From dd3150aff5f47059cea204771f2e9a3ae861036e Mon Sep 17 00:00:00 2001
From: simon
Date: Thu, 28 Apr 2022 20:56:42 +0700
Subject: [PATCH] add VPS provisioning playbook

---
 README.md | 21 ++++++-
 ansible-vps-setup/playbook.yml | 12 ++++
 .../roles/ssh_secure/tasks/main.yml | 59 +++++++++++++++++++
 ansible-vps-setup/roles/ufw/tasks/main.yml | 20 +++++++
 ansible-vps-setup/roles/user/tasks/main.yml | 25 ++++++++
 ansible-vps-setup/vars.sample.yml | 5 ++
 6 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 ansible-vps-setup/playbook.yml
 create mode 100644 ansible-vps-setup/roles/ssh_secure/tasks/main.yml
 create mode 100644 ansible-vps-setup/roles/ufw/tasks/main.yml
 create mode 100644 ansible-vps-setup/roles/user/tasks/main.yml
 create mode 100644 ansible-vps-setup/vars.sample.yml

diff --git a/README.md b/README.md
index 5415764..9b38ac4 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,27 @@
 A collection of Ansible playbooks I use to provision things.
+## Ansible VPS setup
+
+Ansible playbook to provision a plain Ubuntu VPS from digitalocean. Expects ssh access for user root.
+
+- Create user
+- Secure ssh
+- Configure ufw
+
+### Setup
+Copy or rename `vars.samle.yml` to `vars.yml` and set:
+- **regular_user**: Default username to create
+- **user_password**: Password for new user
+- **sshd_port**: Change ssh port
+
+### Run on a single host
+```
+ansible-playbook -i $hostname, ansible-vps-setup/playbook.yml
+```
+
 ## Ansible Docker Ubuntu
-Ansible playbook to provision an standart Ubuntu LTS server VM.
+Ansible playbook to provision an standart Ubuntu LTS server VM. Expects the user *regular_user* to be already created.
 - update and upgrade repo packages
 - install basic necessities
diff --git a/ansible-vps-setup/playbook.yml b/ansible-vps-setup/playbook.yml
new file mode 100644
index 0000000..a023c01
--- /dev/null
+++ b/ansible-vps-setup/playbook.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Setup and secure blank VPS
+ hosts: all
+ gather_facts: true
+ user: root
+ vars_files:
+ - vars.yml
+ roles:
+ - user
+ - ssh_secure
+ - ufw
diff --git a/ansible-vps-setup/roles/ssh_secure/tasks/main.yml b/ansible-vps-setup/roles/ssh_secure/tasks/main.yml
new file mode 100644
index 0000000..61f3a7c
--- /dev/null
+++ b/ansible-vps-setup/roles/ssh_secure/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+
+- name: "backup config"
+ copy:
+ remote_src: yes
+ src: /etc/ssh/sshd_config
+ dest: /etc/ssh/sshd_config.backup
+
+- name: "set sshd port"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#Port"
+ line: "Port {{ sshd_port }}"
+
+- name: "disable root login"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin no"
+
+- name: "enable PubkeyAuthentication"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#PubkeyAuthentication"
+ line: "PubkeyAuthentication yes"
+
+- name: "enable RSAAuthentication"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: "RSAAuthentication yes"
+
+- name: "disable PasswordAuthentication"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+
+- name: "disable X11Forwarding"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^X11Forwarding"
+ line: "X11Forwarding no"
+
+- name: "disable PAM"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^UsePAM"
+ line: "UsePAM no"
+
+- name: "disable PrintLastLog"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#PrintLastLog"
+ line: "PrintLastLog no"
+
+- name: "restart ssh service"
+ service:
+ name: ssh
+ state: restarted
diff --git a/ansible-vps-setup/roles/ufw/tasks/main.yml b/ansible-vps-setup/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..b020539
--- /dev/null
+++ b/ansible-vps-setup/roles/ufw/tasks/main.yml
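Review bot: `user: root` combined with the ssh_secure role listed in this play makes the playbook single-shot: after the first run sshd listens on `{{ sshd_port }}` with `PermitRootLogin no`, so a second `ansible-playbook -i host,` invocation cannot connect on port 22 as root. If re-runs are intended, connect as `remote_user: "{{ regular_user }}"` with `become: true` and set `ansible_port` from `sshd_port` in the inventory or play vars; otherwise the README should state that the play is meant to be run once. `user:` is the older spelling of the play keyword; `remote_user: root` is the current name.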
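Review bot: Every lineinfile here edits /etc/ssh/sshd_config without `validate`, and the final task restarts ssh unconditionally, so a bad `sshd_port` value in vars.yml (or any directive sshd rejects) leaves the daemon down and the host unreachable; add `validate: '/usr/sbin/sshd -t -f %s'` to each lineinfile and trigger the restart from a handler they notify. The `backup config` copy overwrites sshd_config.backup on every run, so from the second run on the "backup" is already the edited file; `force: false` keeps the original. On Ubuntu images whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it reads, so a cloud-init drop-in there setting `PasswordAuthentication yes` would silently override the line appended here — worth checking that directory on the target, or writing these settings into a drop-in of their own. `RSAAuthentication` is a directive current OpenSSH accepts only as a deprecated no-op, and `UsePAM no` also disables PAM account and session handling, which is broader than the task name suggests.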
@@ -0,0 +1,20 @@
+---
+
+- name: "update cache"
+ apt:
+ update_cache: yes
+
+- name: "install ufw"
+ apt:
+ name: ufw
+
+- name: deny everything and enable UFW
+ community.general.ufw:
+ state: enabled
+ policy: deny
+
+- name: allow sshd port
+ community.general.ufw:
+ rule: allow
+ port: "{{ sshd_port }}"
+ proto: tcp
diff --git a/ansible-vps-setup/roles/user/tasks/main.yml b/ansible-vps-setup/roles/user/tasks/main.yml
new file mode 100644
index 0000000..ac589ae
--- /dev/null
+++ b/ansible-vps-setup/roles/user/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: "create user"
+ user:
+ name: "{{ regular_user }}"
+ groups: sudo
+ append: yes
+ password: "{{ user_password | password_hash('sha512') }}"
+
+- name: "create ssh folder"
+ file:
+ path: "/home/{{ regular_user }}/.ssh"
+ state: directory
+ owner: "{{ regular_user }}"
+ group: "{{ regular_user }}"
+ mode: '0700'
+
+- name: "copy ssh key"
+ copy:
+ remote_src: yes
+ src: /root/.ssh/authorized_keys
+ dest: "/home/{{ regular_user }}/.ssh/authorized_keys"
+ owner: "{{ regular_user }}"
+ group: "{{ regular_user }}"
+ mode: '0600'
diff --git a/ansible-vps-setup/vars.sample.yml b/ansible-vps-setup/vars.sample.yml
new file mode 100644
index 0000000..d0b741f
--- /dev/null
+++ b/ansible-vps-setup/vars.sample.yml
@@ -0,0 +1,5 @@
+---
+
+regular_user: username
+user_password: password
+sshd_port: 2222
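Review bot: `deny everything and enable UFW` turns the firewall on with a deny policy before `allow sshd port` has run, so between the two tasks only the already-established Ansible session (which ufw's default rules normally keep open) makes the host reachable; if that session drops or the allow task fails, the server is locked out. Swap the two tasks so the allow rule exists before `state: enabled`. `update_cache: yes` and `append`-style truthy values read better as `true`, `install ufw` should state `state: present` explicitly, and `community.general.ufw` needs that collection installed — a `requirements.yml` or a README line would document the dependency.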
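Review bot: `password: "{{ user_password | password_hash('sha512') }}"` generates a fresh random salt on every run, so the hash differs each time and `create user` reports changed (and rewrites the password) on every play; add `update_password: on_create`, or pass a fixed salt as the filter's second argument. If `/root/.ssh/authorized_keys` is absent, `copy ssh key` fails and the play stops before ssh_secure disables root login, which is the safe outcome but an opaque one; a short comment that the new user inherits root's keys and that this file must exist would make the dependency explicit. The home directory is assumed to be `/home/{{ regular_user }}` rather than taken from the `user` task's result; registering that task and using its `home` value would hold if the default home path ever changes.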
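Review bot: `user_password: password` is a plaintext credential in a template meant to be copied to vars.yml beside the playbook, and nothing visible here keeps vars.yml out of version control; the README should tell users to protect it with `ansible-vault encrypt` (or `ansible-vault encrypt_string` for the single value) and the repository should ignore the file. A comment above each variable — e.g. `# sshd_port: port sshd will listen on after the run; ufw allows only this port` — would carry the README's explanation into the place people actually edit.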