys | |
| become: yes | |
| become_user: "{{ username }}" | |
| - name: Enable byobu for default user | |
| command: byobu-enable | |
| args: | |
| creates: /home/{{ username }}/.byobu/ | |
| become: yes | |
| become_user: "{{ username }}" | |
| - name: Delete root password | |
| user: | |
| name: root | |
| password: "" | |
| become: yes | |
| - name: Remove authorized_keys file for root user | |
| file: | |
| path: /root/.ssh/authorized_keys | |
| state: absent | |
| become: yes | |
| - name: Disallow root SSH access | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^PermitRootLogin" | |
| line: "PermitRootLogin no" | |
| state: present | |
| become: yes | |
| notify: Restart sshd | |
| - name: Disallow password authentication | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^PasswordAuthentication" | |
| line: "PasswordAuthentication no" | |
| state: present | |
| become: yes | |
| notify: Restart sshd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username: asb | |
| gh_username: andrewsomething |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment