Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
five_minutes.yml
---
- hosts: all
vars:
UBUNTU_COMMON_ROOT_PASSWORD: 'xxxxx'
UBUNTU_COMMON_DEPLOY_PASSWORD: 'xxxxx'
UBUNTU_COMMON_LOGWATCH_EMAIL: user@example.com
ubuntu_common_deploy_user_name: deploy
ubuntu_common_deploy_public_keys:
- ~/.ssh/id_rsa.pub
ubuntu_common_required_packages:
- ufw
- fail2ban
- unattended-upgrades
- logwatch
ubuntu_common_optional_packages:
- mosh
- vim
ubuntu_common_ssh_port: 22
ubuntu_common_mosh_from_port: 60000
ubuntu_common_mosh_to_port: 60010
tasks:
- name: Change root password
user: name=root password="{{ UBUNTU_COMMON_ROOT_PASSWORD }}"
- name: Add deploy user
user: name={{ ubuntu_common_deploy_user_name }} password="{{ UBUNTU_COMMON_DEPLOY_PASSWORD }}" shell=/bin/bash
- name: Add authorized keys for deploy user
authorized_key: user={{ ubuntu_common_deploy_user_name }} key="{{ lookup('file', item) }}"
with_items: ubuntu_common_deploy_public_keys
- name: Add deploy user to sudoers
lineinfile: dest=/etc/sudoers
regexp="{{ ubuntu_common_deploy_user_name }} ALL"
line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
state=present
- name: Update APT package cache
apt: update_cache=yes cache_valid_time=3600
- name: Upgrade APT to the latest packages
apt: upgrade=safe
- name: Install required packages
apt: state=installed pkg={{ item }}
with_items: ubuntu_common_required_packages
- name: Install optional packages
apt: state=installed pkg={{ item }}
with_items: ubuntu_common_optional_packages
- name: Adjust APT update intervals
copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic
- name: Setup ufw
ufw: state=enabled policy=deny
- name: Allow ssh traffic
ufw: rule=allow port={{ ubuntu_common_ssh_port }} proto=tcp
- name: Allow mosh traffic
ufw: rule=allow proto=udp port={{ ubuntu_common_mosh_from_port }}:{{ ubuntu_common_mosh_to_port }}
when: "'mosh' in ubuntu_common_optional_packages"
- name: Set up Postfix to relay mail
debconf: name=postfix
question='{{ item.question }}'
value='{{ item.value }}'
vtype='{{ item.vtype }}'
with_items:
- { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
- { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }
- name: Email log summary daily
lineinfile: dest=/etc/cron.daily/00logwatch
regexp="^/usr/sbin/logwatch"
line="/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
state=present create=yes
- name: Change ssh port
lineinfile: dest=/etc/ssh/sshd_config
regexp="^Port\s"
line="Port {{ ubuntu_common_ssh_port }}"
state=present
notify: Restart ssh
- name: Disallow password authentication
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
notify: Restart ssh
- name: Disallow root SSH access
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin no"
state=present
notify: Restart ssh
handlers:
- name: Restart ssh
service: name=ssh state=restarted
@numediaweb

This comment has been minimized.

Copy link

@numediaweb numediaweb commented Oct 3, 2017

The lookup for ~/.ssh/id_rsa.pub is not working :(
According to the docs of Ansible: Lookups are executed with a cwd relative to the role or play, as opposed to local tasks which are executed with the cwd of the executed script.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment