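---
# First-login hardening of a fresh VPS: patch the system, rotate the root
# password, create a sudo-capable login user with key-based SSH access, then
# lock sshd down (no root login, no password authentication, ed25519 host key).
#
# Run once over the provider's initial root SSH access. The play itself turns
# off root logins, so a second run with remote_user: root below will no longer
# connect; re-runs must go through the new user.
- name: First setup of new VPS
  hosts: vps
  remote_user: root
  port: 22
  gather_facts: false

  vars:
    # Login name of the non-root account created below (play vars are a
    # mapping, not a list of one-key mappings).
    ssh_user: ssh_login

  # Secrets are asked for interactively and hashed on the controller by the
  # `encrypt` option (needs passlib or a crypt library there); only the hash
  # is ever sent to the host.
  vars_prompt:
    - name: new_root_pw
      prompt: "What should be the new root password?"
      private: true
      encrypt: "sha512_crypt"
      confirm: true
      salt_size: 7
    - name: new_user_password
      prompt: "Password of the SSH login user"
      private: true
      encrypt: "sha512_crypt"
      confirm: true
      salt_size: 7
    - name: ssh_key
      prompt: "public SSH key file location for new SSH login user"
      private: false

  tasks:
    - name: update the package list
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: upgrade a server with apt
      apt:
        upgrade: dist

    - name: updates password of root user
      user:
        name: root
        # A value starting with "{{" must be quoted: unquoted, YAML reads it
        # as a flow mapping and the whole play fails to parse.
        password: "{{ new_root_pw }}"

    - name: create ssh login user
      user:
        name: "{{ ssh_user }}"
        password: "{{ new_user_password }}"
        append: true
        groups:
          - sudo

    # Runs as root (the play's remote_user). The module creates ~/.ssh and
    # authorized_keys with the target user's ownership itself, so becoming
    # the unprivileged user is not needed — that path additionally requires
    # ACL/chmod support for Ansible's temp files and fails on minimal images.
    # `with_file` reads the key file on the controller, not on the VPS.
    - name: add authorized key to SSH login user
      authorized_key:
        key: "{{ item }}"
        user: "{{ ssh_user }}"
      with_file:
        - "{{ ssh_key }}"

    - name: set up SSH properly
      block:
        # Create the ed25519 key before sshd_config points at it, so that the
        # config validation below (and sshd on restart) can load a host key.
        # `creates` makes the task idempotent instead of reporting a change
        # on every run.
        - name: generate missing host keys
          command: ssh-keygen -A
          args:
            creates: /etc/ssh/ssh_host_ed25519_key
          notify: restart ssh

        # sshd honours the FIRST occurrence of a keyword. Appending at EOF
        # would leave an existing "PermitRootLogin yes" in force, so replace
        # the existing (possibly commented-out) directive in place and only
        # fall back to appending when there is none.
        # NOTE(review): on images whose sshd_config starts with
        # `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there (e.g. from
        # cloud-init) is read before these lines and can override them —
        # confirm on the target image.
        - name: disable root SSH login
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?PermitRootLogin\b'
            line: 'PermitRootLogin no'
            state: present
            insertafter: EOF
            # Refuse to write a config sshd cannot load; a bad config plus
            # the restart handler below would lock us out of the host.
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

        - name: disable password authentication
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?PasswordAuthentication\b'
            line: 'PasswordAuthentication no'
            state: present
            insertafter: EOF
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

        # An explicit HostKey line replaces sshd's compiled-in default key
        # set, leaving ed25519 as the only host key offered.
        - name: set modern host key
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?HostKey /etc/ssh/ssh_host_ed25519_key'
            line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
            state: present
            insertafter: EOF
            validate: '/usr/sbin/sshd -t -f %s'
          notify: restart ssh

  handlers:
    # Restart sshd only when one of the notifying tasks actually changed
    # something, instead of unconditionally at the end of every run.
    - name: restart ssh
      service:
        name: ssh
        state: restarted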