---
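# Ubuntu bootstrap.
# First login is as root (the hardened sshd_config copied below is
# presumably what disables that afterwards — confirm against the file).
# Creates the admin user and the ansible user, installs the sudoers
# drop-in for ansible, and pushes the hardened sshd_config. sshd is only
# restarted (via handler) when that config actually changed.
- hosts: ubuntu
  remote_user: root
  gather_facts: true
  vars_files:
    - 'vars/vault.yaml'
  tasks:
    - name: Apt update
      apt:
        upgrade: 'yes'  # string choice of the apt module ('yes'/'safe'/'full'/'dist'), not a boolean
        update_cache: true
        cache_valid_time: 3600

    - name: Ensure user groups exists
      group:
        name: "{{ item }}"
        state: present
      loop:
        - "{{ main_username }}"
        - ansible

    # NOTE(review): the user module's `password` expects an already-hashed
    # (crypt) value; the vault must hold hashes, not plaintext — confirm.
    - name: Add users
      user:
        name: "{{ item.user }}"
        password: "{{ item.pass }}"
        groups:
          - "{{ item.user }}"
          - sudo
        shell: /bin/bash
      loop:
        - user: "{{ main_username }}"
          pass: "{{ secret_main_user_pass }}"
        - user: ansible
          pass: "{{ secret_ansible_pass }}"

    - name: Add sudoers file for ansible
      copy:
        src: sudoer_ansible
        dest: /etc/sudoers.d/ansible
        owner: root
        group: root
        mode: "0440"  # quoted so the octal mode reaches Ansible as a string
        validate: /usr/sbin/visudo -cf %s  # a syntax error here would break all sudo

    - name: SSH Keys
      authorized_key:
        user: "{{ item.user }}"
        state: present
        key: "{{ item.ssh }}"
      loop:
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_ssh }}"
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_alt_ssh }}"
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_pixel_ssh }}"
        - user: ansible
          ssh: "{{ secret_ansible_ssh }}"

    - name: Add hardened SSH config
      copy:
        src: sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s  # refuse to install a config sshd cannot parse (lockout guard)
      notify: Restart ssh

  handlers:
    # Runs once at the end of the play, and only if sshd_config changed.
    - name: Restart ssh
      service:
        name: sshd
        state: restarted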
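### Arch/Fedora bootstrap.
# Logs in as bootstrap_user and creates only the ansible user (wheel
# group), its sudoers drop-in, its SSH key and the hardened sshd_config.
# No `become` is set, so this assumes bootstrap_user is root or otherwise
# able to write /etc and create users — confirm.
- hosts: arch fedora
  remote_user: "{{ bootstrap_user }}"
  gather_facts: true
  vars_files:
    - 'vars/vault.yaml'
  tasks:
    # NOTE(review): `password` expects an already-hashed (crypt) value;
    # the vault must hold a hash, not plaintext — confirm.
    - name: Add ansible user
      user:
        name: ansible
        password: "{{ secret_ansible_pass }}"
        uid: 666  # fixed uid so the account is identical across hosts
        groups:
          - wheel
        system: true
        shell: /bin/bash

    - name: Add sudoers file for ansible
      copy:
        src: sudoer_ansible
        dest: /etc/sudoers.d/ansible
        owner: root
        group: root
        mode: "0440"  # quoted so the octal mode reaches Ansible as a string
        validate: /usr/sbin/visudo -cf %s  # a syntax error here would break all sudo

    - name: Add SSH Keys
      authorized_key:
        user: ansible
        state: present
        key: "{{ secret_ansible_ssh }}"

    - name: Add hardened SSH config
      copy:
        src: sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s  # refuse to install a config sshd cannot parse (lockout guard)
      notify: Restart ssh

  handlers:
    # Runs once at the end of the play, and only if sshd_config changed.
    - name: Restart ssh
      service:
        name: sshd
        state: restarted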
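### Debian bootstrap.
# Logs in as bootstrap_user, updates apt, creates the ansible user (sudo
# group), its sudoers drop-in, SSH keys and the hardened sshd_config.
# No `become` is set, so this assumes bootstrap_user is root or otherwise
# able to write /etc and create users — confirm.
- hosts: debian
  remote_user: "{{ bootstrap_user }}"
  gather_facts: true
  vars_files:
    - 'vars/vault.yaml'
  tasks:
    - name: Apt update
      apt:
        upgrade: 'yes'  # string choice of the apt module ('yes'/'safe'/'full'/'dist'), not a boolean
        update_cache: true
        cache_valid_time: 3600

    # NOTE(review): `password` expects an already-hashed (crypt) value;
    # the vault must hold a hash, not plaintext — confirm.
    - name: Add ansible user
      user:
        name: ansible
        password: "{{ secret_ansible_pass }}"
        uid: 666  # fixed uid so the account is identical across hosts
        groups:
          - sudo
        system: true
        shell: /bin/bash

    - name: Add sudoers file for ansible
      copy:
        src: sudoer_ansible
        dest: /etc/sudoers.d/ansible
        owner: root
        group: root
        mode: "0440"  # quoted so the octal mode reaches Ansible as a string
        validate: /usr/sbin/visudo -cf %s  # a syntax error here would break all sudo

    # NOTE(review): unlike the Ubuntu play, this play never creates
    # main_username; authorized_key fails if that account does not already
    # exist on the host — confirm it is pre-provisioned (e.g. as bootstrap_user).
    - name: SSH Keys
      authorized_key:
        user: "{{ item.user }}"
        state: present
        key: "{{ item.ssh }}"
      loop:
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_ssh }}"
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_alt_ssh }}"
        - user: "{{ main_username }}"
          ssh: "{{ secret_main_user_pixel_ssh }}"
        - user: ansible
          ssh: "{{ secret_ansible_ssh }}"

    - name: Add hardened SSH config
      copy:
        src: sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s  # refuse to install a config sshd cannot parse (lockout guard)
      notify: Restart ssh

  handlers:
    # Runs once at the end of the play, and only if sshd_config changed.
    - name: Restart ssh
      service:
        name: sshd
        state: restarted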