Diffstat (limited to 'playbooks/roles/common')
-rw-r--r-- | playbooks/roles/common/files/authorized_keys | 1 | ||||
-rw-r--r-- | playbooks/roles/common/files/sshd_config | 21 | ||||
-rw-r--r-- | playbooks/roles/common/handlers/main.yml | 23 | ||||
-rw-r--r-- | playbooks/roles/common/tasks/main.yml | 66 |
4 files changed, 111 insertions, 0 deletions
diff --git a/playbooks/roles/common/files/authorized_keys b/playbooks/roles/common/files/authorized_keys
new file mode 100644
index 0000000..6d49a82
--- /dev/null
+++ b/playbooks/roles/common/files/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnLAE5TrdYF8QWCSkvgUp15XKcwQJ9393a/CghSo8dG serve@ansible
diff --git a/playbooks/roles/common/files/sshd_config b/playbooks/roles/common/files/sshd_config
new file mode 100644
index 0000000..239a0c0
--- /dev/null
+++ b/playbooks/roles/common/files/sshd_config
@@ -0,0 +1,21 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+PermitRootLogin no
+PubkeyAuthentication yes
+PasswordAuthentication no
+
+KbdInteractiveAuthentication no
+
+UsePAM yes
+
+AllowAgentForwarding yes
+X11Forwarding no
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+ClientAliveInterval 300
+ClientAliveCountMax 1
+
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/playbooks/roles/common/handlers/main.yml b/playbooks/roles/common/handlers/main.yml
new file mode 100644
index 0000000..015db8b
--- /dev/null
+++ b/playbooks/roles/common/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Enable systemd-timesyncd
+  ansible.builtin.service:
+    name: systemd-timesyncd
+    state: restarted
+    enabled: true
+
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+    enabled: true
+
+- name: Enable ufw
+  ansible.builtin.service:
+    name: ufw
+    enabled: true
+
+- name: Reload ufw
+  ansible.builtin.service:
+    name: ufw
+    state: restarted
diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml
new file mode 100644
index 0000000..446db35
--- /dev/null
+++ b/playbooks/roles/common/tasks/main.yml
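Review bot: `Include /etc/ssh/sshd_config.d/*.conf` on the first line of sshd_config lets any drop-in override every directive below it, because sshd uses the first value it obtains for a keyword; on Ubuntu cloud images a distribution drop-in commonly sets `PasswordAuthentication yes`, which would silently undo the `PasswordAuthentication no` this file ships. Either move the Include to the last line, or have the role remove or manage the drop-in directory so the hardening settings in this file are the ones that take effect. A comment above the directive, `# Include is last so this file's settings take precedence over drop-ins`, would make the ordering intent clear to the next maintainer.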
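Review bot: The handler named `Reload ufw` in handlers/main.yml performs `state: restarted`, so its name and its action disagree; for a oneshot-style unit like ufw.service a restart is a stop followed by a start rather than an in-place reload, and the rule set is briefly flushed in between. If a reload is intended, `ufw reload` via `ansible.builtin.command` is the documented path (the ufw unit does not appear to define an ExecReload, so `state: reloaded` may fail); otherwise rename the handler to `Restart ufw` so the log reads truthfully. It is also worth confirming that `name: sshd` resolves on the target distribution, since Debian and Ubuntu ship the unit as `ssh.service` and only alias `sshd.service` on newer releases.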
@@ -0,0 +1,66 @@
+---
+
+### Rly base stuff
+
+- name: Apt upgrade, update
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: "dist"
+
+- name: Install dependencies
+  ansible.builtin.apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg-agent
+      - software-properties-common
+      - vim
+      - git
+      - rsync
+    state: latest
+    update_cache: true
+
+### Time
+
+- name: Timesyncd
+  ansible.builtin.apt:
+    name:
+      - systemd-timesyncd
+  notify:
+    - Enable systemd-timesyncd
+
+### SSH
+
+- name: Copy sshd_config
+  ansible.builtin.copy:
+    src: files/sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify:
+    - Restart sshd
+
+- name: Copy authorized_keys
+  ansible.builtin.copy:
+    src: files/authorized_keys
+    dest: /home/{{ ansible_user }}/.ssh/authorized_keys
+
+### UFW
+
+- name: Install ufw
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+
+- name: Allow ssh from rfc1918 networks
+  loop: "{{ rfc1918_cgnat_networks }}"
+  community.general.ufw:
+    rule: allow
+    name: "OpenSSH"
+    from: "{{ item }}"
+    state: "enabled"
+  notify:
+    - Enable ufw
+    - Reload ufw
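Review bot: `Copy authorized_keys` writes `/home/{{ ansible_user }}/.ssh/authorized_keys` with no `owner` or `mode` and without first ensuring `~/.ssh` exists, so on a host where the directory is missing `ansible.builtin.copy` fails, and where it exists the file is created with whatever the remote umask gives. The task also replaces the whole file, so any key already present — including the one the controller is connecting with, if it is not the `serve@ansible` key — is discarded, and with the shipped sshd_config disabling password authentication that is a lockout; `ansible.posix.authorized_key` manages keys individually, or at minimum pin ownership and mode as below. Related: `Copy sshd_config` has no `validate:`, so a broken config reaches the `Restart sshd` handler instead of failing the copy; `validate: /usr/sbin/sshd -t -f %s` closes that. Lastly, `Enable ufw` is only notified from inside the loop, so an empty `rfc1918_cgnat_networks` leaves the firewall never enabled — a separate unconditional enable step would be safer.
```yaml
- name: Copy sshd_config
  ansible.builtin.copy:
    # … unchanged: src, dest, owner, group, mode …
    validate: /usr/sbin/sshd -t -f %s
  # … unchanged: notify …

- name: Ensure .ssh directory exists
  ansible.builtin.file:
    path: /home/{{ ansible_user }}/.ssh
    state: directory
    owner: "{{ ansible_user }}"
    mode: "0700"

- name: Copy authorized_keys
  ansible.builtin.copy:
    src: files/authorized_keys
    dest: /home/{{ ansible_user }}/.ssh/authorized_keys
    owner: "{{ ansible_user }}"
    mode: "0600"
```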