infra/ansible/playbooks/secure-ssh-user.yml

55 lines
1.4 KiB
YAML
Raw Normal View History

2024-07-29 06:37:44 +00:00
# This playbook is to be executed when first setting up
# the machine so we'll have to login as root, but in doing so
# we'll setup a user which can use sudo and use pem based authentication
# this should remove the ability to login as root with a janky password
---
- hosts: webhost
remote_user: root
tasks:
- name: Ensure sudo is available
apt:
state: present
update_cache: true
pkg:
- sudo
- zsh
- name: Create webadmin user
user:
name: webadmin
state: present
shell: /bin/zsh
groups:
- nginx
append: yes
- name: webadmin key copy
authorized_key:
user: webadmin
state: present
key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
- name: Add webadmin to sudoers
copy:
dest: "/etc/sudoers.d/webadmin"
content: "webadmin ALL=(ALL) NOPASSWD: ALL"
- name: Disable Password Authentication
lineinfile:
dest: /etc/ssh/sshd_config
line: PasswordAuthentication no
state: present
backup: yes
notify:
- restart ssh
- name: Disable root login
lineinfile:
dest: /etc/ssh/sshd_config
line: PermitRootLogin no
state: present
backup: yes
notify:
- restart ssh
handlers:
- name: restart ssh
service:
name: sshd
state: restarted