|
|
|
@@ -1,43 +1,41 @@
|
|
|
|
---
|
|
|
|
---
|
|
|
|
- name: Secure and Configure a New LXC Container
|
|
|
|
- name: 1. Secure and Configure a New LXC Container
|
|
|
|
hosts: 'lxc' # Hosts or group defined in your inventory
|
|
|
|
hosts: 'new' # Target hosts in the [new] group
|
|
|
|
remote_user: root
|
|
|
|
remote_user: root # Connect as root, as defined in the inventory for this group
|
|
|
|
|
|
|
|
gather_facts: no
|
|
|
|
|
|
|
|
vars:
|
|
|
|
|
|
|
|
target_user: mbuz
|
|
|
|
|
|
|
|
my_public_keys:
|
|
|
|
|
|
|
|
- "{{ lookup('file', '/home/mbuz/.ssh/id_ed25519.pub') }}"
|
|
|
|
tasks:
|
|
|
|
tasks:
|
|
|
|
- name: 1. Create user '{{ target_user }}'
|
|
|
|
- name: Create user '{{ target_user }}'
|
|
|
|
ansible.builtin.user:
|
|
|
|
ansible.builtin.user:
|
|
|
|
name: '{{ target_user }}'
|
|
|
|
name: '{{ target_user }}'
|
|
|
|
shell: /bin/bash
|
|
|
|
shell: /bin/bash
|
|
|
|
groups: sudo # Add to sudo (for Debian/Ubuntu)
|
|
|
|
groups: sudo
|
|
|
|
state: present
|
|
|
|
state: present
|
|
|
|
|
|
|
|
|
|
|
|
- name: 1.1. Allow '{{ target_user }}' to use sudo without a password
|
|
|
|
- name: Allow '{{ target_user }}' to use sudo without a password
|
|
|
|
ansible.builtin.copy:
|
|
|
|
ansible.builtin.copy:
|
|
|
|
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
|
|
|
|
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
|
|
|
|
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
|
|
|
|
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
|
|
|
|
mode: '0440'
|
|
|
|
mode: '0440'
|
|
|
|
validate: /usr/sbin/visudo -cf %s
|
|
|
|
validate: /usr/sbin/visudo -cf %s
|
|
|
|
|
|
|
|
|
|
|
|
- name: 2. Set up authorized_keys for '{{ target_user }}'
|
|
|
|
- name: Set up authorized_keys for '{{ target_user }}'
|
|
|
|
ansible.posix.authorized_key:
|
|
|
|
ansible.posix.authorized_key:
|
|
|
|
user: '{{ target_user }}'
|
|
|
|
user: '{{ target_user }}'
|
|
|
|
key: "{{ item }}"
|
|
|
|
key: "{{ item }}"
|
|
|
|
state: present
|
|
|
|
state: present
|
|
|
|
path: /home/{{ target_user }}/.ssh/authorized_keys
|
|
|
|
path: /home/{{ target_user }}/.ssh/authorized_keys
|
|
|
|
loop: "{{ my_public_keys }}"
|
|
|
|
loop: "{{ my_public_keys }}"
|
|
|
|
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: 3. Lock password for '{{ target_user }}'
|
|
|
|
- name: Lock password for '{{ target_user }}'
|
|
|
|
ansible.builtin.user:
|
|
|
|
ansible.builtin.user:
|
|
|
|
name: '{{ target_user }}'
|
|
|
|
name: '{{ target_user }}'
|
|
|
|
password_lock: yes
|
|
|
|
password_lock: yes
|
|
|
|
|
|
|
|
|
|
|
|
- name: 4.0. Install software-properties-common
|
|
|
|
- name: Disallow root login over SSH
|
|
|
|
ansible.builtin.apt:
|
|
|
|
|
|
|
|
name: software-properties-common
|
|
|
|
|
|
|
|
state: present
|
|
|
|
|
|
|
|
update_cache: yes
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: 4.1. Disallow root login over SSH
|
|
|
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
path: /etc/ssh/sshd_config
|
|
|
|
path: /etc/ssh/sshd_config
|
|
|
|
regexp: '^#?PermitRootLogin'
|
|
|
|
regexp: '^#?PermitRootLogin'
|
|
|
|
@@ -45,7 +43,7 @@
|
|
|
|
validate: /usr/sbin/sshd -t -f %s
|
|
|
|
validate: /usr/sbin/sshd -t -f %s
|
|
|
|
notify: restart sshd
|
|
|
|
notify: restart sshd
|
|
|
|
|
|
|
|
|
|
|
|
- name: 4.2. Disallow password authentication
|
|
|
|
- name: Disallow password authentication
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
path: /etc/ssh/sshd_config
|
|
|
|
path: /etc/ssh/sshd_config
|
|
|
|
regexp: '^#?PasswordAuthentication'
|
|
|
|
regexp: '^#?PasswordAuthentication'
|
|
|
|
@@ -54,10 +52,30 @@
|
|
|
|
notify: restart sshd
|
|
|
|
notify: restart sshd
|
|
|
|
|
|
|
|
|
|
|
|
handlers:
|
|
|
|
handlers:
|
|
|
|
# This block will only run if at least one task sends a notification.
|
|
|
|
- name: Restart sshd server
|
|
|
|
# This prevents unnecessary service restarts.
|
|
|
|
|
|
|
|
- name: 5. Restart sshd server
|
|
|
|
|
|
|
|
listen: "restart sshd"
|
|
|
|
listen: "restart sshd"
|
|
|
|
ansible.builtin.service:
|
|
|
|
ansible.builtin.service:
|
|
|
|
name: sshd
|
|
|
|
name: sshd
|
|
|
|
state: restarted
|
|
|
|
state: restarted
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# --- Move host from NEW to LXC group ---
|
|
|
|
|
|
|
|
- name: 2. Graduate Host from [new] to [lxc] in Inventory
|
|
|
|
|
|
|
|
hosts: localhost
|
|
|
|
|
|
|
|
connection: local
|
|
|
|
|
|
|
|
gather_facts: no
|
|
|
|
|
|
|
|
tasks:
|
|
|
|
|
|
|
|
- name: Remove host from the [new] group
|
|
|
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
|
|
|
path: /opt/ansible/inventory/hosts.ini
|
|
|
|
|
|
|
|
regexp: "^{{ item }}\\s" # Match the start of the line with the hostname
|
|
|
|
|
|
|
|
state: absent
|
|
|
|
|
|
|
|
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Add host to the [lxc] group
|
|
|
|
|
|
|
|
ansible.builtin.blockinfile:
|
|
|
|
|
|
|
|
path: /opt/ansible/inventory/hosts.ini
|
|
|
|
|
|
|
|
block: |
|
|
|
|
|
|
|
|
{{ item }} ansible_host={{ hostvars[item]['ansible_host'] }}
|
|
|
|
|
|
|
|
insertafter: "[lxc]"
|
|
|
|
|
|
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR LXC"
|
|
|
|
|
|
|
|
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
|
