roswaal/roles/immortal/tasks/main.yml

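---
# Tasks for the "immortal" role.
#
# In order: copy a few host files back to the controller, make the controller
# user's SSH public key the ONLY authorized key for root and for every account
# returned by get_users, install and enable ufw with a deny-incoming default,
# and set the root and admin passwords from the `password` variable.
#
# `password` is not defined anywhere in this file: the on-controller generation
# step below is disabled, so the caller must supply it (inventory, extra-vars,
# or a vault file).
#
# - name: Generate password
#   delegate_to: localhost
#   shell: bash autopassword.sh {{ inventory_hostname }}
#   register: genPass

# fetch writes to dest/<inventory_hostname>/<src path> on the controller, so
# each of these lands in a per-host directory.
- name: Backup ssh config
  fetch:
    src: /etc/ssh/sshd_config
    dest: "{{ inventory_hostname }}"
  become: true

- name: Backup os-release
  fetch:
    src: /etc/os-release
    dest: "{{ inventory_hostname }}"

- name: Backup etc/passwd
  fetch:
    src: /etc/passwd
    dest: "{{ inventory_hostname }}"

# get_users is not a core module; presumably a library/ module of this
# repository that returns `users`, a list of mappings with a `name` key.
- name: Get users
  get_users:
    # min_uid: "{{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}"
    min_uid: 1000
    max_uid: 65000
  register: users_list

# exclusive: true removes every other key from root's authorized_keys; anyone
# relying on a different key loses access once this task runs.
- name: Give root exclusively the current controller user's SSH key
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
    exclusive: true
  become: true

# Same key replacement for each account in the uid range above.
- name: Give all users exclusively the current controller user's SSH key
  ansible.posix.authorized_key:
    user: "{{item['name']}}"
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
    exclusive: true
  become: true
  loop: "{{ users_list.users }}"

# Everything below runs with become; the `become: true` at the end of the
# block applies to every task in it.
- name: Firewall setup and password rotation
  block:
    - name: Ensure EPEL if RHEL based
      yum:
        name: epel-release
        state: present
      when: ansible_os_family == "RedHat"

    - name: Ensure UFW is installed
      package:
        name: ufw
        state: present

    # Module arguments are given in block form rather than "k=v" strings so the
    # YAML parser, not the module, validates them.
    - name: Configure ufw defaults
      ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: 'incoming', policy: 'deny' }
        - { direction: 'outgoing', policy: 'allow' }
      notify:
        - restart ufw

    # Only SSH is opened, rate-limited; add further entries to the loop list.
    - name: Configure ufw rules
      ufw:
        rule: "{{ item.rule }}"
        port: "{{ item.port }}"
        proto: "{{ item.proto }}"
      loop:
        - { rule: 'limit', port: '22', proto: 'tcp' }
      notify:
        - restart ufw

    # "on" must stay quoted: an unquoted on is a YAML 1.1 boolean, and the
    # module expects the string.
    - name: Enable ufw logging
      ufw:
        logging: "on"
      notify:
        - restart ufw

    - name: Enable ufw
      ufw:
        state: enabled

    # password_hash without a fixed salt presumably yields a different hash on
    # each run, so these two tasks will likely report "changed" every time.
    - name: Change root password
      user:
        name: root
        shell: /bin/bash
        password: "{{ password | password_hash('sha512') }}"

    - name: Change admin password
      user:
        name: "{{ ansible_user }}"
        shell: /bin/bash
        password: "{{ password | password_hash('sha512') }}"
  become: true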