Renamed directory for lockdown Ansible playbook file

2024-05-12 17:38:45 -04:00
parent c6a30397ae
commit 4f77bd62e7
2 changed files with 204 additions and 0 deletions
--- a/playbooks/lockdown.yaml
+++ b/playbooks/lockdown.yaml
@@ -0,0 +1,204 @@
+- name: "create new ssh users"
+  hosts: ssh_servers
+  connection: ansible.builtin.ssh
+  remote_user: root
+  vars_prompt:
+    - name: root_password
+      prompt: "What is the password to the root account?"
+      private: true
+    - name: user_password
+      prompt: "What password would you like for regular user account?"
+      encrypt: sha256_crypt
+      confirm: true
+      private: true
+    # - name: wwwdata_password
+    #   prompt: "What password would you like for regular user account?"
+    #   encrypt: sha256_crypt
+    #   confirm: true
+    #   private: true
+    - name: web_domain
+      prompt: "What is the current or expected FQDN for the extant or planned web server?"
+      private: false
+      confirm: false
+  vars:
+    ansible_ssh_pass: "{{ root_password }}"
+  tasks:
+    - name: "creating system user"
+      ansible.builtin.user:
+        name: "www-data"
+        # password: wwwdata_password
+        create_home: true
+        home: "/srv/www"
+        shell: "/bin/bash"
+        state: present
+        update_password: always
+        comment: "webadmin"
+        system: true
+        uid: 100032
+    - name: "creating normal user"
+      ansible.builtin.user:
+        name: senpai
+        password: "{{ user_password }}"
+        create_home: true
+        shell: "/bin/bash"
+        state: present
+        update_password: always
+        comment: "sysadmin"
+        append: true
+        groups:
+          - "www-data"
+          - sudo #@TODO: conditionally change to "wheel"
+        system: false
+        uid: 1000
+    - name: "changing ownership of '/srv'"
+      ansible.builtin.file:
+        path: "/srv"
+        state: directory
+        recurse: no
+        owner: root
+        group: "www-data"
+    - name: "creating a webdev subdirectory for user www-data"
+      ansible.builtin.file:
+        path: "/srv/www"
+        state: directory
+        recurse: no
+        owner: senpai
+        group: "www-data"
+        mode: "u=rwx,g=rx,o=rx"
+    - name: "creating a subdirectory for FQDN"
+      ansible.builtin.file:
+        path: "/srv/www/{{ web_domain }}"
+        state: directory
+        recurse: no
+        owner: senpai
+        group: "www-data"
+        mode: "u=rwx,g=rx,o=rx"
+- name: "create local ssh public keys for remote user"
+  hosts: local_ssh
+  connection: ansible.builtin.ssh
+  vars_prompt:
+    - name: local_user
+      prompt: "As what local user will you log in?"
+      private: false
+    - name: local_pass
+      prompt: "Enter password for this local user "
+      private: true
+    - name: need_keypair
+      prompt: "Do you need a new ssh keypair?"
+      private: false
+    - name: desire_smartcard
+      prompt: "Do you wish to use a smartcard or security key?"
+      private: false
+  remote_user: "{{ local_user }}"
+  vars:
+    ansible_ssh_pass: "{{ local_pass }}"
+  tasks:
+    - name: "creating hardware key or smartcard based ssh keypair"
+      #@TODO: for below property, ssh shell command to create 
+      # hardware key based keypair
+      ansible.builtin.shell: ""
+      when: need_keypair and desire_smartcard
+    - name: "creating ssh keypair"
+      #@TODO: for below property's value, write ssh keypair 
+      # creation command
+      ansible.builtin.shell: ""
+      when: need_keypair and not desire_smartcard
+- name: "send local ssh public keys to remote user"
+  hosts: local_ssh
+  connection: ansible.builtin.ssh
+  vars_prompt:
+    - name: local_user
+      prompt: "As what local user will you log in?"
