dhet/secrets.yaml

## secrets.yaml
docker_username: dhetbot
docker_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33383361346365316566663434303530346663636261653934316366323162616137343464656438
          3032616265386530393237663533323834393064343531390a626233353961363632643661376164
          65336635366130663266623861613834646232393766396462316365346665613065646638333534
          6364373831346235610a366639393163666234643631396464643036623536396335666336343133
          6561

## setup.yaml
- hosts: all
  remote_user: root
  gather_facts: false
  vars:
    users:
    - name: david
      groups: docker,appadmin
      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGJXMAnZGc8+qZYm1Vb2ZyPsyKoweoqFQ0PBzkd1ZiioBWIK185zgV4VvVHruTc+xozFZPXacM0WAxBQ7CE2fyD9ssyDPA/bB+JQ4C572GV9MDA0mIsRUF3DxXbUB0ROmvQ6VDxqT+mUn1tDyLmxVqZAxSLEobgaWV7c5K8IPdF47RU7/elOWjTHssfsyghztbhr7LYlO5JJRGuK/kv40mVrQWGWrcHqNEgnJLuCC2I8OaZqzGNynL6gymTdYs/JtZahO/0E0SNct+dk+/eiVzkl9RzbBmAZXTKGOxG/qCF0G2SEQU7joDTwO6Ohc2hvdBe+g+uUWh/Mcpiq0+0EMIB5fiRSEJo1AAzphbp/zjUemAWzGcjo6Vt+6NgQm0BhU1L2mgptom44hVxtNbQebKnPk+6uB0addJf09LMQ+6qKJluGFefwTmpk5+yrXNhgfl5UP+i32X4XI6ofcF+lCsjK/MAml00LCWRFpfnw7NuWtKfmkd+blK5rgzWBL/zVyx2voBVRAOWu3ydid22j2AYzwSiG6KGdcZGweftm5meCsaZtbnwCTYCDhwvp2rie2SjfkGiimhGOT+vkXYa3XDO0I3L2kr110lqiVahjtjzArZK25qRcf2RmVtg4xxuekAfjDGPm5XWMiGDlVuP8uuknAuU6gP+/8Ig2UGpEBwZQ== david
      sudo: true
    - name: automation
      groups: docker,appadmin
      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCXdd1mM0+xynLjXJ5TcaU1J1EKNYBMc0TzG2hWaHRufklMwLo4ZdaDyXjeEovWi84ZQGV0ldjni+D6doN2EvhSgeEumC2wW0nX98j/317m++jNfZpjIr3ut/P3+zfGPDJBa7xqzrLpEleU47iebo+Hm/sTuf50SqSt7sr5k33E15B4xil9TKuR/SF753OO1VnQqJh/a84QrC9IGJrOSrsxLCe1Qs1Rs98lMmuToGQ7C5ZRmrw7KGHVFecDcSvknZ9uOUwRqWDXebnTbCebVbyY2CJ6ZeIco4bYkioWZGU45xOAh4iLT5CHXmGWCYS5rU16JH1Jmajz4Zz8vdMBmCrehh3eN1sMgecu2r+VTVtlL2fQzPnSdl2994y6P4zhUJCTpzvChM0QkTE/4DR5+Wi+n+fUWUh0Ek2mjXduOGoie/yMBHH8yOzAM3GtzNnLTr/Z6IZEsvHz684wwTV3bEQ9YEYq/tIHLPszOpery6scDgppLhKCoGjYh8mb7FvFPY2dMqWIqvTgaC4hx55EBKrKvVkk4rpri5I2Hxrjlbr7K2+8KWI+Nw88gSZiPQthNeEVVsdy/krFWrdpYNr828Zqv9p8dXcTiF7aP9cSfmhZuRW2G0lxhUaTz3+B/SaCtjRjSw1GYZf2yd++KJvDV6+0jl/KvMS9D/1+A1vpfSQt7Q== automation
      sudo: true
  vars_files:
    - secrets.yaml
  handlers:
  - name: Restart ssh
    service:
      name: ssh
      state: restarted


  tasks:
  - name: Install packages
    apt:
      name:
        - ufw
        - fail2ban
        - vim
        - htop
        - jq
        - unattended-upgrades
        - docker
        - docker.io
        - docker-compose
      state: present
      update_cache: yes
