Diffstat (limited to 'playbooks/bootstrap.yaml')
| -rw-r--r-- | playbooks/bootstrap.yaml | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/playbooks/bootstrap.yaml b/playbooks/bootstrap.yaml
new file mode 100644
index 0000000..73da248
--- /dev/null
+++ b/playbooks/bootstrap.yaml
@@ -0,0 +1,76 @@
+- name: Bootstrap host access
+ hosts: hollyhock
+ become: "{{ ansible_user != 'root' }}"
+ tasks:
+ - name: Configure ssh hardening
+ ansible.builtin.template:
+ src: sshd_hardening.conf.j2
+ dest: /etc/ssh/sshd_config.d/99-hardening.conf
+ mode: "0644"
+ backup: true
+ validate: /usr/sbin/sshd -t -f %s
+ notify: Restart ssh
+
+ - name: Configure ssh socket port
+ ansible.builtin.template:
+ src: ssh.socket.conf.j2
+ dest: /etc/systemd/system/ssh.socket.d/10-listen.conf
+ mode: "0644"
+ backup: true
+ notify: Restart ssh
+
+ - name: Create groups
+ ansible.builtin.group:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - "{{ admin_group }}"
+ - "{{ automation_group }}"
+ - "{{ deploy_group }}"
+
+ - name: Create users
+ ansible.builtin.user:
+ name: "{{ item.user }}"
+ password: "{{ item.password | password_hash('sha512') }}"
+ update_password: on_create
+ groups: "{{ item.groups }}"
+ shell: /bin/bash
+ create_home: true
+ loop:
+ - user: "{{ admin_user }}"
+ password: "{{ admin_password }}"
+ groups: "{{ admin_group }},sudo"
+ - user: "{{ automation_user }}"
+ password: "{{ automation_password }}"
+ groups: "{{ automation_group }},sudo"
+ - user: "{{ deploy_user }}"
+ password: "{{ deploy_password }}"
+ groups: "{{ deploy_group }}"
+ no_log: true
+
+ - name: Add ssh keys
+ ansible.posix.authorized_key:
+ user: "{{ item }}"
+ state: present
+ key: "{{ ssh_key }}"
+ loop:
+ - "{{ admin_user }}"
+ - "{{ automation_user }}"
+ - "{{ deploy_user }}"
+
+ - name: Apply ssh changes
+ ansible.builtin.meta: flush_handlers
+
+ handlers:
+ - name: Restart ssh socket
+ ansible.builtin.systemd:
+ name: ssh.socket
+ state: restarted
+ daemon_reload: true
+ listen: Restart ssh
+
+ - name: Restart ssh service
+ ansible.builtin.systemd:
+ name: ssh
+ state: restarted
+ listen: Restart ssh |
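Review bot: The "Add ssh keys" task installs the same `ssh_key` on the admin, automation and deploy accounts, two of which are also placed in `sudo` by "Create users", so a single private key compromise yields every role on the host and there is no way to revoke one account's access without rotating all three. Carrying the key per loop item, `key: "{{ item.key }}"` with `user`/`key` pairs in the loop (variable names to be chosen alongside the existing `admin_user`-style vars), keeps the blast radius to one account. In "Create users", `groups:` is set without `append: true`, which the user module treats as the exact supplementary-group set, so re-running against an account that was later added to other groups silently strips them; if that enforcement is intended, a comment such as `# groups is authoritative: re-runs remove memberships not listed here` would document it. The socket port change is only applied by the `flush_handlers` at the end, after keys are installed, which looks deliberate, but presumably any later play in the same run needs `ansible_port` updated to the new value — worth a note on the task.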
