-
-
Save tylerodonnell/b8d144e74c73f77b5c192a038b0942f1 to your computer and use it in GitHub Desktop.
My "first five minutes" on a server
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Restart sshd | |
| service: | |
| name: ssh | |
| state: restarted | |
| become: yes | |
| - name: Start NTP | |
| service: | |
| name: ntp | |
| state: started | |
| enabled: yes |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Update APT cache | |
| apt: update_cache=yes | |
| become: yes | |
| - name: Upgrade APT packages | |
| apt: upgrade=dist | |
| become: yes | |
| - name: Install common APT packages | |
| apt: | |
| pkg: "{{ item }}" | |
| state: installed | |
| with_items: | |
| - acl | |
| - unattended-upgrades | |
| - policykit-1 | |
| - ntp | |
| - wget | |
| - curl | |
| - vim | |
| - ack-grep | |
| - git | |
| - unzip | |
| - htop | |
| - tmux | |
| - ssh-import-id | |
| - fail2ban | |
| - openssl | |
| - ufw | |
| - software-properties-common | |
| become: yes | |
| - name: Use UFW with IPv6 | |
| lineinfile: | |
| dest: /etc/default/ufw | |
| regexp: "^IPV6" | |
| line: "IPV6=yes" | |
| state: present | |
| become: yes | |
| - name: UFW deny incoming | |
| ufw: | |
| direction: incoming | |
| policy: deny | |
| become: yes | |
| - name: UFW allow outgoing | |
| ufw: | |
| direction: outgoing | |
| policy: allow | |
| become: yes | |
| - name: Open port 22 | |
| ufw: | |
| rule: allow | |
| port: 22 | |
| proto: tcp | |
| become: yes | |
| - name: Enable ufw | |
| ufw: | |
| state: enabled | |
| become: yes | |
| - name: Ensure 'wheel' group exists | |
| group: | |
| name: wheel | |
| state: present | |
| - name: Allow 'wheel' group to have passwordless sudo | |
| lineinfile: | |
| dest: /etc/sudoers | |
| state: present | |
| regexp: '^%wheel' | |
| line: '%wheel ALL=(ALL) NOPASSWD: ALL' | |
| become: yes | |
| - name: Add default user with sudo access | |
| user: | |
| name: "{{ username }}" | |
| group: "wheel" | |
| shell: /bin/bash | |
| state: present | |
| become: yes | |
| - name: Add SSH keys to authorized_keys using ssh-import-id | |
| command: /usr/bin/ssh-import-id gh:{{ gh_username }} -o /home/{{ username }}/.ssh/authorized_keys | |
| args: | |
| creates: /home/{{ username }}/.ssh/authorized_keys | |
| become: yes | |
| become_user: "{{ username }}" | |
| - name: Delete root password | |
| user: | |
| name: root | |
| password: "" | |
| become: yes | |
| - name: Remove authorized_keys file for root user | |
| file: | |
| path: /root/.ssh/authorized_keys | |
| state: absent | |
| become: yes | |
| - name: Disallow root SSH access | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^PermitRootLogin" | |
| line: "PermitRootLogin no" | |
| state: present | |
| become: yes | |
| notify: Restart sshd | |
| - name: Disallow password authentication | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^PasswordAuthentication" | |
| line: "PasswordAuthentication no" | |
| state: present | |
| become: yes | |
| notify: Restart sshd |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username: tyler | |
| gh_username: tylerodonnell |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment