feat(bundle): initial commit
88
bootstrap.yml
Normal file
@@ -0,0 +1,88 @@
|
||||
---
|
||||
# Generic Host Bootstrap Playbook
|
||||
#
|
||||
# This playbook sets up a user and hardens SSH on target hosts.
|
||||
# Designed to be built with ansible-bundler.
|
||||
#
|
||||
# Usage:
|
||||
# ansible-playbook bootstrap.yml -i inventory -e @vars.yml
|
||||
#
|
||||
# Or with bundled version:
|
||||
# ./bootstrap.run -e user_name=operator -e user_pubkey="ssh-ed25519 AAAA..."
|
||||
#
|
||||
# Required variables:
|
||||
# - user_name: Username to create
|
||||
# - One of: user_pubkey, user_pubkey_file, user_pubkey_url
|
||||
#
|
||||
# Optional variables (see roles/users/defaults/main.yml for full list):
|
||||
# - user_password: Password for the user
|
||||
# - user_sudo_enabled: Enable sudo (default: true)
|
||||
# - user_sudo_nopasswd: Passwordless sudo (default: true)
|
||||
# - ssh_server_ports: SSH port(s) (default: ["22"])
|
||||
# - ssh_permit_root_login: Allow root login (default: "no")
|
||||
#
|
||||
|
||||
- name: Bootstrap and harden host
|
||||
hosts: all
|
||||
gather_facts: yes
|
||||
|
||||
vars:
|
||||
# User defaults (override via -e or vars file)
|
||||
user_name: "operator"
|
||||
|
||||
# SSH hardening defaults - secure by default
|
||||
ssh_permit_root_login: "no"
|
||||
ssh_server_password_login: false
|
||||
ssh_client_password_login: false
|
||||
ssh_allow_tcp_forwarding: "no"
|
||||
ssh_allow_agent_forwarding: false
|
||||
ssh_x11_forwarding: false
|
||||
ssh_permit_tunnel: "no"
|
||||
ssh_use_pam: true
|
||||
ssh_print_motd: false
|
||||
ssh_print_last_log: false
|
||||
ssh_max_auth_retries: 2
|
||||
ssh_client_alive_interval: 300
|
||||
ssh_client_alive_count: 3
|
||||
|
||||
# Include sshd_config.d for distro-specific configs
|
||||
sshd_custom_options:
|
||||
- "Include /etc/ssh/sshd_config.d/*"
|
||||
|
||||
# Restrict SSH to created user (set to empty string to allow all users)
|
||||
# ssh_allow_users: "{{ user_name }}"
|
||||
|
||||
pre_tasks:
|
||||
- name: Update apt cache
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
become: yes
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: Ensure sudo is installed
|
||||
ansible.builtin.package:
|
||||
name: sudo
|
||||
state: present
|
||||
become: yes
|
||||
|
||||
roles:
|
||||
- role: users
|
||||
become: yes
|
||||
|
||||
- role: ssh_hardening
|
||||
become: yes
|
||||
|
||||
post_tasks:
|
||||
- name: Display connection info
|
||||
ansible.builtin.debug:
|
||||
msg: |
|
||||
Host bootstrap complete!
|
||||
|
||||
User '{{ user_name }}' has been created with SSH key authentication.
|
||||
SSH has been hardened with the following settings:
|
||||
- Root login: {{ ssh_permit_root_login }}
|
||||
- Password authentication: {{ ssh_server_password_login }}
|
||||
- Port(s): {{ ssh_server_ports | default(['22']) | join(', ') }}
|
||||
|
||||
To connect: ssh {{ user_name }}@{{ ansible_host | default(inventory_hostname) }}
|
||||
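Review bot: The play turns off password authentication (`ssh_server_password_login: false`) and root login before anything in this file confirms that a public key was actually supplied, so a run where none of user_pubkey, user_pubkey_file or user_pubkey_url is set relies entirely on the users role failing closed to avoid locking the operator out; a pre_task assert in this play makes that guarantee explicit, sketched below. The `Include /etc/ssh/sshd_config.d/*` entry under sshd_custom_options also needs a comment about placement: sshd keeps the first value it sees for each keyword, so if the role renders the Include above its hardening directives a distro or cloud-image drop-in that sets `PasswordAuthentication yes` silently wins — the placement is not visible from this file, so either verify the effective config with `sshd -T` in a post_task or at least annotate it, e.g. `# NOTE: sshd honours the first occurrence of a keyword; confirm the role emits custom options after its own hardening directives`. `ssh_max_auth_retries: 2` is tight enough that an agent offering more than two keys is rejected before the right one is tried, which is worth a comment or a value matched to the team's key count. Minor style: `gather_facts: yes`, `update_cache: yes` and the `become: yes` lines would be `true` under yamllint's truthy rule.
```yaml
pre_tasks:
  - name: Refuse to harden SSH without a public key for the new user
    ansible.builtin.assert:
      that:
        - user_name is defined and user_name | length > 0
        - (user_pubkey is defined) or (user_pubkey_file is defined) or (user_pubkey_url is defined)
      fail_msg: "Set one of user_pubkey, user_pubkey_file or user_pubkey_url; hardening without a key would lock you out of the host."

  # … unchanged: apt cache update and sudo install tasks …
```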