Privileges are important

This commit is contained in:
citty 2021-10-15 21:28:33 -04:00
parent 7b9d345ed8
commit 5894376128


@ -7,7 +7,8 @@
- name: Backup ssh config - name: Backup ssh config
fetch: fetch:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
dest: "{{ inventory_hostname }}" dest: "{{ inventory_hostname }}"
become: yes
- name: Backup os-release - name: Backup os-release
fetch: fetch:
@ -31,7 +32,8 @@
state: present state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes exclusive: yes
become: yes become: yes
- name: Give all users exclusively the current controller user's SSH key - name: Give all users exclusively the current controller user's SSH key
ansible.posix.authorized_key: ansible.posix.authorized_key:
@ -39,46 +41,47 @@
state: present state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes exclusive: yes
become: yes become: yes
loop: "{{ users_list.users }}" loop: "{{ users_list.users }}"
- name: Ensure UFW is installed - block:
package: - name: Ensure UFW is installed
name: ufw package:
state: present name: ufw
state: present
- name: Configure ufw defaults - name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }} ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items: with_items:
- { direction: 'incoming', policy: 'deny' } - { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' } - { direction: 'outgoing', policy: 'allow' }
notify: notify:
- restart ufw - restart ufw
- name: Configure ufw rules - name: Configure ufw rules
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }} ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items: with_items:
- { rule: 'limit', port: '22', proto: 'tcp' } - { rule: 'limit', port: '22', proto: 'tcp' }
notify: notify:
- restart ufw - restart ufw
- name: Enable ufw logging - name: Enable ufw logging
ufw: logging=on ufw: logging=on
notify: notify:
- restart ufw - restart ufw
- name: Enable ufw - name: Enable ufw
ufw: state=enabled ufw: state=enabled
- name: Change root password - name: Change root password
user: user:
name: root name: root
shell: /bin/bash shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}" password: "{{ genPass.stdout | password_hash('sha512') }}"
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"
become: yes
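Review bot: The `become: yes` added as the last new line of the third hunk is ambiguous in this rendering because the indentation is lost, so it is unclear whether it is attached to the new `- block:` (covering the UFW tasks, the root password change and the admin password change) or only to the final "Change admin password" task; if it is the latter, the ufw and root `user:` tasks inside the block still run unprivileged and will fail on a non-root `ansible_user`. I would place the escalation at block level, right after the last task of the block, as `become: true` so the intent is unambiguous, and use `true` rather than `yes` to match the yamllint truthy convention. The two `user:` tasks that set `password:` from `genPass.stdout` also have no `no_log`; adding `no_log: true` to "Change root password" and "Change admin password" keeps the generated password hash out of verbose task output and callback logs. The block's first task "Ensure UFW is installed" starts inside the hunk, but the `genPass` registration it depends on is outside this view, so I cannot confirm it is set before the block runs.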