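# This playbook is to be executed when first setting up
# the machine so we'll have to login as root, but in doing so
# we'll setup a user which can use sudo and use pem based authentication
# this should remove the ability to login as root with a janky password
#
# Order matters: sudo access and the key for webadmin are put in place and
# validated BEFORE root login and password auth are switched off, otherwise a
# failure halfway through leaves the host with no usable admin account.
---
- hosts: webhost
  remote_user: root
  tasks:
    - name: Ensure sudo is available
      apt:
        state: present
        update_cache: true
        name:
          - sudo
          - zsh

    - name: Create webadmin user
      user:
        name: webadmin
        state: present
        shell: /bin/zsh
        # assumes the nginx group already exists on the host (the module
        # fails otherwise) -- TODO confirm nginx is installed before this play
        groups:
          - nginx
        append: true

    - name: webadmin key copy
      authorized_key:
        user: webadmin
        state: present
        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"

    - name: Add webadmin to sudoers
      copy:
        dest: "/etc/sudoers.d/webadmin"
        # Block scalar keeps the trailing newline sudoers fragments expect.
        content: |
          webadmin ALL=(ALL) NOPASSWD: ALL
        # sudo ignores fragments that are not root-owned and 0440; with the
        # copy defaults the rule could be dropped silently and, once root
        # login is disabled below, nobody could become root any more.
        owner: root
        group: root
        mode: "0440"
        # Refuse to install a fragment visudo rejects, since a syntax error
        # in sudoers.d breaks sudo for every user on the host.
        validate: "/usr/sbin/visudo -cf %s"

    - name: Disable Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        # Replace an existing (possibly commented-out) directive rather than
        # appending a second copy: sshd honours the first occurrence it reads,
        # so an appended "no" would lose to an earlier "yes". A directive set
        # in an Include'd fragment that precedes this line would still win;
        # check /etc/ssh/sshd_config.d/ on images that ship one.
        regexp: '^#?PasswordAuthentication\s'
        line: PasswordAuthentication no
        state: present
        backup: true
        # Never restart sshd into a config it cannot parse.
        validate: "/usr/sbin/sshd -t -f %s"
      notify:
        - restart ssh

    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        # Same first-match rule as above: edit the existing directive in place.
        regexp: '^#?PermitRootLogin\s'
        line: PermitRootLogin no
        state: present
        backup: true
        validate: "/usr/sbin/sshd -t -f %s"
      notify:
        - restart ssh

  handlers:
    - name: restart ssh
      service:
        # NOTE(review): on Debian-family hosts (apt is used above) the unit is
        # "ssh"; "sshd" only works where that alias exists -- confirm on target.
        name: sshd
        state: restarted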