add VPS provisioning playbook
parent
272585ca32
commit
dd3150aff5
21
README.md
21
README.md
|
@ -2,8 +2,27 @@
|
|||
|
||||
A collection of Ansible playbooks I use to provision things.
|
||||
|
||||
## Ansible VPS setup
|
||||
|
||||
Ansible playbook to provision a plain Ubuntu VPS from digitalocean. Expects ssh access for user root.
|
||||
|
||||
- Create user
|
||||
- Secure ssh
|
||||
- Configure ufw
|
||||
|
||||
### Setup
|
||||
Copy or rename `vars.samle.yml` to `vars.yml` and set:
|
||||
- **regular_user**: Default username to create
|
||||
- **user_password**: Password for new user
|
||||
- **sshd_port**: Change ssh port
|
||||
|
||||
### Run on a single host
|
||||
```
|
||||
ansible-playbook -i $hostname, ansible-vps-setup/playbook.yml
|
||||
```
|
||||
|
||||
## Ansible Docker Ubuntu
|
||||
Ansible playbook to provision an standart Ubuntu LTS server VM.
|
||||
Ansible playbook to provision an standart Ubuntu LTS server VM. Expects the user *regular_user* to be already created.
|
||||
|
||||
- update and upgrade repo packages
|
||||
- install basic necessities
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
|
||||
- name: Setup and secure blank VPS
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
user: root
|
||||
vars_files:
|
||||
- vars.yml
|
||||
roles:
|
||||
- user
|
||||
- ssh_secure
|
||||
- ufw
|
|
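Review bot: `user: root` on the play is the deprecated spelling of the `remote_user` keyword; write `remote_user: root` so the play does not rely on an alias that a future Ansible release may drop. The play also loads `vars.yml`, which per the README carries the new account's password in the clear; encrypting that file with `ansible-vault` (and running the play with `--ask-vault-pass` or a vault id) keeps the secret out of plain text on the control host. The role order `user`, `ssh_secure`, `ufw` means the SSH port is moved before the firewall is touched, so the operator should keep the original root session open until the whole run has finished.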
@ -0,0 +1,59 @@
|
|||
---
|
||||
|
||||
- name: "backup config"
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /etc/ssh/sshd_config
|
||||
dest: /etc/ssh/sshd_config.backup
|
||||
|
||||
- name: "set sshd port"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^#Port"
|
||||
line: "Port {{ sshd_port }}"
|
||||
|
||||
- name: "disable root login"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^PermitRootLogin"
|
||||
line: "PermitRootLogin no"
|
||||
|
||||
- name: "enable PubkeyAuthentication"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^#PubkeyAuthentication"
|
||||
line: "PubkeyAuthentication yes"
|
||||
|
||||
- name: "enable RSAAuthentication"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
line: "RSAAuthentication yes"
|
||||
|
||||
- name: "disable PasswordAuthentication"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^PasswordAuthentication"
|
||||
line: "PasswordAuthentication no"
|
||||
|
||||
- name: "disable X11Forwarding"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^X11Forwarding"
|
||||
line: "X11Forwarding no"
|
||||
|
||||
- name: "disable PAM"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^UsePAM"
|
||||
line: "UsePAM no"
|
||||
|
||||
- name: "disable PrintLastLog"
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^#PrintLastLog"
|
||||
line: "PrintLastLog no"
|
||||
|
||||
- name: "restart ssh service"
|
||||
service:
|
||||
name: ssh
|
||||
state: restarted
|
|
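Review bot: None of the `lineinfile` edits are validated before the final `restart ssh service` task, so a malformed edit or a `sshd_port` value sshd rejects leaves a host that is reachable only over SSH without a working daemon; adding `validate: /usr/sbin/sshd -t -f %s` to each `lineinfile` task makes the edit fail before the file is written. On recent Ubuntu releases `/etc/ssh/sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf` and cloud images commonly ship a drop-in there that sets `PasswordAuthentication yes`; because sshd keeps the first value it reads, the `PasswordAuthentication no` appended here can be overridden without any error, so the effective value should be confirmed with `sshd -T` on a provisioned host. The `RSAAuthentication yes` task can be dropped: that keyword belonged to SSH protocol 1 and has been ignored with a deprecation warning since OpenSSH 7.4. Lastly, `^#Port` matches only the commented default, so an image that ships an uncommented `Port` line keeps it alongside the appended `Port {{ sshd_port }}` and sshd listens on both.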
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
- name: "update cache"
|
||||
apt:
|
||||
update_cache: yes
|
||||
|
||||
- name: "install ufw"
|
||||
apt:
|
||||
name: ufw
|
||||
|
||||
- name: deny everything and enable UFW
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
policy: deny
|
||||
|
||||
- name: allow sshd port
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "{{ sshd_port }}"
|
||||
proto: tcp
|
|
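Review bot: The `deny everything and enable UFW` task switches the firewall on with a deny policy before `allow sshd port` has added its rule, so if the run stops between the two tasks, or the allow rule fails, the host is cut off on every port; move the `allow sshd port` task above the enable/deny task, since ufw activates rules that were defined before it is enabled. The `apt` tasks use the short module name while the firewall tasks use the FQCN `community.general.ufw`; for consistency write `ansible.builtin.apt`, and `update_cache: true` rather than the YAML 1.1 spelling `yes`. Both firewall tasks require the `community.general` collection on the control host, which the README in this commit does not mention.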
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
- name: "create user"
|
||||
user:
|
||||
name: "{{ regular_user }}"
|
||||
groups: sudo
|
||||
append: yes
|
||||
password: "{{ user_password | password_hash('sha512') }}"
|
||||
|
||||
- name: "create ssh folder"
|
||||
file:
|
||||
path: "/home/{{ regular_user }}/.ssh"
|
||||
state: directory
|
||||
owner: "{{ regular_user }}"
|
||||
group: "{{ regular_user }}"
|
||||
mode: '0700'
|
||||
|
||||
- name: "copy ssh key"
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /root/.ssh/authorized_keys
|
||||
dest: "/home/{{ regular_user }}/.ssh/authorized_keys"
|
||||
owner: "{{ regular_user }}"
|
||||
group: "{{ regular_user }}"
|
||||
mode: '0600'
|
|
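Review bot: `password: "{{ user_password | password_hash('sha512') }}"` generates a fresh random salt on every run, so the `create user` task compares a new hash against the stored one and reports `changed` each time; add `update_password: on_create` to the `user` task (or pass a fixed salt to `password_hash`) so the password is set once and the task becomes idempotent. No `shell` is given, so the account receives the useradd default, which on Ubuntu is `/bin/sh`; `shell: /bin/bash` is presumably what is intended for an interactive sudo user. The `append: yes` and `remote_src: yes` values work, but `true` is the canonical boolean spelling.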
@ -0,0 +1,5 @@
|
|||
---
|
||||
|
||||
regular_user: username
|
||||
user_password: password
|
||||
sshd_port: 2222
|
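Review bot: `user_password: password` is a placeholder that the README's setup step copies verbatim into `vars.yml`, where the real value then sits in the clear; a comment in this sample should state that the real `vars.yml` is expected to be encrypted with `ansible-vault` and kept out of version control (no `.gitignore` is visible in this commit). `regular_user: username` and the password are safe as plain scalars only while the values contain no YAML-special characters; quoting them, e.g. `user_password: 'password'`, avoids a real value starting with `*`, `&`, `#` or a digit being parsed as something other than a string.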