New server provisioning and hardening with Ansible
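---
# Provision and harden a freshly installed Debian/Ubuntu host.
#
# Run this play over the host's initial SSH session as root (or with
# --become): it creates a deploy user, moves SSH to a non-default port that
# only the VPN addresses may reach, then disables password and root logins.
# Lockout risk: verify the deploy key works on the new port from a VPN
# address before closing the bootstrap session.
- hosts: all
  vars:
    # Password hashes consumed by the user module (generate with
    # `mkpasswd --method=sha-512`). Keep real hashes in an ansible-vault
    # file and never record the plaintext next to the hash.
    deploy_username: vivi
    deploy_user_password: '$6$09OkVQ6vcbd1$k5.V0M4369M77OwjaN8zulWjWQWl6/7V./BOmvEY4XaQXasIobhrHwkdzeOFrpsUunNP.yS.oQZr.ZHvIjXb81'
    root_user_password: '$6$tpxurhzMuV0drO$gaePtwj1QJc44jncbziUwtWiNDvWDJhR1iPlQq.WIz3rs59LqRSy2bFewG8YZCD7ACm03XpUsFSts0C8CawEE1'

    # Local paths of public keys installed for the deploy user; add one
    # entry per key.
    ssh_public_keys:
      - ./ssh-keys/deploy.key.pub

    # Packages to install (installed in a single apt transaction).
    required_package_install:
      - sudo
      - vim
      - wget
      - curl
      - screen
      - lsof
      - man-db
      - locate
      - unattended-upgrades
      - ufw
      - fail2ban
      - zip
      - unzip
      - apt-transport-https
      - git
      - ca-certificates
      - python
      - python-pip
      - python3
      - python3-pip

    # VPN addresses that may reach SSH and the limited ports. The value
    # below is a placeholder; list one real address per entry.
    firewall_vpn_ips:
      - 1.2.3.4

    # New SSH port; port 22 is never opened in the firewall.
    firewall_ssh_port: 12345

    # Additional ports that only the VPN addresses may reach.
    firewall_limited_ports:
      - 7443

    # Ports open to any source address.
    firewall_allow_ports:
      - 80
      - 443
      - 8080
      - 8443

  tasks:
    # --- User management ---
    - name: Change root password
      user:
        name: root
        password: "{{ root_user_password }}"

    - name: Add deploy user
      user:
        name: "{{ deploy_username }}"
        password: "{{ deploy_user_password }}"
        shell: /bin/bash

    - name: Add authorized SSH keys for deploy user
      authorized_key:
        user: "{{ deploy_username }}"
        state: present
        key: "{{ lookup('file', item) }}"
      loop: "{{ ssh_public_keys }}"

    - name: Add deploy user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: "{{ deploy_username }} ALL"
        line: "{{ deploy_username }} ALL=(ALL) ALL"
        state: present
        # A syntax error in sudoers disables sudo for every user; only
        # write the file if visudo accepts the result.
        validate: /usr/sbin/visudo -cf %s

    # --- Server upgrade and package installation ---
    - name: Update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade installed packages
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        name: "{{ required_package_install }}"
        state: present

    # --- Unattended upgrades ---
    - name: Check for existing apt periodic config
      stat:
        path: /etc/apt/apt.conf.d/10periodic
      register: apt_periodic

    - name: Backup apt periodic config file
      copy:
        src: /etc/apt/apt.conf.d/10periodic
        dest: /etc/apt/apt.conf.d/10periodic.bak
        remote_src: true
        # Keep the original backup; do not overwrite it with the managed
        # file on re-runs.
        force: false
      when: apt_periodic.stat.exists

    - name: Configure apt auto update
      blockinfile:
        path: /etc/apt/apt.conf.d/10periodic
        create: true
        block: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Download-Upgradeable-Packages "1";
          APT::Periodic::AutocleanInterval "7";
          APT::Periodic::Unattended-Upgrade "1";

    # --- Timezone ---
    - name: Change timezone
      timezone:
        name: Europe/Moscow

    # --- Screen config (scrolling in screen, larger scrollback) ---
    - name: Screen config
      blockinfile:
        path: "/home/{{ deploy_username }}/.screenrc"
        create: true
        # The play runs as root; hand the file to the user it belongs to.
        owner: "{{ deploy_username }}"
        block: |
          termcapinfo xterm* ti@:te@
          defscrollback 10000

    # --- Firewall ---
    # Allow rules are added before the firewall is enabled so that the
    # default-deny policy never takes effect with an empty rule set.
    - name: Allow SSH traffic from VPN IPs only
      ufw:
        rule: allow
        port: "{{ firewall_ssh_port }}"
        proto: tcp
        src: "{{ item }}"
      loop: "{{ firewall_vpn_ips }}"

    - name: Limit traffic to select ports to VPN IPs only
      ufw:
        rule: allow
        port: "{{ item[0] }}"
        proto: tcp
        src: "{{ item[1] }}"
      # Every (port, address) pair, as with_nested produced.
      loop: "{{ firewall_limited_ports | product(firewall_vpn_ips) | list }}"

    - name: Allow traffic to custom ports from any IP
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: "{{ firewall_allow_ports }}"

    - name: Enable firewall with default deny policy
      ufw:
        state: enabled
        policy: deny

    # --- SSH hardening ---
    - name: Backup SSH config file
      copy:
        src: /etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config.bak
        remote_src: true
        # Preserve the pre-hardening config across re-runs.
        force: false

    # Each sshd_config edit is validated with `sshd -t` so a bad line can
    # never be written and leave the restart handler with a broken daemon.
    - name: Change SSH port
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ firewall_ssh_port }}"
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: PasswordAuthentication no
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: PermitRootLogin no
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted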