Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Ansible playbook for the *very first* connection to a newly-provisioned VPS
---
##############################################################
#
# setup_accounts.yml
#
# This Ansible playbook configures the accounts for an initial
# connection to a newly provisioned VPS. It performs the following tasks:
#
# 1. Log into the target server using the root password (not public key)
# 2. Create a 'deploy' user
# 3. Install the SSH public key from your account/home directory
# 4. Add 'deploy' to /etc/sudoers to enable sudo access
# 5. Disallow password login for all accounts
# 6. Disallow root ssh access
# 7. (Leave ssh port set to default of 22 - commented out)
#
# The script ssh's into the host and uses the root password for
# authentication. It can never be re-run on the host because
# passwords and root access are both disallowed.
#
# You only need to run this playbook one time for a new VPS. After that
# all future connections to the host should use the 'deploy' user.
#
# ----------------
#
# To run the script, enter the following command:
#
# ansible-playbook -i "hostname," setup_accounts.yml -k
#
# Substitute the hostname as needed (keep the trailing comma (",").
# You will be prompted to enter the root password, then you will be
# prompted to enter a password (twice) for the 'deploy' user.
#
# If you see "Please add this host's fingerprint to your known_hosts file"
# you need to ssh root@hostname one time to set the fingerprint.
# Then re-run the ansible-playbook command (above)
#
# ----------------
#
# Copyright (c) 2020 Rich Brown
# Blueberry Hill Software
# rich.brown@blueberryhillsoftware.com
# GPL v2 - use it, enjoy it, and let me know if it helps!
#
# Provenance: Original ideas came from:
# https://github.com/jedelman8/server-build-ansible/blob/master/server_one_time_run.yml
# referred from http://jedelman.com/home/server-bootstrap-prep-with-ansible/
# Seasoned with info from Ryan Eschinger's first-time setup
# Those playbooks needed to be refreshed for the (current) Ansible 2.9 syntax
# Tested with Ansible 2.9.6 - 6Apr2020
#
##############################################################
- name: Set Up Accounts on a New Host (First run - never again)
hosts: all
gather_facts: no
remote_user: root
vars_prompt:
- name: deploy_password
prompt: "What is the password for the 'deploy' user?"
private: yes
- name: deploy_password2
prompt: " Enter the 'deploy' password one more time"
private: yes
vars:
ubuntu_common_deploy_user_name: deploy
hashed_password: "{{ deploy_password | password_hash('sha512') }}"
copy_of_my_ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
# ubuntu_common_ssh_port: 22
tasks:
#check if params are valid: abort the remaining tasks if not
- assert:
that:
- deploy_password is defined
- deploy_password2 is defined
- deploy_password == deploy_password2
success_msg: "Passwords are OK"
fail_msg: "Passwords are missing or do not match"
- name: 'Add deploy user'
user: name={{ ubuntu_common_deploy_user_name }} password="{{ hashed_password }}" shell=/bin/bash
- name: 'Add authorized key taken from HOME public key'
authorized_key:
user: deploy
state: present
key: "{{ copy_of_my_ssh_key }}"
- name: 'Add deploy user to sudoers'
lineinfile: dest=/etc/sudoers
regexp="{{ ubuntu_common_deploy_user_name }} ALL"
line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
state=present
- name: 'Disallow password authentication'
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
notify: Restart ssh
- name: 'Disallow root SSH access'
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin no"
state=present
notify: Restart ssh
# - name: 'Change ssh port'
# lineinfile: dest=/etc/ssh/sshd_config
# regexp="^Port\s"
# line="Port {{ ubuntu_common_ssh_port }}"
# state=present
# notify: Restart ssh
handlers:
- name: Restart ssh
service: name=ssh state=restarted
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment