From ff9315a5922980c11b13c25633cc2801fa9e44a3 Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Sun, 9 Mar 2025 16:36:38 -0400
Subject: [PATCH] Added gitignore to ignore Python environment files

---
 .gitignore | 1 +
 inventory.yaml | 24 -----
 playbooks/lockdown.yaml | 204 ----------------------------------------
 3 files changed, 1 insertion(+), 228 deletions(-)
 create mode 100644 .gitignore
 delete mode 100644 inventory.yaml
 delete mode 100644 playbooks/lockdown.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2561e3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env/
\ No newline at end of file
diff --git a/inventory.yaml b/inventory.yaml
deleted file mode 100644
index c335694..0000000
--- a/inventory.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-webservers:
- hosts:
- # {{ host_name }}:
- # ansible_host: {{ fqdn }}
- vars:
- # ansible_port: {{ port_num }}
-ssl_webservers:
- hosts:
- # {{ host_name }}:
- # ansible_host: {{ fqdn }}
- vars:
- # ansible_port: {{ port_num }}
-ssh_servers:
- hosts:
- # {{ host_name }}:
- # ansible_host: {{ fqdn }}
- vars:
- # ansible_port: {{ port_num }}
-local_ssh:
- hosts:
- # {{ host_name }}:
- # ansible_host: {{ fqdn }}
- vars:
- # ansible_port: {{ port_num }}
\ No newline at end of file
diff --git a/playbooks/lockdown.yaml b/playbooks/lockdown.yaml
deleted file mode 100644
index 4fb151f..0000000
--- a/playbooks/lockdown.yaml
+++ /dev/null
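Review bot: The new `.gitignore` pattern `.env/` matches only a directory named `.env`, so a plain `.env` file — the usual place for credentials and API keys in a Python project — would still be staged and committed; writing the entry as `.env` (no trailing slash) ignores both the virtual-environment directory and the dotenv file, and the conventional venv directory names `venv/` and `.venv/` are also absent. The file is committed without a trailing newline (see the `\ No newline at end of file` marker), which is worth fixing before further entries are appended. The subject line describes only the gitignore addition, while the patch also deletes `inventory.yaml` and `playbooks/lockdown.yaml`; if those removals are intended, the commit message should record that so the history explains why the playbook disappeared.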
@@ -1,204 +0,0 @@ -- name: "create new ssh users" - hosts: ssh_servers - connection: ansible.builtin.ssh - remote_user: root - vars_prompt: - - name: root_password - prompt: "What is the password to the root account?" - private: true - - name: user_password - prompt: "What password would you like for regular user account?" - encrypt: sha256_crypt - confirm: true - private: true - # - name: wwwdata_password - # prompt: "What password would you like for regular user account?" - # encrypt: sha256_crypt - # confirm: true - # private: true - - name: web_domain - prompt: "What is the current or expected FQDN for the extant or planned web server?" - private: false - confirm: false - vars: - ansible_ssh_pass: "{{ root_password }}" - tasks: - - name: "creating system user" - ansible.builtin.user: - name: "www-data" - # password: wwwdata_password - create_home: true - home: "/srv/www" - shell: "/bin/bash" - state: present - update_password: always - comment: "webadmin" - system: true - uid: 100032 - - name: "creating normal user" - ansible.builtin.user: - name: senpai - password: "{{ user_password }}" - create_home: true - shell: "/bin/bash" - state: present - update_password: always - comment: "sysadmin" - append: true - groups: - - "www-data" - - sudo #@TODO: conditionally change to "wheel" - system: false - uid: 1000 - - name: "changing ownership of '/srv'" - ansible.builtin.file: - path: "/srv" - state: directory - recurse: no - owner: root - group: "www-data" - - name: "creating a webdev subdirectory for user www-data" - ansible.builtin.file: - path: "/srv/www" - state: directory - recurse: no - owner: senpai - group: "www-data" - mode: "u=rwx,g=rx,o=rx" - - name: "creating a subdirectory for FQDN" - ansible.builtin.file: - path: "/srv/www/{{ web_domain }}" - state: directory - recurse: no - owner: senpai - group: "www-data" - mode: "u=rwx,g=rx,o=rx" -- name: "create local ssh public keys for remote user" - hosts: local_ssh - connection: ansible.builtin.ssh - 
vars_prompt: - - name: local_user - prompt: "As what local user will you log in?" - private: false - - name: local_pass - prompt: "Enter password for this local user " - private: true - - name: need_keypair - prompt: "Do you need a new ssh keypair?" - private: false - - name: desire_smartcard - prompt: "Do you wish to use a smartcard or security key?" - private: false - remote_user: "{{ local_user }}" - vars: - ansible_ssh_pass: "{{ local_pass }}" - tasks: - - name: "creating hardware key or smartcard based ssh keypair" - #@TODO: for below property, ssh shell command to create - # hardware key based keypair - ansible.builtin.shell: "" - when: need_keypair and desire_smartcard - - name: "creating ssh keypair" - #@TODO: for below property's value, write ssh keypair - # creation command - ansible.builtin.shell: "" - when: need_keypair and not desire_smartcard -- name: "send local ssh public keys to remote user" - hosts: local_ssh - connection: ansible.builtin.ssh - vars_prompt: - - name: local_user - prompt: "As what local user will you log in?" - private: false - - name: local_pass - prompt: "Enter password for this local user " - private: true - - name: local_pubkey - prompt: "Enter public key ssh keypair path " - private: false - remote_user: "{{ local_user }}" - vars: - ansible_ssh_pass: "{{ local_pass }}" - target_user1: senpai - target_user2: www-data - tasks: - - name: "sending public key to remote ssh server" - #@TODO: for below property's value, write ssh pubkey - # sending command - ansible.builtin.shell: "" - when: local_pubkey -- name: "set up sftp for new users" - hosts: ssh_servers - connection: ansible.builtin.ssh - remote_user: root - vars_prompt: - - name: root_password - prompt: "What is the password to the root account?" 
- private: true - vars: - ansible_ssh_pass: "{{ root_password }}" - ssh_ftp_file: "/etc/ssh/sshd_config.d/ftp.conf" - ssh_ftp_config: "Match User senpai,www-data\n - PasswordAuthentication no\n - PubkeyAuthentication yes\n - AllowAgentForwarding no\n - AllowTcpForwarding no\n - X11Forwarding no\n\n - Match User www-data\n - ChrootDirectory /srv/www\n - AuthorizedKeysFile /srv/.ssh_wwwdata/authorized_keys\n\n - Match User senpai\n - ForceCommand internal-sftp -d /srv/www/{{ web_domain }}\n - AuthorizedKeysFile /home/senpai/.ssh/authorized_keys\n\n" - tasks: - - name: "adding file for sftp configuration" - ansible.builtin.file: - path: "{{ ssh_ftp_file }}" - state: touch - owner: root - group: root - mode: "u=rw,g=r,o=r" - - name: "configuring sftp" - ansible.builtin.shell: 'printf "{{ ssh_ftp_config }}" >> {{ ssh_ftp_file }}' - - name: "adding requisite authorized keys directory for www-data" - ansible.builtin.file: - path: "/srv/.ssh_wwwdata" - state: directory - recurse: yes - owner: www-data - group: www-data - mode: "0700" - - name: "adding requisite authorized keys file for www-data" - ansible.builtin.file: - path: "/srv/.ssh_wwwdata/authorized_keys" - state: touch - recurse: yes - owner: www-data - group: www-data - mode: "0600" -- name: "disable non-key-based and root authentication for ssh" - hosts: ssh_servers - connection: ansible.builtin.ssh - remote_user: root - vars_prompt: - - name: root_password - prompt: "What is the password to the root account?" 
- private: true - vars: - ansible_ssh_pass: "{{ root_password }}" - ssh_auth_file: "/etc/ssh/sshd_config.d/auth.conf" - ssh_no_root: "/etc/ssh/sshd_config.d/deny_root.conf" - tasks: - - name: "adding file for authentication restriction" - ansible.builtin.file: - path: "{{ ssh_auth_file }}" - state: touch - owner: root - group: root - mode: "u=rw,g=r,o=r" - - name: "disabling ssh password authentication" - ansible.builtin.shell: 'printf "PasswordAuthentication no\n" >> {{ ssh_auth_file }}' - - name: "disabling ssh empty password usage" - ansible.builtin.shell: 'printf "PermitEmptyPasswords no\n" >> {{ ssh_auth_file }}' - - name: "disabling ssh root login" - ansible.builtin.shell: 'printf "PermitRootLogin no\n" > {{ ssh_no_root }}' \ No newline at end of file