sukaato-ansible/.ansible/roles/lockdown/tasks/main.yml

# SPDX-License-Identifier: MIT-0
---
# tasks file for lockdown
# @NOTE: assumes one logged in to SSH server as root to begin with, hence no need for privilege escalation
- name: Create users
  when: ansible_facts["user_id"] == "root"
  block:
    - name: Create sys-admin user
      ansible.builtin.user:
        name: "{{ create_users[0].username }}"
        uid: 1000
        password: "{{ create_users[0].password }}"
        append: yes
        groups:
          - sudo
        shell: /bin/bash
        generate_ssh_key: yes
        password_expire_min: 93
        password_expire_max: 186
        password_expire_warn: 45
        comment: sysadmin
        # ssh_key_passphrase: "{{ item.password }}"
        state: present
      tags:
        - default
        - administrative_user
      register: created_admin
    - name: Create new user
      ansible.builtin.user:
        name: "{{ item.username }}"
        uid: 1000
        password: "{{ item.password }}"
        append: yes
        shell: /bin/bash
        generate_ssh_key: yes
        password_expire_min: 93
        password_expire_max: 186
        password_expire_warn: 45
        comment: administrator
        # ssh_key_passphrase: "{{ item.password }}"
        state: present
      loop: "{{ create_users[1:] }}"
      tags:
        - other_users
      register: created_users
- name: Specify authorized SSH keys for users based on local public keys
  when: not files_mode and ansible_facts["user_id"] == "root"
  block:
    - name: Acquire list of SSH public keys for sys-admin user
      delegate_to: "{{ ssh_keypairs_origin_host }}"
      ansible.builtin.find:
        paths: "{{ lookup('env', 'HOME') }}/.ssh"
        patterns:
          - '{{ ssh_pubkey_filename_pattern }}'
        use_regex: yes
        recurse: no
      tags:
        - default
        - administrative_user
        - admin_ssh
      register: ssh_public_keys
    - name: Acquire contents of SSH public keys for sys-admin user
      delegate_to: "{{ ssh_keypairs_origin_host }}"
      ansible.builtin.command:
        argv:
          - cat
          - "{{ item.path }}"
      loop: "{{ ssh_public_keys.files }}"
      register: ssh_public_keys_contents
    - name: Register SSH public keys as sys-admin user's authorized keys
      ansible.builtin.lineinfile:
        path: "{{ created_admin.home }}/.ssh/authorized_keys"
        line: "{{ item }}"
        owner: "{{ created_admin.name }}"
        group: "{{ created_admin.name }}"
        mode: "0600"
        create: yes
        insertafter: EOF
        state: present
      tags:
        - default
        - administrative_user
        - admin_ssh
      loop: "{{ ssh_public_keys_contents.results }}"
    - name: Register SSH public keys as other users' authorized keys
      ansible.builtin.copy:
        src: "ssh/{{ item.name }}/authorized_keys"
        dest: "{{ item.home }}/.ssh/authorized_keys"
        force: yes
        backup: yes
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
        state: present
      tags:
        - other_users
        - others_ssh
      loop: "{{ created_users.results }}"
      register: authorized_ssh_pubkeys
- name: Specify authorized SSH keys for users
  when: files_mode and ansible_facts["user_id"] == "root"
  block:
    - name: Specify authorized keys file for sys-admin user
      ansible.builtin.copy:
        src: ssh/authorized_keys
        dest: "{{ created_admin.home }}/.ssh/authorized_keys"
        force: yes
        backup: yes
        owner: "{{ created_admin.name }}"
        group: "{{ created_admin.name }}"
        mode: "0600"
        state: present
      tags:
        - default
        - administrative_user
        - admin_ssh
      register: authorized_admin_ssh_pubkeys
    - name: Specify authorized keys file for other users
      ansible.builtin.copy:
        src: "ssh/{{ item.name }}/authorized_keys"
        dest: "{{ item.home }}/.ssh/authorized_keys"
        force: yes
        backup: yes
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
      tags:
        - other_users
        - others_ssh
      loop: "{{ created_users.results }}"
      register: authorized_ssh_pubkeys
- name: Lock down root SSH access
  when: ansible_facts["user_id"] == "root"
  block:
    - name: Constrain SSH authentication methods to using SSH key
      ansible.builtin.copy:
        src: sshd_config.d/auth.conf
        dest: /etc/ssh/sshd_config.d/auth.conf
        force: yes
        backup: yes
        owner: root
        group: root
        mode: "0644"
        state: present
      tags:
        - depass_root
      register: constrained_auth
    - name: Prohibit access to root via SSH
      ansible.builtin.copy:
        src: sshd_config.d/denyroot.conf
        dest: /etc/ssh/sshd_config.d/denyroot.conf
        force: yes
        backup: yes
        owner: root
        group: root
        mode: "0644"
        state: present
      tags:
        - prohib_root_ssh
      register: prohibited_root_ssh_login
    - name: Lock the root account
      when: include_root_lock
      ansible.builtin.user:
        name: root
        password_lock: yes
      tags:
        - delog_root
      register: prohibited_root_login
  tags:
    - default
    - deroot
  notify: "restart ssh"