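---
# Baseline hardening for a fresh apt-based (Debian/Ubuntu) host: timezone,
# an admin user keyed with the controller's public key, sshd hardening on a
# non-default port, and a default-deny UFW policy with the service ports
# opened.
#
# After the first run sshd listens on ssh_port, so subsequent runs must set
# ansible_port to that value (inventory or -e ansible_port=...).
- hosts: all
  become: true

  vars:
    timezone: Europe/Paris
    created_username: server
    # Non-default SSH port; UFW rate-limits (rule: limit) this port below.
    ssh_port: 49999
    # Service ports opened world-wide in UFW. MySQL in particular should be
    # restricted with `src:` to known client addresses once they are known.
    mysql_port: 50123
    txadmin_port: 48888
    fivem_port: 30120

  vars_prompt:
    - name: "ssh_key_passphrase"
      prompt: "Enter passphrase for the SSH key (if generated)"
      # Hidden while typing; the task that uses it also sets no_log so it
      # never reaches Ansible's output or logs.
      private: true

  tasks:
    - name: Set timezone to "{{ timezone }}" (system and hardware clock)
      community.general.timezone:
        name: "{{ timezone }}"
      notify:
        - Restart crond

    # Grants NOPASSWD sudo to the whole %sudo group, not only the user created
    # below: any account later added to that group gets passwordless root.
    # The `validate` call refuses a sudoers line that would not parse.
    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    - name: User - Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true
        shell: /bin/bash

    # Every sshd_config edit is validated with `sshd -t` against the
    # candidate file before it is written, so a bad line cannot be installed
    # and then lock us out when the "Restart SSHD" handler fires.
    - name: SSH - Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    - name: SSH - Pubkey Auth Enable (ensure)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    # Only after the authorized key below is in place does this become safe;
    # the handler restarts sshd at the end of the play, after that task ran.
    - name: SSH - Password Auth Disable (ensure)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    - name: SSH - Lower the maximum number of authentication attempts
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MaxAuthTries'
        line: 'MaxAuthTries 3'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    - name: SSH - Lower the maximum number of simultaneous SSH sessions allowed for a user
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MaxSessions'
        line: 'MaxSessions 2'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    - name: SSH - Update SSH port
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port'
        line: "Port {{ ssh_port }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSHD

    # Installs the controller's public key for the new user. The module also
    # creates ~/.ssh with the right owner and mode, which the key generation
    # task below relies on.
    - name: SSH - Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}"

    # Runs as the created user so the key files are owned by that user rather
    # than by root (the play-level become would otherwise run this as root).
    # The passphrase is passed on the command line, so no_log keeps it out of
    # Ansible output and logs; it is still briefly visible in the process
    # list on the target.
    - name: SSH - Generate ed25519 ssh key if necessary
      command: ssh-keygen -t ed25519 -f "/home/{{ created_username }}/.ssh/id_ed25519" -N "{{ ssh_key_passphrase }}" -q
      args:
        creates: "/home/{{ created_username }}/.ssh/id_ed25519.pub"
      become_user: "{{ created_username }}"
      no_log: true

    # fail2ban is installed here but not configured by this play; its default
    # sshd jail watches port "ssh" (22), so a jail for ssh_port is still needed.
    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - fail2ban
          - git
          - nano
          - screen
          - ufw
        state: latest
        update_cache: true

    # The SSH rule must exist before UFW is enabled with a deny default,
    # otherwise the current session is the last one that gets in.
    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: limit
        port: "{{ ssh_port }}"
        proto: tcp

    - name: UFW - Allow MySQL connections
      community.general.ufw:
        rule: allow
        port: "{{ mysql_port }}"
        proto: tcp

    - name: UFW - Allow TxAdmin connections
      community.general.ufw:
        rule: allow
        port: "{{ txadmin_port }}"
        proto: tcp

    - name: UFW - Allow FiveM UDP connections
      community.general.ufw:
        rule: allow
        port: "{{ fivem_port }}"
        proto: udp

    - name: UFW - Allow FiveM TCP connections
      community.general.ufw:
        rule: allow
        port: "{{ fivem_port }}"
        proto: tcp

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

  handlers:
    - name: Restart crond
      service:
        name: cron
        state: restarted

    # NOTE(review): the Debian unit is `ssh`; `sshd` resolves through an alias
    # on Ubuntu and recent Debian — confirm for the target release.
    - name: Restart SSHD
      service:
        name: sshd
        state: restarted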