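---
# First-boot setup of a fresh VPS: patch the system, create a sudo-capable
# login user with an SSH key, then harden sshd and lock the root account.
# The play connects as root on the stock port because the unprivileged user
# does not exist yet; after it runs, root login and password auth are off.
- name: First setup of new VPS
  gather_facts: false
  port: 22
  remote_user: root
  hosts: hetzner
  vars_files:
    - initial_vars.yml

  tasks:
    - name: update the package list
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: upgrade a server with apt
      apt:
        upgrade: dist
      register: upgrade

    - name: create ssh login user
      user:
        # Jinja expressions that start a value must be quoted; an unquoted
        # leading "{{" is parsed by YAML as a flow mapping and the play
        # fails to load.
        name: "{{ ssh_user }}"
        password: "{{ new_user_password | password_hash('sha512') }}"
        append: true
        groups:
          - sudo

    - name: allow passwordless sudo for new user
      template:
        src: etc/sudoers.d/ssh_user.j2
        dest: "/etc/sudoers.d/{{ ssh_user }}"
        owner: root
        group: root
        # Quoted so the octal mode is not read as the integer 288.
        mode: "0440"
        # A malformed drop-in disables sudo for everyone; check before install.
        validate: /usr/sbin/visudo -cf %s

    - name: add authorized key to SSH login user
      authorized_key:
        key: "{{ item }}"
        user: "{{ ssh_user }}"
      with_file:
        - "{{ ssh_key }}"
      become: true
      become_user: "{{ ssh_user }}"

    - name: set up SSH properly
      block:
        # sshd_config uses first-match semantics: a directive appended at EOF
        # is ignored when an earlier line already sets the same option. Each
        # lineinfile below therefore replaces any existing (possibly
        # commented-out) directive instead of only appending, and validates
        # the result with sshd before writing it into place.
        - name: disable root SSH login
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?PermitRootLogin'
            line: 'PermitRootLogin no'
            state: present
            insertafter: EOF
            validate: /usr/sbin/sshd -t -f %s

        - name: disable password authentication
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?PasswordAuthentication'
            line: 'PasswordAuthentication no'
            state: present
            insertafter: EOF
            validate: /usr/sbin/sshd -t -f %s

        # Generate the host keys before referencing one of them in
        # sshd_config, so the config validation below can find the key.
        - name: generate missing host keys
          command: ssh-keygen -A
          args:
            # ssh-keygen -A only creates keys that are missing; skip the
            # task entirely once the key this play relies on exists.
            creates: /etc/ssh/ssh_host_ed25519_key

        - name: set modern host key
          lineinfile:
            dest: /etc/ssh/sshd_config
            regexp: '^#?HostKey /etc/ssh/ssh_host_ed25519_key'
            line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
            insertafter: EOF
            state: present
            validate: /usr/sbin/sshd -t -f %s

        - name: restart ssh
          service:
            name: ssh
            state: restarted

    - name: lock root password
      user:
        name: root
        password_lock: true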