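---
# Provisions a small key-only sftp web host in five plays:
#   1. "create new ssh users"   - service account www-data, admin account
#      senpai, and the /srv/www tree on the remote hosts (as root, password)
#   2. "create local ssh public keys ..." - local keypair creation (TODO)
#   3. "send local ssh public keys ..."   - local key distribution (TODO)
#   4. "set up sftp for new users"        - sshd Match blocks for both users
#   5. "disable non-key-based and root authentication for ssh"
# Plays 1, 4 and 5 log in as root with a password. After play 5 has run,
# password and root logins are refused by design, so re-running those plays
# needs a different remote_user/key.
#
# sshd fragments are written to /etc/ssh/sshd_config.d/; this relies on the
# `Include /etc/ssh/sshd_config.d/*.conf` line that distribution sshd_config
# files ship with OpenSSH 8.2+ -- verify it is present on the targets.
- name: "create new ssh users"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
    - name: user_password
      prompt: "What password would you like for regular user account?"
      # sha512_crypt is the glibc default; sha256_crypt (previous value)
      # is still accepted but weaker at the same cost.
      encrypt: sha512_crypt
      confirm: true
      private: true
    # - name: wwwdata_password
    #   prompt: "What password would you like for regular user account?"
    #   encrypt: sha512_crypt
    #   confirm: true
    #   private: true
    - name: web_domain
      prompt: "What is the current or expected FQDN for the extant or planned web server?"
      private: false
      confirm: false
  vars:
    ansible_ssh_pass: "{{ root_password }}"
  tasks:
    # www-data gets no password (commented out) and is later restricted to
    # internal-sftp, so the shell setting is effectively unused.
    - name: "creating system user"
      ansible.builtin.user:
        name: "www-data"
        # password: wwwdata_password
        create_home: true
        home: "/srv/www"
        shell: "/bin/bash"
        state: present
        update_password: always
        comment: "webadmin"
        system: true
        uid: 100032

    - name: "creating normal user"
      ansible.builtin.user:
        name: senpai
        password: "{{ user_password }}"
        create_home: true
        shell: "/bin/bash"
        state: present
        update_password: always
        comment: "sysadmin"
        append: true
        groups:
          - "www-data"
          - sudo  # @TODO: conditionally change to "wheel"
        system: false
        uid: 1000

    - name: "changing ownership of '/srv'"
      ansible.builtin.file:
        path: "/srv"
        state: directory
        recurse: false
        owner: root
        group: "www-data"

    # /srv/www is the ChrootDirectory for www-data (play "set up sftp for
    # new users"). sshd refuses to chroot into a directory unless it and
    # every parent are root-owned and not writable by any other user or
    # group, so the web root is root:www-data 0755; senpai owns the
    # per-FQDN subdirectory below it instead.
    - name: "creating a webdev subdirectory for user www-data"
      ansible.builtin.file:
        path: "/srv/www"
        state: directory
        recurse: false
        owner: root
        group: "www-data"
        mode: "u=rwx,g=rx,o=rx"

    - name: "creating a subdirectory for FQDN"
      ansible.builtin.file:
        path: "/srv/www/{{ web_domain }}"
        state: directory
        recurse: false
        owner: senpai
        group: "www-data"
        mode: "u=rwx,g=rx,o=rx"

- name: "create local ssh public keys for remote user"
  hosts: local_ssh
  connection: ansible.builtin.ssh
  vars_prompt:
    - name: local_user
      prompt: "As what local user will you log in?"
      private: false
    - name: local_pass
      prompt: "Enter password for this local user "
      private: true
    # Prompt answers are strings; a bare string in `when:` is truthy even
    # when the answer is "no", so the conditions below use `| bool`.
    # Answer yes/no (or true/false).
    - name: need_keypair
      prompt: "Do you need a new ssh keypair?"
      private: false
    - name: desire_smartcard
      prompt: "Do you wish to use a smartcard or security key?"
      private: false
  remote_user: "{{ local_user }}"
  vars:
    ansible_ssh_pass: "{{ local_pass }}"
  tasks:
    - name: "creating hardware key or smartcard based ssh keypair"
      # @TODO: for below property, ssh shell command to create
      # hardware key based keypair
      ansible.builtin.shell: ""
      when: (need_keypair | bool) and (desire_smartcard | bool)

    - name: "creating ssh keypair"
      # @TODO: for below property's value, write ssh keypair
      # creation command
      ansible.builtin.shell: ""
      when: (need_keypair | bool) and not (desire_smartcard | bool)

- name: "send local ssh public keys to remote user"
  hosts: local_ssh
  connection: ansible.builtin.ssh
  vars_prompt:
    - name: local_user
      prompt: "As what local user will you log in?"
      private: false
    - name: local_pass
      prompt: "Enter password for this local user "
      private: true
    - name: local_pubkey
      prompt: "Enter public key ssh keypair path "
      private: false
  remote_user: "{{ local_user }}"
  vars:
    ansible_ssh_pass: "{{ local_pass }}"
    # Not yet referenced by any task; intended recipients of the key.
    target_user1: senpai
    target_user2: www-data
  tasks:
    - name: "sending public key to remote ssh server"
      # @TODO: for below property's value, write ssh pubkey
      # sending command
      ansible.builtin.shell: ""
      # run only when a path was actually entered at the prompt
      when: local_pubkey | length > 0

- name: "set up sftp for new users"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
    # vars_prompt values are scoped to their play: the FQDN entered in
    # "create new ssh users" is not visible here and must be asked again,
    # otherwise ssh_ftp_config renders with an undefined web_domain.
    - name: web_domain
      prompt: "What is the current or expected FQDN for the extant or planned web server?"
      private: false
      confirm: false
  vars:
    ansible_ssh_pass: "{{ root_password }}"
    ssh_ftp_file: "/etc/ssh/sshd_config.d/ftp.conf"
    # Keep only Match blocks in this fragment: a Match block extends to the
    # next Match directive, so a global directive placed after one would
    # silently become conditional.
    # www-data: chrooted to /srv/www (root-owned, see play 1) and forced
    # into internal-sftp -- an external sftp-server binary or a shell is
    # not available inside the chroot.
    # senpai: no chroot; sftp starts in the FQDN directory it owns.
    ssh_ftp_config: |
      Match User senpai,www-data
        PasswordAuthentication no
        PubkeyAuthentication yes
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no

      Match User www-data
        ChrootDirectory /srv/www
        ForceCommand internal-sftp
        AuthorizedKeysFile /srv/.ssh_wwwdata/authorized_keys

      Match User senpai
        ForceCommand internal-sftp -d /srv/www/{{ web_domain }}
        AuthorizedKeysFile /home/senpai/.ssh/authorized_keys
  tasks:
    # copy with content replaces the former `printf ... >>` shell task: it
    # is idempotent (the old append duplicated the block on every run),
    # does not pass the config through a shell, and lets sshd syntax-check
    # the fragment before it is installed.
    - name: "configuring sftp"
      ansible.builtin.copy:
        content: "{{ ssh_ftp_config }}"
        dest: "{{ ssh_ftp_file }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: "reload sshd"

    # AuthorizedKeysFile is read before the chroot, so it may live outside
    # /srv/www; StrictModes still requires owner-only permissions.
    - name: "adding requisite authorized keys directory for www-data"
      ansible.builtin.file:
        path: "/srv/.ssh_wwwdata"
        state: directory
        recurse: true
        owner: www-data
        group: www-data
        mode: "0700"

    # `recurse` is only valid with state: directory; the file module errors
    # when it is combined with state: touch, so it is omitted here.
    - name: "adding requisite authorized keys file for www-data"
      ansible.builtin.file:
        path: "/srv/.ssh_wwwdata/authorized_keys"
        state: touch
        owner: www-data
        group: www-data
        mode: "0600"
  handlers:
    # Debian/Ubuntu ship ssh.service with Alias=sshd.service, so "sshd"
    # resolves on both Debian- and RHEL-family hosts; adjust if a target
    # lacks the alias.
    - name: "reload sshd"
      ansible.builtin.service:
        name: sshd
        state: reloaded

- name: "disable non-key-based and root authentication for ssh"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
  vars:
    ansible_ssh_pass: "{{ root_password }}"
    ssh_auth_file: "/etc/ssh/sshd_config.d/auth.conf"
    ssh_no_root: "/etc/ssh/sshd_config.d/deny_root.conf"
  tasks:
    # One idempotent write for both directives (the former two
    # `printf ... >>` tasks appended duplicate lines on every run).
    - name: "disabling password authentication"
      ansible.builtin.copy:
        content: |
          PasswordAuthentication no
          PermitEmptyPasswords no
        dest: "{{ ssh_auth_file }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: "reload sshd"

    # After this is applied, the root/password login used by this play
    # and by plays 1 and 4 is refused; later runs need a key-based user.
    - name: "disabling ssh root login"
      ansible.builtin.copy:
        content: |
          PermitRootLogin no
        dest: "{{ ssh_no_root }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: "reload sshd"
  handlers:
    - name: "reload sshd"
      ansible.builtin.service:
        name: sshd
        state: reloaded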