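---
# Bootstrap admin accounts and basic SSH / fail2ban hardening on a fresh host,
# then rewrite the inventory so later runs log in as the current user instead
# of the initial provisioning account.

- name: Create admin group
  ansible.builtin.group:
    name: admin
    state: present
  become: true

- name: Allow admin sudo access without password
  ansible.builtin.lineinfile:
    dest: /etc/sudoers
    regexp: '^%admin'
    line: '%admin ALL=(ALL) NOPASSWD:ALL'
    backup: true
    # The edit is only committed if visudo accepts the temporary copy, so a
    # syntax error here can never leave sudo unusable.
    validate: visudo -cf %s
  become: true

- name: Create accounts
  ansible.builtin.user:
    name: '{{ item.key }}'
    # Lock the local password. These accounts authenticate with SSH keys only
    # and belong to the NOPASSWD sudo group, so an empty password field ('')
    # would let anyone with local or console access switch to them, and from
    # there to root, without presenting any secret.
    password: '!'
    shell: '/bin/bash'
    group: admin
    generate_ssh_key: false
    state: present
  loop: '{{ access.admin | dict2items }}'
  become: true

- name: Configure ssh keys
  ansible.posix.authorized_key:
    user: '{{ item.key }}'
    key: '{{ item.value }}'
    state: present
  loop: '{{ access.admin | dict2items }}'
  become: true

- name: Replace default sshd_config file
  ansible.builtin.copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
    # Syntax-check the new config before it replaces the live one, so a bad
    # file cannot take sshd down on the restart below and lock us out.
    validate: /usr/sbin/sshd -t -f %s
  become: true
  notify:
    - Restart sshd
    - Restart ssh

- name: Install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    update_cache: true
    state: present
  become: true
  notify: Enable and start fail2ban

- name: Configure fail2ban
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/etc/fail2ban/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  become: true
  loop:
    - fail2ban.local
    - jail.local
  notify: Restart fail2ban

# Apply the sshd / fail2ban handlers now, before the connection details are
# switched over to the current user below.
- name: Run handlers
  ansible.builtin.meta: flush_handlers

- name: Modify inventory file in order to login with current user instead
  ansible.builtin.lineinfile:
    path: '{{ ansible_inventory_sources[0] }}/hosts'
    # Escape the hostname so regex metacharacters in it ('.' in particular)
    # match literally rather than matching other hosts' lines.
    regexp: '^{{ inventory_hostname | regex_escape }} .*'
    # ansible_ssh_user is the legacy alias of ansible_user; kept as-is because
    # the existing inventory file uses it.
    line: '{{ inventory_hostname }} ansible_host={{ ansible_host }} ansible_ssh_user={{ lookup("env", "USER") }}' # noqa yaml[line-length]
  # NOTE(review): the loop variable is never referenced, so each host rewrites
  # only its own line, once per play host; confirm whether run_once with
  # item was intended.
  loop: '{{ ansible_play_hosts }}'
  delegate_to: localhost

- name: Add host to in-memory inventory
  ansible.builtin.add_host:
    hostname: '{{ inventory_hostname }}'
    ansible_host: '{{ ansible_host }}'
    ansible_ssh_user: '{{ lookup("env", "USER") }}'

- name: Refresh inventory
  ansible.builtin.meta: refresh_inventory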