      cache_valid_time: 3600
  - name: Upgrade packages
    apt:
      upgrade: safe
  - name: Adjust update intervals
    copy:
      dest: /etc/apt/apt.conf.d/10periodic
      content: |
        APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Download-Upgradeable-Packages "1";
        APT::Periodic::AutocleanInterval "7";
        APT::Periodic::Unattended-Upgrade "1";
  - name: Setup firewall
    ufw:
      state: enabled
      policy: deny
  - name: Open ports
    ufw:
      rule: allow
      port: "{{ item }}"
    loop: [ "22", "80", "443"]
  - name: Disallow password authentication
    lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication no"
      state: present
    notify: Restart ssh
  - name: Create appadmin group
    group:
      name: appadmin
      state: present
  - name: Add users
    user:
      name: "{{ item.name }}"
      groups: "{{ item.groups }}"
      shell: /bin/bash
    loop: "{{ users }}"
  - name: Configure SSH access
    authorized_key:
      user: "{{ item.name}}"
      key: "{{ item.key }}"
    loop: "{{ users }}"
  - name: Configure sudoers
    lineinfile:
      dest: /etc/sudoers
      regexp: "{{ item.name }} ALL"
      line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
      state: present
    when: item.sudo
    loop: "{{ users }}"
  - name: Log users into Dockerhub
    docker_login:
      username: "{{ docker_username }}"
      password: "{{ docker_password }}"
    become_user: "{{ item.name }}"
    loop: "{{ users }}"
	docker_username: dhetbot
	docker_password: !vault \|
	$ANSIBLE_VAULT;1.1;AES256
	33383361346365316566663434303530346663636261653934316366323162616137343464656438
	3032616265386530393237663533323834393064343531390a626233353961363632643661376164
	65336635366130663266623861613834646232393766396462316365346665613065646638333534
	6364373831346235610a366639393163666234643631396464643036623536396335666336343133
	6561
	- hosts: all
	remote_user: root
	gather_facts: false
	vars:
	users:
	- name: david
	groups: docker,appadmin
	key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGJXMAnZGc8+qZYm1Vb2ZyPsyKoweoqFQ0PBzkd1ZiioBWIK185zgV4VvVHruTc+xozFZPXacM0WAxBQ7CE2fyD9ssyDPA/bB+JQ4C572GV9MDA0mIsRUF3DxXbUB0ROmvQ6VDxqT+mUn1tDyLmxVqZAxSLEobgaWV7c5K8IPdF47RU7/elOWjTHssfsyghztbhr7LYlO5JJRGuK/kv40mVrQWGWrcHqNEgnJLuCC2I8OaZqzGNynL6gymTdYs/JtZahO/0E0SNct+dk+/eiVzkl9RzbBmAZXTKGOxG/qCF0G2SEQU7joDTwO6Ohc2hvdBe+g+uUWh/Mcpiq0+0EMIB5fiRSEJo1AAzphbp/zjUemAWzGcjo6Vt+6NgQm0BhU1L2mgptom44hVxtNbQebKnPk+6uB0addJf09LMQ+6qKJluGFefwTmpk5+yrXNhgfl5UP+i32X4XI6ofcF+lCsjK/MAml00LCWRFpfnw7NuWtKfmkd+blK5rgzWBL/zVyx2voBVRAOWu3ydid22j2AYzwSiG6KGdcZGweftm5meCsaZtbnwCTYCDhwvp2rie2SjfkGiimhGOT+vkXYa3XDO0I3L2kr110lqiVahjtjzArZK25qRcf2RmVtg4xxuekAfjDGPm5XWMiGDlVuP8uuknAuU6gP+/8Ig2UGpEBwZQ== david