+      private: false
+    - name: local_pass
+      prompt: "Enter password for this local user "
+      private: true
+    - name: local_pubkey
+      prompt: "Enter public key ssh keypair path "
+      private: false
+  remote_user: "{{ local_user }}"
+  vars:
+    ansible_ssh_pass: "{{ local_pass }}"
+    target_user1: senpai
+    target_user2: www-data
+  tasks:
+    - name: "sending public key to remote ssh server"
+      #@TODO: for below property's value, write ssh pubkey 
+      # sending command
+      ansible.builtin.shell: ""
+      when: local_pubkey
+- name: "set up sftp for new users"
+  hosts: ssh_servers
+  connection: ansible.builtin.ssh
+  remote_user: root
+  vars_prompt:
+    - name: root_password
+      prompt: "What is the password to the root account?"
+      private: true
+  vars:
+    ansible_ssh_pass: "{{ root_password }}"
+    ssh_ftp_file: "/etc/ssh/sshd_config.d/ftp.conf"
+    ssh_ftp_config: "Match User senpai,www-data\n
+             PasswordAuthentication no\n
+             PubkeyAuthentication yes\n
+             AllowAgentForwarding no\n
+             AllowTcpForwarding no\n
+             X11Forwarding no\n\n
+      Match User www-data\n
+             ChrootDirectory /srv/www\n
+             AuthorizedKeysFile /srv/.ssh_wwwdata/authorized_keys\n\n
+      Match User senpai\n
+             ForceCommand internal-sftp -d /srv/www/{{ web_domain }}\n
+             AuthorizedKeysFile /home/senpai/.ssh/authorized_keys\n\n"
+  tasks:
+    - name: "adding file for sftp configuration"
+      ansible.builtin.file:
+        path: "{{ ssh_ftp_file }}"
+        state: touch
+        owner: root
+        group: root
+        mode: "u=rw,g=r,o=r"
+    - name: "configuring sftp"
+      ansible.builtin.shell: 'printf "{{ ssh_ftp_config }}" >> {{ ssh_ftp_file }}'
+    - name: "adding requisite authorized keys directory for www-data"
+      ansible.builtin.file:
+        path: "/srv/.ssh_wwwdata"
+        state: directory
+        recurse: yes
+        owner: www-data
+        group: www-data
+        mode: "0700"
+    - name: "adding requisite authorized keys file for www-data"
+      ansible.builtin.file:
+        path: "/srv/.ssh_wwwdata/authorized_keys"
+        state: touch
+        recurse: yes
+        owner: www-data
+        group: www-data
+        mode: "0600"
+- name: "disable non-key-based and root authentication for ssh"
+  hosts: ssh_servers
+  connection: ansible.builtin.ssh
+  remote_user: root
+  vars_prompt:
+    - name: root_password
+      prompt: "What is the password to the root account?"
+      private: true
+  vars:
+    ansible_ssh_pass: "{{ root_password }}"
+    ssh_auth_file: "/etc/ssh/sshd_config.d/auth.conf"
+    ssh_no_root: "/etc/ssh/sshd_config.d/deny_root.conf"
+  tasks:
+    - name: "adding file for authentication restriction"
+      ansible.builtin.file:
+        path: "{{ ssh_auth_file }}"
+        state: touch
+        owner: root
+        group: root
+        mode: "u=rw,g=r,o=r"
+    - name: "disabling password authentication"
+      ansible.builtin.shell: 'printf "PasswordAuthentication no\n" >> {{ ssh_auth_file }}'
+    - name: "disabling empty password usage"
+      ansible.builtin.shell: 'printf "PermitEmptyPasswords no\n" >> {{ ssh_auth_file }}'
+    - name: "disabling ssh root login"
+      ansible.builtin.shell: 'printf "PermitRootLogin no\n" > {{ ssh_no_root }}'
--- a/vps_man/lockdown.yaml
+++ b/vps_man/lockdown.yaml