@andrewsomething
Last active September 15, 2020 18:13
My "first five minutes" on a server
---
# Handler: notified by the sshd_config tasks so the daemon only restarts
# when something actually changed. The unit is named "ssh" on Debian/Ubuntu.
- name: Restart sshd
  service:
    name: ssh
    state: restarted
  become: yes
---
# Tasks. Every task escalates with become: yes; the play is expected to
# connect as an account that can already sudo (root on a fresh host).
- name: Update APT cache
  apt:
    update_cache: yes
  become: yes

- name: Upgrade APT packages
  apt:
    upgrade: dist
  become: yes

- name: Install common APT packages
  apt:
    name:
      - byobu
      - fail2ban
      - git
      - htop
      - openssl
      - ssh-import-id
      - ufw
      - vim
    state: present   # 'installed' is a deprecated alias of 'present'
  become: yes

- name: Use UFW with IPv6
  lineinfile:
    dest: /etc/default/ufw
    regexp: "^IPV6"
    line: "IPV6=yes"
    state: present
  become: yes

- name: UFW deny incoming
  ufw:
    direction: incoming
    policy: deny
  become: yes

- name: UFW allow outgoing
  ufw:
    direction: outgoing
    policy: allow
  become: yes

# SSH must be allowed before the firewall is enabled, or the next task
# cuts off the session that is running the play.
- name: Open port 22
  ufw:
    rule: allow
    port: '22'
    proto: tcp
  become: yes

- name: Enable ufw
  ufw:
    state: enabled
  become: yes

- name: Ensure 'wheel' group exists
  group:
    name: wheel
    state: present
  become: yes   # groupadd needs root; the original task omitted this

- name: Allow 'wheel' group to have passwordless sudo
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'   # a syntax error in sudoers locks everyone out of sudo
  become: yes

- name: Add default user with sudo access
  user:
    name: "{{ username }}"
    groups: wheel   # supplementary group, so the user keeps its own primary group
    append: yes
    shell: /bin/bash
    state: present
  become: yes

# Pulls whatever public keys are currently published on that GitHub account;
# the trust boundary is the GitHub account, not a key you copied by hand.
- name: Add SSH keys to authorized_keys using ssh-import-id
  command: /usr/bin/ssh-import-id gh:{{ gh_username }} -o /home/{{ username }}/.ssh/authorized_keys
  args:
    creates: /home/{{ username }}/.ssh/authorized_keys
  become: yes
  become_user: "{{ username }}"

- name: Enable byobu for default user
  command: byobu-enable
  args:
    creates: /home/{{ username }}/.byobu/
  become: yes
  become_user: "{{ username }}"

# '!' is a locked password hash. The original used password: "", which
# writes an empty hash field; that is not a lock and can permit a
# passwordless login wherever PAM allows empty passwords.
- name: Lock root password
  user:
    name: root
    password: "!"
  become: yes

- name: Remove authorized_keys file for root user
  file:
    path: /root/.ssh/authorized_keys
    state: absent
  become: yes

# validate runs sshd's config check on the edited copy before it is written,
# so a broken directive cannot leave the host without a working sshd.
- name: Disallow root SSH access
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  become: yes
  notify: Restart sshd

- name: Disallow password authentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  become: yes
  notify: Restart sshd
---
# Variables referenced by the tasks
username: asb
gh_username: andrewsomething
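The two sshd_config tasks depend on lineinfile's behaviour when no uncommented line matches the regexp: the directive is appended at the end of the file. sshd takes the first value it reads for a keyword, and every line after a `Match` line belongs to that block until the next `Match` or end of file, so an appended `PermitRootLogin no` can land inside a Match block and never apply globally. The Python below is an added example, not part of the gist; it models those two parsing rules to audit an sshd_config text offline for the settings the playbook sets. The sample configs are constructed for the example.

```python
"""Offline audit of sshd_config against the hardening the playbook intends.

Models two sshd rules: the first occurrence of a keyword wins, and lines
after a `Match` line belong to that block, not to the global section.
"""
import re
from typing import Dict, List, Tuple

# Keyword -> expected value, as set by the two lineinfile tasks.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

# Constructed sample: what the playbook intends.
SAMPLE_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: the original line was commented, so lineinfile appended
# at EOF, after an existing Match block. Both directives now belong to it.
SAMPLE_APPENDED_AFTER_MATCH = """
Port 22
#PermitRootLogin prohibit-password
Match User git
    PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: an earlier, permissive line wins over the appended one.
SAMPLE_FIRST_WINS = """
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global_settings, {match_criteria: settings}).

    Keywords are lowercased (sshd treats them case-insensitively); comments and
    blank lines are skipped; for each section the first value per keyword wins.
    """
    global_settings: Dict[str, str] = {}
    match_blocks: Dict[str, Dict[str, str]] = {}
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # keyword without a value; sshd would reject it anyway
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = value
            match_blocks.setdefault(current, {})
            continue
        target = global_settings if current is None else match_blocks[current]
        target.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def audit_sshd_config(text: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Return findings for expected settings not in force globally ([] = clean)."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in expected.items():
        got = global_settings.get(key)
        if got is not None and got.lower() == want:
            continue
        only_in = [name for name, kv in match_blocks.items()
                   if kv.get(key, "").lower() == want]
        if got is None and only_in:
            findings.append(f"{key}={want} only inside Match block(s) {only_in}; "
                            f"global value unset, sshd default applies")
        elif got is None:
            findings.append(f"{key} not set globally; sshd default applies")
        else:
            findings.append(f"{key} is {got!r} globally, expected {want!r}")
    return findings


if __name__ == "__main__":
    for label, sample in [("hardened", SAMPLE_HARDENED),
                          ("appended after Match", SAMPLE_APPENDED_AFTER_MATCH),
                          ("first wins", SAMPLE_FIRST_WINS)]:
        print(f"{label}: {audit_sshd_config(sample) or 'OK'}")
```

On a real host the authoritative check is the daemon itself: `sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication)'` prints the effective global values. If the file ends in a Match block, give the two lineinfile tasks `insertbefore: '^Match'` together with `firstmatch: yes` so the directive is placed in the global section instead of being appended.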