	sudo: true
	- name: automation
	groups: docker,appadmin
	key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCXdd1mM0+xynLjXJ5TcaU1J1EKNYBMc0TzG2hWaHRufklMwLo4ZdaDyXjeEovWi84ZQGV0ldjni+D6doN2EvhSgeEumC2wW0nX98j/317m++jNfZpjIr3ut/P3+zfGPDJBa7xqzrLpEleU47iebo+Hm/sTuf50SqSt7sr5k33E15B4xil9TKuR/SF753OO1VnQqJh/a84QrC9IGJrOSrsxLCe1Qs1Rs98lMmuToGQ7C5ZRmrw7KGHVFecDcSvknZ9uOUwRqWDXebnTbCebVbyY2CJ6ZeIco4bYkioWZGU45xOAh4iLT5CHXmGWCYS5rU16JH1Jmajz4Zz8vdMBmCrehh3eN1sMgecu2r+VTVtlL2fQzPnSdl2994y6P4zhUJCTpzvChM0QkTE/4DR5+Wi+n+fUWUh0Ek2mjXduOGoie/yMBHH8yOzAM3GtzNnLTr/Z6IZEsvHz684wwTV3bEQ9YEYq/tIHLPszOpery6scDgppLhKCoGjYh8mb7FvFPY2dMqWIqvTgaC4hx55EBKrKvVkk4rpri5I2Hxrjlbr7K2+8KWI+Nw88gSZiPQthNeEVVsdy/krFWrdpYNr828Zqv9p8dXcTiF7aP9cSfmhZuRW2G0lxhUaTz3+B/SaCtjRjSw1GYZf2yd++KJvDV6+0jl/KvMS9D/1+A1vpfSQt7Q== automation
	sudo: true
	vars_files:
	- secrets.yaml
	handlers:
	- name: Restart ssh
	service:
	name: ssh
	state: restarted


	tasks:
	- name: Install packages
	apt:
	name:
	- ufw
	- fail2ban
	- vim
	- htop
	- jq
	- unattended-upgrades
	- docker
	- docker.io
	- docker-compose
	state: present
	update_cache: yes
	cache_valid_time: 3600
	- name: Upgrade packages
	apt:
	upgrade: safe
	- name: Adjust update intervals
	copy:
	dest: /etc/apt/apt.conf.d/10periodic
	content: \|
	APT::Periodic::Update-Package-Lists "1";
	APT::Periodic::Download-Upgradeable-Packages "1";
	APT::Periodic::AutocleanInterval "7";
	APT::Periodic::Unattended-Upgrade "1";
	- name: Setup firewall
	ufw:
	state: enabled
	policy: deny
	- name: Open ports
	ufw:
	rule: allow
	port: "{{ item }}"
	loop: [ "22", "80", "443"]
	- name: Disallow password authentication
	lineinfile:
	dest: /etc/ssh/sshd_config
	regexp: "^PasswordAuthentication"
	line: "PasswordAuthentication no"
	state: present
	notify: Restart ssh
	- name: Create appadmin group
	group:
	name: appadmin
	state: present
	- name: Add users
	user:
	name: "{{ item.name }}"
	groups: "{{ item.groups }}"
	shell: /bin/bash
	loop: "{{ users }}"
	- name: Configure SSH access
	authorized_key:
	user: "{{ item.name}}"
	key: "{{ item.key }}"
	loop: "{{ users }}"
	- name: Configure sudoers
	lineinfile:
	dest: /etc/sudoers
	regexp: "{{ item.name }} ALL"
	line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
	state: present
	when: item.sudo
	loop: "{{ users }}"
	- name: Log users into Dockerhub
	docker_login:
	username: "{{ docker_username }}"
	password: "{{ docker_password }}"
	become_user: "{{ item.name }}"
	loop: "{{ users }}"