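---
# User provisioning + sshd hardening. Everything below runs as root
# (become on the enclosing block).
#
# Ordering is lock-out safety, not cosmetics: both privileged users get their
# authorized keys BEFORE password authentication is switched off and before
# root/creator are denied, so a key-based path into the host always exists.
# Do not reorder these tasks.
#
# Every sshd_config edit is validated with `sshd -t` against the candidate file
# so a typo in a variable cannot produce a config that sshd refuses to load
# (which, combined with the restart handler, would lock everyone out).
- block:
    # Vault file providing vault_atmen_password, vault_maintainer_user and
    # vault_maintainer_password. include_vars returns the loaded variables as
    # facts and echoes them in verbose (-v) output; no_log keeps the decrypted
    # values out of the log.
    - ansible.builtin.include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"
      no_log: true

    # Atmen : slave, servant
    - name: Add provisioning user "atmen" for ansible
      ansible.builtin.user:
        name: atmen
        comment: Ansible provisioner
        # "sudo" is the Debian-family admin group; adjust for "wheel" distros.
        groups: sudo
        append: true
        shell: /bin/bash
        # password_hash() draws a fresh random salt on every run, so this task
        # reports "changed" each time even though the stored hash stays valid.
        # Accepted here: a per-host seeded salt would shorten the salt, and
        # update_password: on_create would stop vault rotations propagating.
        password: "{{ vault_atmen_password | password_hash('sha512') }}"

    - name: Set authorized key for atmen
      ansible.posix.authorized_key:
        user: atmen
        state: present
        # Read from the control node. This must be the PUBLIC half (.pub);
        # NOTE(review): confirm atmen_ssh_key_host_path points at the .pub file.
        key: "{{ lookup('file', atmen_ssh_key_host_path) }}"

    - name: Add maintainer user
      ansible.builtin.user:
        name: "{{ vault_maintainer_user }}"
        comment: Maintainer user
        groups: sudo
        append: true
        shell: /bin/bash
        # Same salt/idempotency note as for atmen above.
        password: "{{ vault_maintainer_password | password_hash('sha512') }}"

    - name: Set authorized key for maintainer user
      ansible.posix.authorized_key:
        user: "{{ vault_maintainer_user }}"
        state: present
        # NOTE(review): confirm maintainer_ssh_key_host_path is the .pub file.
        key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"

    # Locks root's password only. Key-based SSH login as root is covered by
    # the PermitRootLogin task that follows.
    - name: Disable root login
      ansible.builtin.user:
        name: root
        password: '*'

    - name: Disable SSH root login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?PermitRootLogin '
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    - name: Disable SSH login for creator
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        line: DenyUsers creator
        state: present
        # Insert at the top instead of appending: a line appended after a
        # trailing "Match" block is scoped to that block, and DenyUsers is not
        # a valid Match keyword, so sshd would reject the whole config.
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
      # Without a notify this edit only took effect if a later task happened
      # to change something; make it restart sshd on its own.
      notify: restart sshd

    - name: Disable password login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Also matches the commented-out default ("#PasswordAuthentication yes")
        # so the directive is rewritten in place rather than appended.
        regexp: '^(#\s*)?PasswordAuthentication '
        line: PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      # NOTE(review): sshd keeps the FIRST value it sees for a keyword. On
      # images whose sshd_config starts with
      # "Include /etc/ssh/sshd_config.d/*.conf" (Ubuntu/cloud-init), a drop-in
      # such as 50-cloud-init.conf setting "PasswordAuthentication yes" wins
      # over this line. Verify with `sshd -T | grep passwordauthentication`
      # on the target; if a drop-in exists, manage a 00-*.conf drop-in instead.
      notify: restart sshd

    - name: Change SSH port
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the commented default ("#Port 22") as well, for the same
        # reason as PasswordAuthentication above.
        regexp: '^(#\s*)?Port '
        line: "Port {{ sshd_port }}"
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
      # Forces the restart handler to fire on every run even when the file is
      # unchanged — presumably to guarantee sshd is listening on sshd_port at
      # the end of the play. Drop it if idempotent "changed" reporting matters.
      changed_when: true

  # Runs as root. Relies on a "restart sshd" handler defined elsewhere in the
  # role/play — NOTE(review): not visible in this file.
  become: true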