-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmain.yml
165 lines (148 loc) · 4.28 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
---
- name: Determine login credentials
hosts: all
gather_facts: false
tasks:
- name: get the username running the deploy
become: false
local_action: command whoami
register: username_on_the_host
when: ansible_user is not defined
changed_when: false
- name: "Set ansible_user to {{ username_on_the_host.stdout }}"
connection: local
set_fact:
ansible_user: "{{ username_on_the_host.stdout }}"
when: ansible_user is not defined
- name: Check if connection is possible
command: ssh -o User={{ ansible_user }} -o ConnectTimeout=10 -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes {{ ansible_host }} echo "Worked"
register: result
connection: local
ignore_errors: yes
changed_when: False
- name: "Store ansible_user for later use."
set_fact:
ansible_user_orig: "{{ ansible_user }}"
when: result.failed
- name: If no connection, change user_name
connection: local
set_fact:
ansible_user: "root"
ansible_password: "{{ root_password }}"
when: result.failed
- name: Secure servers
hosts: all
become: true
vars_files:
- vars.yml
tasks:
- name: Ensure 'sudo' group exists
group:
name: sudo
state: present
- name: Create users
user:
name: '{{ item.name }}'
shell: /bin/bash
password: '!'
update_password: on_create
groups:
- sudo
state: present
with_items: '{{ users }}'
- name: Add SSH keys
authorized_key:
user: '{{ item.name }}'
state: present
key: '{{ item.sshkeys }}'
with_items: '{{ users }}'
- name: Ensure sudo group is passwordless
lineinfile:
path: /etc/sudoers.d/sudo-nopasswd
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
state: present
mode: 0440
create: yes
validate: '/usr/sbin/visudo -cf %s'
- name: Ensure sudoers uses sudoers.d
lineinfile:
path: /etc/sudoers
line: '#includedir /etc/sudoers.d'
state: present
validate: '/usr/sbin/visudo -cf %s'
- name: Disable root login over SSH
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
state: present
notify:
- restart sshd
- name: Disable password login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
state: present
notify:
- restart sshd
# - name: "Configuring eth"
# loop: "{{ips}}"
# loop_control:
# loop_var: ip
# index_var: idx
post_tasks:
- name: Restore original ansible_user
set_fact:
ansible_user: "{{ ansible_user_orig }}"
when: ansible_user_orig is defined
- name: remove ansible password
set_fact:
ansible_password:
when: ansible_user_orig is defined
handlers:
- name: restart sshd
service:
name: sshd
state: restarted
- name: Setup network
hosts: all
become: true
tasks:
- name: add additional ipv4 interfaces
blockinfile:
block: |
{% for ip in additional_ips %}
iface eth0 inet static
address {{ ip.ipv4 }}
netmask 255.255.255.255{% endfor %}
marker: "# {mark} additional ipv4 addresses"
path: /etc/network/interfaces
insertbefore: "^ *dns-search"
when: additional_ips is defined
notify: restart
- name: add additional ipv6 interfaces
blockinfile:
block: |
{% for ip in additional_ips %}
iface eth0 inet6 static
address {{ ip.ipv6 }}
netmask 64{% endfor %}
path: /etc/network/interfaces
marker: "# {mark} additional ipv6 addresses"
when: additional_ips is defined
notify: restart
- name: Ensure IPv6 not disabled with sysctl
sysctl:
name: "{{ item }}"
value: 0
state: present
reload: true
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
notify: restart
handlers:
- name: restart
reboot: