add VPS provisioning playbook
This commit is contained in:
parent
272585ca32
commit
dd3150aff5
21
README.md
21
README.md
@ -2,8 +2,27 @@
A collection of Ansible playbooks I use to provision things.
A collection of Ansible playbooks I use to provision things.
## Ansible VPS setup
Ansible playbook to provision a plain Ubuntu VPS from digitalocean. Expects ssh access for user root.
- Create user
- Secure ssh
- Configure ufw
### Setup
Copy or rename `vars.samle.yml` to `vars.yml` and set:
- **regular_user**: Default username to create
- **user_password**: Password for new user
- **sshd_port**: Change ssh port
### Run on a single host
```
ansible-playbook -i $hostname, ansible-vps-setup/playbook.yml
```
## Ansible Docker Ubuntu
## Ansible Docker Ubuntu
Ansible playbook to provision an standart Ubuntu LTS server VM.
Ansible playbook to provision an standart Ubuntu LTS server VM. Expects the user *regular_user* to be already created.
- update and upgrade repo packages
- update and upgrade repo packages
- install basic necessities
- install basic necessities
@ -0,0 +1,12 @@
---
- name: Setup and secure blank VPS
hosts: all
gather_facts: true
user: root
vars_files:
- vars.yml
roles:
- user
- ssh_secure
- ufw
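Review bot: `user: root` is the legacy alias of the play keyword; Ansible rewrites it to `remote_user` and flags the old spelling as deprecated, so `remote_user: root` says the same thing without the warning. The play loads `vars.yml`, which per the sample file in this commit carries `user_password` in clear; whether `vars.yml` is kept out of version control is not visible here, so consider loading that value from an `ansible-vault`-encrypted file or collecting it with `vars_prompt` instead of keeping it on disk in plaintext. Role order also matters: `ssh_secure` disables root login and password auth before `ufw` runs, so the `user` role is the only thing that guarantees a working non-root login exists first — worth a comment on `roles:` stating that the order is load-bearing.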
@ -0,0 +1,59 @@
---
- name: "backup config"
copy:
remote_src: yes
src: /etc/ssh/sshd_config
dest: /etc/ssh/sshd_config.backup
- name: "set sshd port"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#Port"
line: "Port {{ sshd_port }}"
- name: "disable root login"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
- name: "enable PubkeyAuthentication"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#PubkeyAuthentication"
line: "PubkeyAuthentication yes"
- name: "enable RSAAuthentication"
lineinfile:
path: /etc/ssh/sshd_config
line: "RSAAuthentication yes"
- name: "disable PasswordAuthentication"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- name: "disable X11Forwarding"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^X11Forwarding"
line: "X11Forwarding no"
- name: "disable PAM"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^UsePAM"
line: "UsePAM no"
- name: "disable PrintLastLog"
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#PrintLastLog"
line: "PrintLastLog no"
- name: "restart ssh service"
service:
name: ssh
state: restarted
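Review bot: The `^#Port`, `^#PubkeyAuthentication` and `^#PrintLastLog` regexps match only the commented-out default, and the `^PermitRootLogin`/`^PasswordAuthentication`/`^X11Forwarding`/`^UsePAM` ones only the uncommented form, so whichever form the image ships the other case appends a second directive at the end of the file; sshd honours the first occurrence of a keyword, and a line appended after a `Match` block is scoped to that block, so the intended setting can silently not apply — `regexp: '^#?Port\b'` (and likewise for the others) covers both forms. Nothing checks the edited file before `restart ssh service`, so a malformed line is discovered only when sshd fails to come back on a host whose root login and password auth were just disabled; `validate: '/usr/sbin/sshd -t -f %s'` on each lineinfile rejects the edit instead, and `backup: true` there keeps a timestamped copy per change, unlike the `backup config` task, which on the second run overwrites the backup with the already-modified file. On Ubuntu releases whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in that sets `PasswordAuthentication yes` (cloud-init writes one on some images, as far as I know) takes precedence over the edit here, so the effective value should be confirmed with `sshd -T` or the drop-ins handled as well. Less urgently, `RSAAuthentication` is a protocol-1 option that modern OpenSSH only warns about, and the unconditional `state: restarted` reports changed on every run where a `notify` to a restart handler would restart only after an actual edit.
```yaml
- name: "set sshd port"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Port\b'
    line: "Port {{ sshd_port }}"
    validate: '/usr/sbin/sshd -t -f %s'
    backup: true
# … unchanged: the remaining lineinfile tasks, each given the same regexp/validate/backup treatment …
```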
@ -0,0 +1,20 @@
---
- name: "update cache"
apt:
update_cache: yes
- name: "install ufw"
apt:
name: ufw
- name: deny everything and enable UFW
community.general.ufw:
state: enabled
policy: deny
- name: allow sshd port
community.general.ufw:
rule: allow
port: "{{ sshd_port }}"
proto: tcp
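Review bot: `deny everything and enable UFW` runs before `allow sshd port`, so the firewall switches to a default-deny policy while no rule yet admits the SSH port; the running session usually survives because ufw's stock rules accept established connections, but if the play stops between the two tasks (connection drop, `sshd_port` failing to render) every new SSH connection is refused and the console is the only way back in. Reorder them so the rule exists first — the `rule: allow` task, then the `state: enabled` / `policy: deny` task — which the module handles since rules can be added while ufw is still inactive. `update_cache: yes` parses as a boolean in Ansible, but `true` is the spelling yamllint's truthy rule accepts, and `install ufw` would read more explicitly with `state: present` even though that is the default.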
@ -0,0 +1,25 @@
---
- name: "create user"
user:
name: "{{ regular_user }}"
groups: sudo
append: yes
password: "{{ user_password | password_hash('sha512') }}"
- name: "create ssh folder"
file:
path: "/home/{{ regular_user }}/.ssh"
state: directory
owner: "{{ regular_user }}"
group: "{{ regular_user }}"
mode: '0700'
- name: "copy ssh key"
copy:
remote_src: yes
src: /root/.ssh/authorized_keys
dest: "/home/{{ regular_user }}/.ssh/authorized_keys"
owner: "{{ regular_user }}"
group: "{{ regular_user }}"
mode: '0600'
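Review bot: `password: "{{ user_password | password_hash('sha512') }}"` draws a fresh random salt on every run, so the computed hash never equals the stored one and `create user` reports changed and rewrites the password each time; `update_password: on_create` makes the module set it only when the account is first created (or pass a fixed salt to `password_hash` if the password must track the variable). `copy ssh key` with `remote_src` carries over whatever `authorized_keys` the provider installed for root, which is what `ssh_secure` relies on before it disables root login, but it makes the trusted key set implicit — the `authorized_key` module with the intended public key would be explicit and idempotent, and the `mode: '0700'`/`'0600'` quoting here is correct and should stay. `create user` sets no `shell`, so the account gets useradd's default; `shell: /bin/bash` if an interactive login for `regular_user` is intended.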
@ -0,0 +1,5 @@
---
regular_user: username
user_password: password
sshd_port: 2222
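Review bot: `user_password: password` is a plaintext credential slot in a file the README tells the user to copy to `vars.yml` and fill in; whether `vars.yml` is excluded from version control is not visible in this commit, so either encrypt that variable with `ansible-vault` or collect it with `vars_prompt` in the playbook rather than keep it on disk in clear, and say so in a comment above the key. `sshd_port: 2222` is an integer here and is quoted only at the point of use in the ufw rule, which works; `sshd_port: "2222"` would keep it a string everywhere it is templated and is the safer default for a value that is only ever pasted into config text.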