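# Bootstrap playbook for a freshly provisioned host.
#
# On first run the only account is root, so we connect as root and use that
# session to create a "webadmin" user with key-only SSH access and sudo
# rights, then turn off password logins and root logins over SSH.
#
# First run (as root):   ansible-playbook -i inventory this.yml
# Later runs must connect as the new user, because root login is disabled
# after the first pass: ansible-playbook -i inventory this.yml -e initial_user=webadmin
#
# Lock-out safety: every sshd_config edit is checked with `sshd -t` before it
# is written, and sshd is only restarted by the handler at the end of the
# play, after the key has been installed. If a task fails, the handler does
# not run, so the config is not activated and root login still works.
---
- hosts: webhost
  # root on the first run; override with -e initial_user=webadmin afterwards.
  remote_user: "{{ initial_user | default('root') }}"

  tasks:
    - name: Ensure sudo and zsh are installed
      apt:
        state: present
        update_cache: true
        pkg:
          - sudo
          - zsh

    - name: Create webadmin user
      # NOTE(review): the user module fails if the "nginx" group does not
      # exist yet, and nothing in this play installs nginx — confirm it is
      # provisioned before this runs on a fresh machine.
      user:
        name: webadmin
        state: present
        shell: /bin/zsh
        groups:
          - nginx
        append: true

    - name: Install webadmin SSH public key
      # The public key is read from the controller's filesystem, not the target.
      authorized_key:
        user: webadmin
        state: present
        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"

    - name: Add webadmin to sudoers
      # NOPASSWD is deliberate: webadmin has no password, only an SSH key, so
      # a password prompt would make sudo unusable. It does make possession of
      # the private key equivalent to root — protect the key accordingly.
      # sudo ignores sudoers.d files that are not root-owned or are
      # world-writable, and older versions reject a file without a trailing
      # newline; `visudo -c` rejects a broken file before it can lock
      # everyone out of sudo.
      copy:
        dest: /etc/sudoers.d/webadmin
        content: "webadmin ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Harden sshd_config
      # regexp matters: sshd honours the FIRST occurrence of a directive, so
      # appending "PasswordAuthentication no" below a stock
      # "PasswordAuthentication yes" would be silently ignored. Replace the
      # existing (possibly commented-out) line instead of appending.
      # ChallengeResponseAuthentication closes the keyboard-interactive/PAM
      # password path that PasswordAuthentication alone leaves open; it is
      # used rather than KbdInteractiveAuthentication because OpenSSH < 8.7
      # does not know the newer name and `sshd -t` would reject it.
      # NOTE(review): files under /etc/ssh/sshd_config.d/ (e.g. cloud-init's)
      # are Included at the top and win over these lines, and an active
      # "Match" block at the end of the file would scope an appended line —
      # check both on the target image.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        backup: true
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
      notify:
        - restart ssh

  handlers:
    - name: restart ssh
      # Debian/Ubuntu (the apt targets of this play) name the unit "ssh";
      # "sshd" only resolves there through an alias that is not always
      # installed.
      service:
        name: ssh
        state: restarted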