yumminhuang · March 6, 2021 15:12 · yumminhuang · Apr 24, 2017
diff --git a/secure_init.yml b/secure_init.yml
 ---
 - hosts: all

  vars:
    root_password: xxx
    common_user_password: xxx
    common_user_name: deploy
    ssh_port: 22

  remote_user: root

  become: true

  tasks:
  - name: Change root password
    user:
      name: root
      password: "{{ root_password }}"

  - name: Update all packages to the latest version
    apt:
      update_cache: yes
      upgrade: dist

  - name: Install required packages
    apt:
      name: "{{ item }}"
    with_items:
      - ufw
      - unattended-upgrades

  - name: Setup automatic upgrade
    lineinfile:
      path: /etc/apt/apt.conf.d/10periodic
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      state: present
    with_items:
      - { regexp: '^APT::Periodic::Update-Package-Lists', line: 'APT::Periodic::Update-Package-Lists "1";' }
      - { regexp: '^APT::Periodic::Download-Upgradeable-Packages', line: 'APT::Periodic::Download-Upgradeable-Packages "1";' }
      - { regexp: '^APT::Periodic::AutocleanInterval', line: 'APT::Periodic::AutocleanInterval "7";' }
      - { regexp: '^APT::Periodic::Unattended-Upgrade', line: 'APT::Periodic::Unattended-Upgrade "1";' }

  - name: Create new group
    group:
      name: "{{ common_user_name }}"
      state: present

  - name: Create new user
    user:
      name: "{{ common_user_name }}"
      group: "{{ common_user_name }}"
      shell: /bin/bash
      home: "/home/{{ common_user_name }}"
      password: "{{ common_user_password }}"
      generate_ssh_key: yes
      state: present

  - name: Add authorized keys
    authorized_key:
      user: "{{ common_user_name }}"
      key: "{{ lookup('file', item) }}"
    with_items:
      - ~/.ssh/id_rsa.pub

  # Firewall config via ufw
  # See: http://docs.ansible.com/ansible/ufw_module.html
  - name: Allow ssh traffic
    ufw:
      rule: allow
      port: "{{ ssh_port }}"
      proto: tcp

  - name: Lock down SSH
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      state: present
    with_items:
      - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
      - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
      - { regexp: '^AllowUsers', line: 'AllowUsers {{ common_user_name }}' }
      - { regexp: '^Port\s', line: 'Port {{ ssh_port }}' }
    notify: restart ssh

  - name: Enable sudo for new user
    lineinfile:
      path: /etc/sudoers
      state: present
      regexp: "{{ common_user_name }} ALL="
      line: "{{ common_user_name }} ALL=(ALL) ALL"
      validate: 'visudo -cf %s'

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted
	---
	- hosts: all

	vars:
	root_password: xxx
	common_user_password: xxx
	common_user_name: deploy
	ssh_port: 22

	remote_user: root

	become: true

	tasks:
	- name: Change root password
	user:
	name: root
	password: "{{ root_password }}"

	- name: Update all packages to the latest version
	apt:
	update_cache: yes
	upgrade: dist

	- name: Install required packages
	apt:
	name: "{{ item }}"
	with_items:
	- ufw
	- unattended-upgrades

	- name: Setup automatic upgrade
	lineinfile:
	path: /etc/apt/apt.conf.d/10periodic
	regexp: "{{ item.regexp }}"
	line: "{{ item.line }}"
	state: present
	with_items:
	- { regexp: '^APT::Periodic::Update-Package-Lists', line: 'APT::Periodic::Update-Package-Lists "1";' }
	- { regexp: '^APT::Periodic::Download-Upgradeable-Packages', line: 'APT::Periodic::Download-Upgradeable-Packages "1";' }
	- { regexp: '^APT::Periodic::AutocleanInterval', line: 'APT::Periodic::AutocleanInterval "7";' }
	- { regexp: '^APT::Periodic::Unattended-Upgrade', line: 'APT::Periodic::Unattended-Upgrade "1";' }

	- name: Create new group
	group:
	name: "{{ common_user_name }}"
	state: present

	- name: Create new user
	user:
	name: "{{ common_user_name }}"
	group: "{{ common_user_name }}"
	shell: /bin/bash
	home: "/home/{{ common_user_name }}"
	password: "{{ common_user_password }}"
	generate_ssh_key: yes
	state: present

	- name: Add authorized keys
	authorized_key:
	user: "{{ common_user_name }}"
	key: "{{ lookup('file', item) }}"
	with_items:
	- ~/.ssh/id_rsa.pub

	# Firewall config via ufw
	# See: http://docs.ansible.com/ansible/ufw_module.html
	- name: Allow ssh traffic
	ufw:
	rule: allow
	port: "{{ ssh_port }}"
	proto: tcp

	- name: Lock down SSH
	lineinfile:
	path: /etc/ssh/sshd_config
	regexp: "{{ item.regexp }}"
	line: "{{ item.line }}"
	state: present
	with_items:
	- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
	- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
	- { regexp: '^AllowUsers', line: 'AllowUsers {{ common_user_name }}' }
	- { regexp: '^Port\s', line: 'Port {{ ssh_port }}' }
	notify: restart ssh

	- name: Enable sudo for new user
	lineinfile:
	path: /etc/sudoers
	state: present
	regexp: "{{ common_user_name }} ALL="
	line: "{{ common_user_name }} ALL=(ALL) ALL"
	validate: 'visudo -cf %s'

	handlers:
	- name: restart ssh
	service:
	name: ssh
	state: restarted