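---
# Baseline hardening for a freshly provisioned Debian/Ubuntu host: root and
# admin credentials, required packages, sudo access, an ssh-user group, a
# single ed25519 host key, the admin's authorized keys and a managed
# sshd_config rendered from ../files/sshd_config (presumably the template
# uses SSH_PORT and the ssh-user group — confirm against that file).
#
# No `become` is set, so the play connects as root (it changes root's
# password first).
- hosts: hosts
  vars:
    # Placeholders: keep the real values out of version control, e.g. in an
    # ansible-vault encrypted vars file or a vars_prompt.
    ROOT_PASSWORD: '<un mot de passe vraiment long et dur>'
    ADMIN_USER: admin
    ADMIN_PASSWORD: '<un mot de passe vraiment long et dur>'
    # Public key files read on the control node via lookup('file', ...).
    SSH_KEYS:
      - ~/.ssh/id_ed25519.pub
    REQUIRED_PACKAGES:
      - sudo
      - fail2ban
      - unattended-upgrades
    OPTIONAL_PACKAGES:
      - vim
    # Not referenced by any task here; expected to be consumed by the
    # sshd_config template.
    SSH_PORT: 22001

  tasks:
    - name: Change root password
      # password_hash picks a fresh salt on every run, so this task reports
      # "changed" each time even when the password itself is unchanged.
      user:
        name: root
        password: "{{ ROOT_PASSWORD | password_hash('sha512') }}"
      no_log: true  # keep the hash (and the plaintext on failure) out of logs

    - name: Update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade APT to the latest packages
      apt:
        upgrade: safe

    # One apt transaction per list instead of one per package;
    # state=installed was a deprecated alias of present.
    - name: Install required packages
      apt:
        name: "{{ REQUIRED_PACKAGES }}"
        state: present

    - name: Install optional packages
      apt:
        name: "{{ OPTIONAL_PACKAGES }}"
        state: present

    - name: Creating user {{ ADMIN_USER }} with admin access
      # The account name was hard-coded as "admin" here while every other
      # task used ADMIN_USER; use the variable everywhere.
      user:
        name: "{{ ADMIN_USER }}"
        password: "{{ ADMIN_PASSWORD | password_hash('sha512') }}"
        groups: sudo
        append: true
        shell: /bin/bash
      no_log: true

    - name: Add {{ ADMIN_USER }} user to sudoers
      # The regexp is anchored: an unanchored "admin ALL" also matches a
      # "%admin ALL=(ALL) ALL" group line and lineinfile would replace it.
      # validate runs visudo on the candidate file so a malformed line never
      # reaches /etc/sudoers (which would break sudo for every account).
      lineinfile:
        dest: /etc/sudoers
        regexp: '^{{ ADMIN_USER }}\s+ALL'
        line: "{{ ADMIN_USER }} ALL=(ALL) ALL"
        state: present
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create group ssh-user
      group:
        name: ssh-user
        state: present

    - name: Add {{ ADMIN_USER }} user to ssh-user
      user:
        name: "{{ ADMIN_USER }}"
        groups: ssh-user
        append: true

    - name: Clean old ssh host keys
      # DSA/ECDSA/RSA host keys are removed. The ed25519 pair is no longer
      # deleted here, otherwise the host key was regenerated on every run and
      # every client saw a host-key mismatch afterwards. Remove
      # /etc/ssh/ssh_host_ed25519_key by hand to force a new key.
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ecdsa_key.pub
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_rsa_key.pub

    - name: Create new ssh host key
      command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
      args:
        creates: /etc/ssh/ssh_host_ed25519_key  # idempotent: only when absent

    - name: Create footprint of ssh host key
      # Read-only: capture the fingerprint instead of discarding the output.
      command: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
      register: host_key_fingerprint
      changed_when: false

    - name: Show footprint of ssh host key
      # Record it out-of-band so the first connection can be verified.
      debug:
        msg: "{{ host_key_fingerprint.stdout }}"

    - name: Add authorized keys for user {{ ADMIN_USER }}
      authorized_key:
        user: "{{ ADMIN_USER }}"
        key: "{{ lookup('file', item) }}"
      loop: "{{ SSH_KEYS }}"

    - name: Change ssh config file
      # mode 0644 replaces the original group-writable 664. validate runs
      # sshd in test mode on the rendered file, so a broken config is never
      # installed and the restart below cannot lock out the operator.
      template:
        src: ../files/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted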