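---
# Play 1: bootstrap the two accounts the rest of this playbook relies on.
# Connects as root with a prompted password; the last play in this file
# disables exactly that path, so this play is the one-time entry point.
- name: "create new ssh users"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
    - name: user_password
      prompt: "What password would you like for regular user account?"
      # Hashed on the controller (needs passlib). sha512_crypt is the
      # stronger of the two glibc SHA-crypt schemes and the usual
      # /etc/shadow default, so prefer it over sha256_crypt.
      encrypt: sha512_crypt
      confirm: true
      private: true
    # - name: wwwdata_password
    #   prompt: "What password would you like for regular user account?"
    #   encrypt: sha256_crypt
    #   confirm: true
    #   private: true
    - name: web_domain
      prompt: "What is the current or expected FQDN for the extant or planned web server?"
      private: false
      confirm: false
  vars:
    ansible_ssh_pass: "{{ root_password }}"
  tasks:
    # web_domain becomes a path component below; an empty answer would make
    # the FQDN task operate on /srv/www itself and a "/" or ".." answer would
    # escape the intended tree. Fail early instead.
    - name: "validating the prompted FQDN before it is used as a path component"
      ansible.builtin.assert:
        that:
          - "web_domain | length > 0"
          - "'/' not in web_domain"
          - "web_domain != '.' and web_domain != '..'"
        fail_msg: "web_domain must be a single, non-empty path component (no '/', '.' or '..')"

    # NOTE(review): on Debian-family systems an account named www-data
    # already exists (uid 33, home /var/www, no login shell); this task would
    # then re-number and re-home the distribution's web server account.
    # Confirm the target hosts do not ship one, or pick a distinct name.
    - name: "creating system user"
      ansible.builtin.user:
        name: "www-data"
        # password: wwwdata_password
        create_home: true
        home: "/srv/www"
        shell: "/bin/bash"
        state: present
        # No-op while no password is supplied; kept so the commented-out
        # prompt above can be re-enabled without further changes.
        update_password: always
        comment: "webadmin"
        system: true
        uid: 100032

    - name: "creating normal user"
      ansible.builtin.user:
        name: senpai
        password: "{{ user_password }}"
        create_home: true
        shell: "/bin/bash"
        state: present
        update_password: always
        comment: "sysadmin"
        append: true
        groups:
          - "www-data"
          - sudo  # @TODO: conditionally change to "wheel"
        system: false
        uid: 1000

    - name: "changing ownership of '/srv'"
      ansible.builtin.file:
        path: "/srv"
        state: directory
        recurse: false
        owner: root
        group: "www-data"

    # The sftp play sets "ChrootDirectory /srv/www" for www-data. sshd only
    # accepts a chroot whose every path component is root-owned and not
    # writable by group/other (sshd_config(5)); a senpai-owned /srv/www is
    # refused with "bad ownership or modes for chroot directory". senpai keeps
    # write access through the FQDN subdirectory created below.
    - name: "creating a webdev subdirectory for user www-data"
      ansible.builtin.file:
        path: "/srv/www"
        state: directory
        recurse: false
        owner: root
        group: "www-data"
        mode: "u=rwx,g=rx,o=rx"

    # senpai's sftp session (forced in the sftp play) is started in this
    # directory; www-data, chrooted one level up, can read but not write it.
    - name: "creating a subdirectory for FQDN"
      ansible.builtin.file:
        path: "/srv/www/{{ web_domain }}"
        state: directory
        recurse: false
        owner: senpai
        group: "www-data"
        mode: "u=rwx,g=rx,o=rx"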
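# Play 2: generate the client-side keypair on the "local_ssh" host. Both
# key-creation commands are still TODO placeholders; an empty shell command
# fails at runtime, so until they are filled in this play can only pass when
# the prompts answer "no".
- name: "create local ssh public keys for remote user"
  hosts: local_ssh
  connection: ansible.builtin.ssh
  vars_prompt:
    - name: local_user
      prompt: "As what local user will you log in?"
      private: false
    - name: local_pass
      prompt: "Enter password for this local user "
      private: true
    # vars_prompt values are strings. A bare string in a "when:" is truthy
    # whenever it is non-empty, so an answer of "no" would have run the task;
    # the "| bool" filter below maps yes/no/true/false/0/1 to a real boolean.
    - name: need_keypair
      prompt: "Do you need a new ssh keypair?"
      private: false
    - name: desire_smartcard
      prompt: "Do you wish to use a smartcard or security key?"
      private: false
  remote_user: "{{ local_user }}"
  vars:
    ansible_ssh_pass: "{{ local_pass }}"
  tasks:
    - name: "creating hardware key or smartcard based ssh keypair"
      # @TODO: for below property, ssh shell command to create
      # hardware key based keypair
      ansible.builtin.shell: ""
      when: (need_keypair | bool) and (desire_smartcard | bool)

    - name: "creating ssh keypair"
      # @TODO: for below property's value, write ssh keypair
      # creation command
      ansible.builtin.shell: ""
      when: (need_keypair | bool) and not (desire_smartcard | bool)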
# Play 3: placeholder for pushing the controller-side public key to the
# accounts created in the first play. Runs against the "local_ssh" host,
# logging in as the prompted local user.
- name: "send local ssh public keys to remote user"
  hosts: local_ssh
  connection: ansible.builtin.ssh
  remote_user: "{{ local_user }}"
  vars_prompt:
    - name: local_user
      prompt: "As what local user will you log in?"
      private: false
    - name: local_pass
      prompt: "Enter password for this local user "
      private: true
    - name: local_pubkey
      prompt: "Enter public key ssh keypair path "
      private: false
  vars:
    ansible_ssh_pass: "{{ local_pass }}"
    # Intended recipients of the key. Not referenced by any task yet.
    # NOTE(review): the sftp play points www-data's AuthorizedKeysFile at
    # /srv/.ssh_wwwdata/authorized_keys rather than ~www-data/.ssh, so a plain
    # ssh-copy-id to www-data would land in a file sshd never reads -- confirm
    # when the command below is written.
    target_user1: senpai
    target_user2: www-data
  tasks:
    - name: "sending public key to remote ssh server"
      # @TODO: for below property's value, write ssh pubkey
      # sending command
      ansible.builtin.shell: ""
      # Skipped when the path prompt is left empty (empty string is falsy).
      when: local_pubkey
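# Play 4: restrict senpai and www-data to key-only, forwarding-free sftp via
# an sshd_config.d drop-in. The drop-in is written idempotently with copy
# (the previous printf >> appended a fresh copy of every Match block on each
# run), syntax-checked before it lands, and sshd is reloaded afterwards.
- name: "set up sftp for new users"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
    # ssh_ftp_config references web_domain, which was only prompted for in
    # the first play; vars_prompt values are play-scoped, so it is asked for
    # again here rather than left undefined.
    - name: web_domain
      prompt: "What is the current or expected FQDN for the extant or planned web server?"
      private: false
      confirm: false
  vars:
    ansible_ssh_pass: "{{ root_password }}"
    ssh_ftp_file: "/etc/ssh/sshd_config.d/ftp.conf"
    # Written verbatim to ssh_ftp_file. sshd keeps the first value it sees
    # for each keyword, so the shared block must precede the per-user ones.
    ssh_ftp_config: |
      Match User senpai,www-data
        PasswordAuthentication no
        PubkeyAuthentication yes
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no

      # ChrootDirectory requires /srv/www (and every parent) to be root-owned
      # and not group/world-writable, or sshd refuses the login. Without a
      # ForceCommand the chroot would hand www-data a login shell that needs
      # /bin/bash inside the jail; internal-sftp needs nothing in it.
      Match User www-data
        ChrootDirectory /srv/www
        ForceCommand internal-sftp
        AuthorizedKeysFile /srv/.ssh_wwwdata/authorized_keys

      # senpai is sftp-only over ssh from here on; sudo membership from the
      # first play is therefore unreachable through this channel.
      Match User senpai
        ForceCommand internal-sftp -d /srv/www/{{ web_domain }}
        AuthorizedKeysFile /home/senpai/.ssh/authorized_keys
  tasks:
    - name: "validating the prompted FQDN before it is written into sshd_config"
      ansible.builtin.assert:
        that:
          - "web_domain | length > 0"
          - "'/' not in web_domain"
          - "web_domain != '.' and web_domain != '..'"
        fail_msg: "web_domain must be a single, non-empty path component (no '/', '.' or '..')"

    # copy with content replaces touch + printf >>: same result on first run,
    # no duplicate blocks on later runs, and nothing is written unless
    # "sshd -t" accepts the new file (validate checks the drop-in on its own,
    # not its interaction with the main sshd_config; "sshd -T -C user=www-data"
    # shows the effective result).
    - name: "configuring sftp"
      ansible.builtin.copy:
        dest: "{{ ssh_ftp_file }}"
        content: "{{ ssh_ftp_config }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd

    # Lives outside the chroot so sshd can read it before chrooting. 0700/0600
    # and www-data ownership satisfy StrictModes.
    - name: "adding requisite authorized keys directory for www-data"
      ansible.builtin.file:
        path: "/srv/.ssh_wwwdata"
        state: directory
        recurse: false
        owner: www-data
        group: www-data
        mode: "0700"

    # "recurse" is only accepted together with state=directory; the file
    # module rejects it on a touch, so it is dropped here.
    - name: "adding requisite authorized keys file for www-data"
      ansible.builtin.file:
        path: "/srv/.ssh_wwwdata/authorized_keys"
        state: touch
        owner: www-data
        group: www-data
        mode: "0600"
  handlers:
    # Config changes only take effect on reload. "sshd" is the unit name on
    # RHEL-family hosts and an alias of ssh.service on Debian/Ubuntu.
    - name: reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded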
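# Play 5: global sshd lockdown. ORDER MATTERS: this play removes the only
# access path the playbook itself uses (root + password). Confirm a key-based
# login as senpai works from the controller before running it. If the sftp
# play's Match block for senpai is in place, no account can open an
# interactive shell over ssh once this play has run -- keep console access.
- name: "disable non-key-based and root authentication for ssh"
  hosts: ssh_servers
  connection: ansible.builtin.ssh
  remote_user: root
  vars_prompt:
    - name: root_password
      prompt: "What is the password to the root account?"
      private: true
  vars:
    ansible_ssh_pass: "{{ root_password }}"
    # sshd keeps the first value it sees for a keyword and reads
    # sshd_config.d/*.conf in lexical order, so these drop-ins only win if
    # nothing earlier (e.g. a 50-cloud-init.conf with PasswordAuthentication
    # yes, or a global setting before the Include line) already set them.
    # Verify with "sshd -T"; a name such as 00-auth.conf sorts first.
    ssh_auth_file: "/etc/ssh/sshd_config.d/auth.conf"
    ssh_no_root: "/etc/ssh/sshd_config.d/deny_root.conf"
    # KbdInteractiveAuthentication no closes the PAM keyboard-interactive
    # path, which otherwise still accepts passwords when PasswordAuthentication
    # is off and UsePAM is on. (Older releases spell it
    # ChallengeResponseAuthentication; both are accepted.)
    ssh_auth_config: |
      PasswordAuthentication no
      PermitEmptyPasswords no
      KbdInteractiveAuthentication no
    ssh_no_root_config: |
      PermitRootLogin no
  tasks:
    # copy with content replaces touch + printf >>: identical file on first
    # run, no duplicated lines on later runs, and the drop-in is rejected
    # before it lands if "sshd -t" does not accept it.
    - name: "disabling password and empty-password authentication"
      ansible.builtin.copy:
        dest: "{{ ssh_auth_file }}"
        content: "{{ ssh_auth_config }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd

    - name: "disabling ssh root login"
      ansible.builtin.copy:
        dest: "{{ ssh_no_root }}"
        content: "{{ ssh_no_root_config }}"
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd
  handlers:
    # Nothing above takes effect until sshd re-reads its configuration.
    # "sshd" is the unit name on RHEL-family hosts and an alias of
    # ssh.service on Debian/Ubuntu.
    - name: reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded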