From b2deebfffcdc37073600ee141ac4028725d30c37 Mon Sep 17 00:00:00 2001
From: sujiba <mail@sujiba.de>
Date: Tue, 17 Sep 2024 00:49:08 +0200
Subject: [PATCH] first commit

---
 README.md                       | 38 +++++++++++++++++++
 defaults/main.yml               | 13 +++++++
 files/profile.d/00-bash.sh      | 15 ++++++++
 files/vim/vimrc.local           | 10 +++++
 handlers/main.yml               |  6 +++
 meta/main.yml                   | 52 ++++++++++++++++++++++++++
 tasks/main.yml                  | 66 +++++++++++++++++++++++++++++++++
 templates/00-sshd.conf.j2       | 28 ++++++++++++++
 templates/10_allowed_suoders.j2 |  6 +++
 9 files changed, 234 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 files/profile.d/00-bash.sh
 create mode 100644 files/vim/vimrc.local
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/00-sshd.conf.j2
 create mode 100644 templates/10_allowed_suoders.j2

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..89f23d2
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# defaults file for ssh
+ssh_users:
+  - name: USER
+    state: present
+    keys:
+      - key: "PUBLIC KEY 1"
+      - key: "PUBLIC KEY 2"
+      - key: "PUBLIC KEY n"
+    # If set to true, the loop overwrites existing keys in authorized_keys
+    # and overwrites the keys from "keys" one after the other
+    # only the last key in the list is retained
+    exclusive: false
diff --git a/files/profile.d/00-bash.sh b/files/profile.d/00-bash.sh
new file mode 100644
index 0000000..4d4f338
--- /dev/null
+++ b/files/profile.d/00-bash.sh
@@ -0,0 +1,15 @@
+## custom bash changes
+# colorful bash
+force_color_prompt=yes
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+# aliases
+alias l='ls $LS_OPTIONS -la'
+alias ll='ls $LS_OPTIONS -l'
+alias vi='vim'
+alias docker-compose='docker compose'
+# search history with keys
+bind '"\e[A": history-search-backward'
+bind '"\e[B": history-search-forward'
+bind '"\e[5~": history-search-backward'
+bind '"\e[6~": history-search-forward'
\ No newline at end of file
diff --git a/files/vim/vimrc.local b/files/vim/vimrc.local
new file mode 100644
index 0000000..ecea65b
--- /dev/null
+++ b/files/vim/vimrc.local
@@ -0,0 +1,10 @@
+set nocompatible
+set ignorecase
+set hlsearch
+set showmatch
+set wrap
+set mouse-=a
+set autoindent
+syntax on
+highlight Comment ctermfg=LightCyan
+let g:skip_defaults_vim = 1
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..75c83a2
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for ssh
+- name: Reload SSH
+  ansible.builtin.service:
+    name: sshd
+    state: reloaded
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..6f32442
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# tasks file for ssh
+- name: Add group
+  ansible.builtin.group:
+    name: "{{ ssh_item.name }}"
+    state: present
+  loop: "{{ ssh_users }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add user
+  ansible.builtin.user:
+    name: "{{ ssh_item.name }}"
+    group: "{{ ssh_item.name }}"
+    home: /home/{{ ssh_item.name }}
+    create_home: true
+    shell: /bin/bash
+    state: "{{ ssh_item.state }}"
+  loop: "{{ ssh_users }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add authorized_key
+  ansible.posix.authorized_key:
+    user: "{{ ssh_item.0.name }}"
+    key: "{{ ssh_item.1.key }}"
+    exclusive: "{{ ssh_item.0.exclusive }}"
+    state: "{{ ssh_item.0.state }}"
+  loop: "{{ ssh_users | subelements('keys') }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add sudoer rule for local user
+  ansible.builtin.template:
+    src: templates/10_allowed_suoders.j2
+    dest: /etc/sudoers.d/10_allowed_suoders
+    owner: root
+    group: root
+    mode: '0440'
+    validate: /usr/sbin/visudo -csf %s
+
+- name: Add hardened SSH config
+  ansible.builtin.template:
+    src: templates/00-sshd.conf.j2
+    dest: /etc/ssh/sshd_config.d/00-sshd.conf
+    owner: root
+    group: root
+    mode: '0600'
+    validate: /usr/sbin/sshd -t -f %s
+  notify: Reload SSH
+
+- name: Set bash profile
+  ansible.builtin.copy:
+    src: files/profile.d/00-bash.sh
+    dest: /etc/profile.d/00-bash.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Set vim config
+  ansible.builtin.copy:
+    src: files/vim/vimrc.local
+    dest: /etc/vim/vimrc.local
+    owner: root
+    group: root
+    mode: '0644'
diff --git a/templates/00-sshd.conf.j2 b/templates/00-sshd.conf.j2
new file mode 100644
index 0000000..6ab03ca
--- /dev/null
+++ b/templates/00-sshd.conf.j2
@@ -0,0 +1,28 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+ChallengeResponseAuthentication no
+UsePAM yes
+PasswordAuthentication no
+PermitRootLogin no
+
+# Allow specific users only
+AllowUsers {% for item in ssh_users %}{{ item.name }} {% endfor %}
+
+# Sicherheit und Allgemeines
+LoginGraceTime 2m
+ClientAliveInterval 600
+StrictModes yes
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+X11Forwarding no
+
+## Ciphers (01.2024, ssh-audit and https://www.ssh.com/academy/ssh/sshd_config#cryptographic-policy)
+# Encryption algorithms (ciphers)
+Ciphers aes256-ctr,aes128-ctr,aes192-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+# Host-key algorithms
+HostKeyAlgorithms rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-dss
+# Key exchange algorithms
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+# Message authentication code (MAC) algorithms
+MACs hmac-sha2-512,hmac-sha2-256
\ No newline at end of file
diff --git a/templates/10_allowed_suoders.j2 b/templates/10_allowed_suoders.j2
new file mode 100644
index 0000000..92b23c5
--- /dev/null
+++ b/templates/10_allowed_suoders.j2
@@ -0,0 +1,6 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+{% for item in ssh_users %}
+{{ item.name }} ALL=(ALL) NOPASSWD: ALL
+{% endfor %}