@joelhans
Last active June 24, 2022 14:17
#
# provision_server.yaml
# Author: Joel Hans, for SSD Nodes
#
# This script aims to accomplish a few simple tasks:
# * Create a new user with `sudo` access
# * Enable SSH key-based authentication
# * Harden SSH with some simple-but-logical options
# * Install a few packages for convenience
#
---
- hosts: ssdnodes
  remote_user: root
  vars_prompt:
    - name: "user_name"
      prompt: "Enter a name for the new user"
      private: no
      confirm: yes
    - name: "user_password"
      prompt: "Enter a password for the new user"
      private: yes
      # Hash the prompted password locally so only the sha512-crypt hash reaches the host
      encrypt: "sha512_crypt"
      confirm: yes
      salt_size: 7
  tasks:
    - name: Check to make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    - name: Enabling su/sudo access for wheel group
      lineinfile:
        dest: /etc/pam.d/su
        state: present
        # Debian ships the line commented as "# auth       required   pam_wheel.so",
        # so allow a space after '#' and any run of whitespace between the fields
        regexp: '^#?\s*auth\s+required\s+pam_wheel\.so'
        line: 'auth required pam_wheel.so'
      when: ansible_os_family == "Debian"

    - name: Install the 'sudo' package
      package:
        name: sudo
        state: latest

    - name: Grant sudo rights to the wheel group
      # Debian's stock sudoers only grants the 'sudo' group, so a user in 'wheel'
      # would otherwise get no sudo access. visudo validates the edited copy
      # before it replaces the live file.
      lineinfile:
        dest: /etc/sudoers
        regexp: '^#?\s*%wheel\s+ALL='
        line: '%wheel ALL=(ALL:ALL) ALL'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create the non-root user
      user:
        name: "{{ user_name }}"
        password: "{{ user_password }}"
        shell: "/bin/bash"
        groups: "wheel"
        append: yes

    - name: Add local public key for key-based SSH authentication
      authorized_key:
        user: "{{ user_name }}"
        key: "{{ item }}"
      # with_file reads the key on the control node, not on the target
      with_file:
        - ~/.ssh/id_rsa.pub

    - name: Harden sshd configuration
      lineinfile:
        # The daemon reads /etc/ssh/sshd_config; "/etc/ssh/sshd" does not exist,
        # and lineinfile (create=no by default) fails on a missing destination
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        # Refuse the edit if sshd rejects the resulting file, so a bad directive
        # cannot lock us out when the service is restarted below
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: "^#?PermitRootLogin", line: "PermitRootLogin no" }
        - { regexp: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
        - { regexp: "^#?AllowAgentForwarding", line: "AllowAgentForwarding no" }
        - { regexp: "^#?AllowTcpForwarding", line: "AllowTcpForwarding no" }
        - { regexp: "^#?MaxAuthTries", line: "MaxAuthTries 2" }
        - { regexp: "^#?MaxSessions", line: "MaxSessions 2" }
        - { regexp: "^#?TCPKeepAlive", line: "TCPKeepAlive no" }
        - { regexp: "^#?UseDNS", line: "UseDNS no" }

    - name: Restart sshd
      systemd:
        state: restarted
        daemon_reload: yes
        # Debian names the unit 'ssh'; 'sshd' is only an alias once the unit is enabled
        name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"

    - name: Install a few more packages for the sake of convenience
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - nano
        - vim
        - htop
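The "Harden sshd configuration" task relies on two behaviours that are easy to get wrong: lineinfile replaces only the last line matching the regexp (or appends when nothing matches), while sshd itself honours the first uncommented occurrence of a keyword. The following is an added Python example, not part of the gist, that models both behaviours against constructed sshd_config samples and audits whether the hardened values are the ones sshd would actually use. The sample configs, and the helper names lineinfile, apply_hardening, effective_settings and audit, are assumptions made for this illustration; Include directives are not expanded.

```python
import re

# Constructed stand-in for a stock Debian-style sshd_config (not taken from the gist)
STOCK_CONFIG = """\
# sshd_config: constructed sample
#Port 22
#PermitRootLogin prohibit-password
#MaxAuthTries 6
#MaxSessions 10
#PasswordAuthentication yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#TCPKeepAlive yes
#UseDNS no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed config where an earlier admin enabled password logins near the top.
# lineinfile edits the LAST match, so that earlier active line survives and wins.
DUPLICATE_CONFIG = """\
PasswordAuthentication yes
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
"""

# The same directives the playbook's hardening task applies
HARDENING = [
    ("^#?PermitRootLogin", "PermitRootLogin no"),
    ("^#?PasswordAuthentication", "PasswordAuthentication no"),
    ("^#?AllowAgentForwarding", "AllowAgentForwarding no"),
    ("^#?AllowTcpForwarding", "AllowTcpForwarding no"),
    ("^#?MaxAuthTries", "MaxAuthTries 2"),
    ("^#?MaxSessions", "MaxSessions 2"),
    ("^#?TCPKeepAlive", "TCPKeepAlive no"),
    ("^#?UseDNS", "UseDNS no"),
]


def lineinfile(text: str, regexp: str, line: str) -> str:
    """Model of Ansible lineinfile with regexp+line (state=present): the last
    line matching regexp is replaced; if no line matches, line is appended."""
    lines = text.splitlines()
    pattern = re.compile(regexp)
    hits = [i for i, current in enumerate(lines) if pattern.search(current)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def apply_hardening(text: str, rules=HARDENING) -> str:
    """Apply every (regexp, line) pair in order, as the with_items loop does."""
    for regexp, line in rules:
        text = lineinfile(text, regexp, line)
    return text


def effective_settings(text: str) -> dict:
    """Global-scope view of what sshd will use: for each keyword the FIRST
    uncommented occurrence wins, and parsing stops at the first Match block.
    Keywords are case-insensitive; 'key value' and 'key=value' are accepted."""
    settings = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str, rules=HARDENING) -> list:
    """List every hardened directive whose effective value differs from the
    intended one; an empty list means sshd would run with all of them."""
    effective = effective_settings(text)
    findings = []
    for _, line in rules:
        key, _, wanted = line.partition(" ")
        got = effective.get(key.lower())
        if got != wanted:
            findings.append(f"{key}: wanted {wanted!r}, effective {got!r}")
    return findings


if __name__ == "__main__":
    for label, config in (("stock", STOCK_CONFIG), ("duplicate", DUPLICATE_CONFIG)):
        print(label, audit(apply_hardening(config)) or "all hardened directives effective")
```

On the stock sample every directive is commented out exactly once, so each edit lands on the right line and the audit is clean. On the duplicate sample the edit rewrites the commented copy and leaves the active PasswordAuthentication yes at the top, which is the one sshd uses; the audit reports it. On a real host, `sshd -T` prints the resolved configuration and is the authoritative version of this check.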