@Alevsk
Created March 28, 2023 06:07
Ansible playbook to install ssh public keys
- hosts: "{{ HOSTS }}"
  name: Install authentication keys and certificates
  become: yes
  tasks:
    # The pipe lookup runs on the control node, so the keys come from the
    # operator's ~/.ssh. exclusive: yes removes every other key from the
    # user's authorized_keys file.
    - name: install public keys
      register: pub_keys_installed
      ansible.posix.authorized_key:
        exclusive: yes
        user: "{{ ansible_user }}"
        state: present
        key: "{{ lookup('pipe','cat ~/.ssh/id_ecdsa_sk-*.pub') }}"
    # Grants passwordless sudo; visudo checks the file before it is installed.
    - name: add user to sudoers list
      lineinfile:
        path: "/etc/sudoers.d/{{ ansible_user }}"
        line: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
        state: present
        mode: "0440"  # quoted so the mode is not parsed as a plain integer
        create: yes
        validate: 'visudo -cf %s'
    - name: install local certificate authority certs
      copy:
        src: /usr/local/share/ca-certificates/network.lan.ca.crt
        dest: /usr/local/share/ca-certificates/network.lan.ca.crt
    - name: set timezone to America/Los_Angeles
      community.general.timezone:
        name: "America/Los_Angeles"
    - name: Install additional tools
      ansible.builtin.apt:
        name:
          - ca-certificates
        state: latest
        update_cache: true
    # Rebuilds the system trust store so the CA copied above is picked up.
    - name: Update certificates index
      shell: /usr/sbin/update-ca-certificates
    # sshd -t validates the edited config before it replaces the live file.
    - name: Disable root login over SSH
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        state: "present"
        validate: 'sshd -t -f %s'
      # Restart sshd when only this setting changed, too.
      notify:
        - restart ssh
    - name: Disable password login over SSH
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: "present"
        validate: 'sshd -t -f %s'
      notify:
        - restart ssh
  handlers:
    # Runs once at the end of the play if any notifying task reported a change.
    - name: restart ssh
      service:
        name: ssh
        state: restarted