first commit

2024-09-17 00:49:08 +02:00 · 2024-09-17 00:49:08 +02:00 · b2deebfffc
commit b2deebfffc
9 changed files with 234 additions and 0 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,66 @@
+---
+# tasks file for ssh
+- name: Add group
+  ansible.builtin.group:
+    name: "{{ ssh_item.name }}"
+    state: present
+  loop: "{{ ssh_users }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add user
+  ansible.builtin.user:
+    name: "{{ ssh_item.name }}"
+    group: "{{ ssh_item.name }}"
+    home: /home/{{ ssh_item.name }}
+    create_home: true
+    shell: /bin/bash
+    state: "{{ ssh_item.state }}"
+  loop: "{{ ssh_users }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add authorized_key
+  ansible.posix.authorized_key:
+    user: "{{ ssh_item.0.name }}"
+    key: "{{ ssh_item.1.key }}"
+    exclusive: "{{ ssh_item.0.exclusive }}"
+    state: "{{ ssh_item.0.state }}"
+  loop: "{{ ssh_users | subelements('keys') }}"
+  loop_control:
+    loop_var: ssh_item
+
+- name: Add sudoer rule for local user
+  ansible.builtin.template:
+    src: templates/10_allowed_suoders.j2
+    dest: /etc/sudoers.d/10_allowed_suoders
+    owner: root
+    group: root
+    mode: '0440'
+    validate: /usr/sbin/visudo -csf %s
+
+- name: Add hardened SSH config
+  ansible.builtin.template:
+    src: templates/00-sshd.conf.j2
+    dest: /etc/ssh/sshd_config.d/00-sshd.conf
+    owner: root
+    group: root
+    mode: '0600'
+    validate: /usr/sbin/sshd -t -f %s
+  notify: Reload SSH
+
+- name: Set bash profile
+  ansible.builtin.copy:
+    src: files/profile.d/00-bash.sh
+    dest: /etc/profile.d/00-bash.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Set vim config
+  ansible.builtin.copy:
+    src: files/vim/vimrc.local
+    dest: /etc/vim/vimrc.local
+    owner: root
+    group: root
+    mode: '0644'