--- - name: Generate password delegate_to: localhost shell: bash autopassword.sh {{ inventory_hostname }} register: genPass - name: Backup ssh config fetch: src: /etc/ssh/sshd_config dest: "{{ inventory_hostname }}" - name: Backup os-release fetch: src: /etc/os-release dest: "{{ inventory_hostname }}" - name: Backup etc/passwd fetch: src: /etc/passwd dest: "{{ inventory_hostname }}" - name: Get users get_users: min_uid: "{{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}" max_uid: 65000 register: users_list - name: Give root exclusively the current controller user's SSH key ansible.posix.authorized_key: user: root state: present key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" exclusive: yes become: yes - name: Give all users exclusively the current controller user's SSH key ansible.posix.authorized_key: user: "{{item}}" state: present key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" exclusive: yes become: yes loop: "{{ users_list.users }}" - name: Ensure UFW is installed package: name: ufw state: present - name: Configure ufw defaults ufw: direction={{ item.direction }} policy={{ item.policy }} with_items: - { direction: 'incoming', policy: 'deny' } - { direction: 'outgoing', policy: 'allow' } notify: - restart ufw - name: Configure ufw rules ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }} with_items: - { rule: 'limit', port: '22', proto: 'tcp' } notify: - restart ufw - name: Enable ufw logging ufw: logging=on notify: - restart ufw - name: Enable ufw ufw: state=enabled - name: Change root password user: name: root shell: /bin/bash password: "{{ genPass.stdout | password_hash('sha512') }}" - name: Change admin password user: name: "{{ ansible_user }}" shell: /bin/bash password: "{{ genPass.stdout | password_hash('sha512') }}"