New structure

2024-03-06 10:56:21 +00:00
parent f717d9ca0d
commit ca5b61e58b
38 changed files with 706 additions and 4 deletions
--- a/playbooks/inital_setup_new_server.yml
+++ b/playbooks/inital_setup_new_server.yml
@@ -0,0 +1,99 @@
+- hosts: new
+  vars:
+    ansible_host_key_checking: false ##If you get an error about hosts not trusted
+  become_user: root
+  become: yes
+  tasks:
+    - name: Update apt repo and cache on all Debian/Ubuntu boxes
+      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
+
+    - name: Upgrade all packages on servers
+      apt: upgrade=dist force_apt_get=yes
+
+    - name: Check if a reboot is needed on all servers
+      register: reboot_required_file
+      stat: path=/var/run/reboot-required get_md5=no
+
+    - name: Reboot the box if kernel updated
+      reboot:
+        msg: "Reboot initiated by Ansible for kernel updates"
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 0
+        post_reboot_delay: 30
+        test_command: uptime
+      when: reboot_required_file.stat.exists
+
+    - name: Add the user 'joachim' with a specific uid and a primary group of 'admin'
+      ansible.builtin.user:
+        name: joachim
+        shell: /bin/bash
+        comment: Joachim Hummel
+        createhome: yes
+        uid: 1000
+        group: sudo
+
+
+    - name: Add the user 'sysadmin' with a specific uid and a primary group of 'admin'
+      ansible.builtin.user:
+        name: sysadmin42
+        shell: /bin/bash
+        comment: Ansible Sysadmin42 
+        createhome: yes
+        uid: 1010
+        group: sudo
+
+    - name: Set authorized key for remote user joachim
+      ansible.posix.authorized_key:
+        user: joachim 
+        state: present
+        key: "{{ lookup('url', 'https://git.homeabc.de/jhummel/ansible-semaphore/raw/branch/master/keys/id_rsa.joachim', split_lines=False) }}" 
+
+    - name: Set authorized key for remote user sysadmin42
+      ansible.posix.authorized_key:
+        user: sysadmin42
+        state: present
+        key: "{{ lookup('url', 'https://git.homeabc.de/jhummel/ansible-semaphore/raw/branch/master/keys/id_rsa.semphore', split_lines=False) }}" 
+
+    - name: Disable password authentication for root
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+
+    - name: Update apt and install required system packages
+      apt:
+        pkg:
+          - curl
+          - vim
+          - git
+          - ufw
+          - fail2ban
+          - apache2
+        state: latest
+        update_cache: true
+
+    - name: UFW - Allow SSH connections
+      community.general.ufw:
+        rule: allow
+        name: OpenSSH
+
+
+    - name: UFW - Allow HTTP connections
+      community.general.ufw:
+        rule: allow
+        port: 80
+        proto: tcp
+
+    - name: UFW - Allow HTTPS connections
+      community.general.ufw:
+        rule: allow
+        port: 443
+        proto: tcp
+
+    - name: UFW - Enable and deny by default
+      community.general.ufw:
+        state: enabled
+        default: deny
+