add VPS provisioning playbook

README.md

@@ -2,8 +2,27 @@
 
 A collection of Ansible playbooks I use to provision things.
 
+## Ansible VPS setup
+
+Ansible playbook to provision a plain Ubuntu VPS from digitalocean. Expects ssh access for user root. 
+
+- Create user
+- Secure ssh
+- Configure ufw
+
+### Setup
+Copy or rename `vars.samle.yml` to `vars.yml` and set:
+- **regular_user**: Default username to create
+- **user_password**: Password for new user
+- **sshd_port**: Change ssh port
+
+### Run on a single host
+```
+ansible-playbook -i $hostname, ansible-vps-setup/playbook.yml
+```
+
 ## Ansible Docker Ubuntu
-Ansible playbook to provision an standart Ubuntu LTS server VM.
+Ansible playbook to provision an standart Ubuntu LTS server VM. Expects the user *regular_user* to be already created. 
 
 - update and upgrade repo packages
 - install basic necessities

ansible-vps-setup/playbook.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Setup and secure blank VPS
+  hosts: all
+  gather_facts: true
+  user: root
+  vars_files:
+    - vars.yml
+  roles:
+    - user
+    - ssh_secure
+    - ufw

ansible-vps-setup/roles/ssh_secure/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+
+- name: "backup config"
+  copy:
+    remote_src: yes
+    src: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.backup
+
+- name: "set sshd port"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#Port"
+    line: "Port {{ sshd_port }}"
+
+- name: "disable root login"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin no"
+
+- name: "enable PubkeyAuthentication"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#PubkeyAuthentication"
+    line: "PubkeyAuthentication yes"
+
+- name: "enable RSAAuthentication"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "RSAAuthentication yes"
+
+- name: "disable PasswordAuthentication"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication no"
+
+- name: "disable X11Forwarding"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^X11Forwarding"
+    line: "X11Forwarding no"
+
+- name: "disable PAM"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^UsePAM"
+    line: "UsePAM no"
+
+- name: "disable PrintLastLog"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#PrintLastLog"
+    line: "PrintLastLog no"
+
+- name: "restart ssh service"
+  service:
+    name: ssh
+    state: restarted

ansible-vps-setup/roles/ufw/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "update cache"
+  apt:
+    update_cache: yes
+
+- name: "install ufw"
+  apt:
+    name: ufw
+
+- name: deny everything and enable UFW
+  community.general.ufw:
+    state: enabled
+    policy: deny
+
+- name: allow sshd port
+  community.general.ufw:
+    rule: allow
+    port: "{{ sshd_port }}"
+    proto: tcp

ansible-vps-setup/roles/user/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+- name: "create user"
+  user:
+    name: "{{ regular_user }}"
+    groups: sudo
+    append: yes
+    password: "{{ user_password | password_hash('sha512') }}"
+
+- name: "create ssh folder"
+  file:
+    path: "/home/{{ regular_user }}/.ssh"
+    state: directory
+    owner: "{{ regular_user }}"
+    group: "{{ regular_user }}"
+    mode: '0700'
+
+- name: "copy ssh key"
+  copy:
+    remote_src: yes
+    src: /root/.ssh/authorized_keys
+    dest: "/home/{{ regular_user }}/.ssh/authorized_keys"
+    owner: "{{ regular_user }}"
+    group: "{{ regular_user }}"
+    mode: '0600'

ansible-vps-setup/vars.sample.yml

@@ -0,0 +1,5 @@
+---
+
+regular_user: username
+user_password: password
+sshd_port: 2222