vps-ansible/initial-setup.yml


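---
# First-boot hardening for a fresh Hetzner VPS.
#
# Runs once as root over the provider's default SSH access, creates a
# sudo-capable login user with a public key, then turns off root and
# password logins. After this play the ONLY way in is key-based SSH as
# `ssh_user` — verify that login works from a second terminal before
# closing the root session you ran this from.
#
# Expected in initial_vars.yml (keep the password in Ansible Vault, not in
# plaintext in the repository):
#   ssh_user          - login name to create
#   new_user_password - plaintext password, hashed before it reaches the host
#   ssh_key           - path (on the control node) to the public key to install
- name: First setup of new VPS
  hosts: hetzner
  remote_user: root
  port: 22
  gather_facts: false
  vars_files:
    - initial_vars.yml

  tasks:
    - name: Update the package list
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade all packages
      apt:
        upgrade: dist
      register: upgrade

    - name: Create SSH login user
      user:
        name: "{{ ssh_user }}"
        # password_hash() picks a fresh random salt on every run, so the hash
        # differs each time; update_password: on_create applies it only when
        # the account is first created, which keeps reruns idempotent and does
        # not clobber a password the user later changes themselves.
        password: "{{ new_user_password | password_hash('sha512') }}"
        update_password: on_create
        groups:
          - sudo
        append: true
      # Keep the hash (and the plaintext behind it) out of task output and logs.
      no_log: true

    # Passwordless sudo is a deliberate convenience choice here: the account
    # is already gated by an SSH key. Drop NOPASSWD in the template if the
    # key is ever used from a shared or untrusted workstation.
    - name: Allow passwordless sudo for new user
      template:
        src: etc/sudoers.d/ssh_user.j2
        dest: "/etc/sudoers.d/{{ ssh_user }}"
        owner: root
        group: root
        mode: "0440"
        # A malformed sudoers fragment disables sudo for every user on the
        # host; syntax-check it before it is installed.
        validate: '/usr/sbin/visudo -cf %s'

    - name: Add authorized key to SSH login user
      authorized_key:
        user: "{{ ssh_user }}"
        key: "{{ item }}"
      with_file:
        - "{{ ssh_key }}"
      become: true
      become_user: "{{ ssh_user }}"

    - name: Set up SSH properly
      block:
        # Generated BEFORE sshd is pointed at the ed25519 key so the
        # `sshd -t` validation below never runs against a missing key file.
        - name: Generate missing host keys
          command: ssh-keygen -A
          args:
            # ssh-keygen -A only creates keys that do not exist; skipping once
            # the ed25519 key is present makes reruns report no change.
            creates: /etc/ssh/ssh_host_ed25519_key

        # sshd honours the FIRST occurrence of a directive. Appending at EOF
        # would leave an earlier `PermitRootLogin yes` / `PasswordAuthentication
        # yes` from the provider image in force, so each setting below replaces
        # an existing active line instead (commented-out defaults are left
        # alone). Every edit is checked with `sshd -t` before it lands, so a
        # typo cannot leave the host with a daemon that refuses to restart.
        # NOTE(review): lineinfile replaces only the LAST match; if the stock
        # config holds the same directive twice, or starts with
        # `Include /etc/ssh/sshd_config.d/*.conf` and a drop-in there sets it,
        # that earlier value still wins — inspect the target's config once.
        - name: Disable root SSH login
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^\s*PermitRootLogin\b'
            line: 'PermitRootLogin no'
            state: present
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

        - name: Disable password authentication
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^\s*PasswordAuthentication\b'
            line: 'PasswordAuthentication no'
            state: present
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

        # Listing a HostKey explicitly makes sshd offer ONLY that key, so the
        # default RSA/ECDSA host keys stop being used.
        - name: Use the ed25519 host key
          lineinfile:
            path: /etc/ssh/sshd_config
            line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
            insertafter: EOF
            state: present
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

    - name: Lock root password
      user:
        name: root
        password_lock: true

  handlers:
    # Restart once, at the end of the play, and only when an sshd_config
    # task actually changed something.
    - name: restart ssh
      service:
        name: ssh
        state: restarted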