-
Notifications
You must be signed in to change notification settings - Fork 1
/
vpsBootstrap.yml
88 lines (68 loc) · 3.28 KB
/
vpsBootstrap.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# vpsBootstrap.yml
# https://serverfault.com/questions/567887/how-to-install-python-packages-to-homebrew-ansibles-site-packages-folder
---
- hosts: all
user: vagrant
sudo: yes
vars:
- ubuntu_release: trusty
- logwatch_email: [email protected]
# crypted passwords, generated using passlib (pip install passlib):
# python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
- deploy_password: $6$rounds=100000$oasyo6Etwm5Z1y/P$4md7tsFpgSKvjsK6W1CnzYnGIWSCcMFxBTmUd74amfbciAqc/5Z9asFQzaFZQuHZ/SgY1Uwo76hX.fUNYWfj00
- root_password: $6$rounds=100000$.giIFokLccflM7L.$5feT4Lc0J9j3orVX3gNz6RU07yUYITUzsfKQi4t//EBReMXTFk4lvUztY9mqXsq45hiJn6sgVEJtkkGsUiXGL1
- fqdn_hostname: server.yourdomain.tld
- fqdn_smtp_relay: mail.yourrelay.tld
tasks:
- name: Update APT package cache
action: apt update_cache=yes
- name: Upgrade APT to the lastest packages
action: apt upgrade=safe
- name: Install mosh
action: apt pkg=mosh state=installed
- name: Install vim
action: apt pkg=vim state=installed
- name: Install fail2ban
action: apt pkg=fail2ban state=installed
- name: Set root password
action: user name=root password={{root_password}}
- name: Add deployment user
action: user name=deploy shell=/bin/bash password={{deploy_password}} state=present
- name: Add authorized deploy key
action: authorized_key user=deploy key="{{ lookup('file', './id_rsa.pub') }}" state=present
- name: Remove sudo group rights
action: lineinfile dest=/etc/sudoers regexp="^%sudo" state=absent
- name: Add deploy user to sudoers
action: lineinfile dest=/etc/sudoers regexp="deploy ALL" line="deploy ALL=(ALL) ALL" state=present
- name: Disallow password authentication
action: lineinfile dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
notify: Restart ssh
- name: Install unattended-upgrades
action: apt pkg=unattended-upgrades state=present
- name: Make sure unattended-upgrades only installs from $ubuntu_release-security
action: lineinfile dest=/etc/apt/apt.conf.d/50unattended-upgrades regexp="$ubuntu_release-updates" state=absent
# - name: Set up Postfix to relay mail
# template: src=postfix-smarthost.preseed.j2 dest=/tmp/postfix-smarthost.preseed validate='debconf-set-selections %s'
#
# - name: Install Postfix package
# action: apt pkg=postfix state=installed update-cache=yes
#
# - name: Install logwatch
# action: apt pkg=logwatch state=installed
#
# - name: Make logwatch mail $logwatch_email daily
# action: lineinfile dest=/etc/cron.daily/00logwatch regexp="^/usr/sbin/logwatch" line="/usr/sbin/logwatch --output mail --mailto $logwatch_email --detail high" state=present create=yes
- name: Setup ufw (allow ssh)
action: shell ufw allow 22/tcp
- name: Setup ufw (allow HTTPS)
action: shell ufw allow 443/tcp
- name: Setup ufw ()
action: shell ufw allow 60023/udp
- name: Enable ufw
action: shell echo 'y' | ufw enable
# - name: Disallow root SSH access
# action: lineinfile dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present
# notify: Restart ssh
handlers:
- name: Restart ssh
action: service name=ssh state=restarted