richb-hanover · April 7, 2020 11:24
diff --git a/setup_accounts.yml b/setup_accounts.yml
 ---

 ##############################################################
 #
 # setup_accounts.yml
 #
 # This Ansible playbook configures the accounts for an initial
 #   connection to a newly provisioned VPS. It performs the following tasks:
 #
 #  1. Log into the target server using the root password (not public key)
 #  2. Create a 'deploy' user
 #  3. Install the SSH public key from your account/home directory
 #  4. Add 'deploy' to /etc/sudoers to enable sudo access
 #  5. Disallow password login for all accounts
 #  6. Disallow root ssh access
 #  7. (Leave ssh port set to default of 22 - commented out)
 #
 # The script ssh's into the host and uses the root password for 
 #   authentication. It can never be re-run on the host because
 #   passwords and root access are both disallowed.
 #
 # You only need to run this playbook one time for a new VPS. After that
 #   all future connections to the host should use the 'deploy' user.
 # 
 # ----------------
 #
 # To run the script, enter the following command:
 #
 # ansible-playbook -i "hostname," setup_accounts.yml -k  
 #
 # Substitute the hostname as needed (keep the trailing comma (",").
 # You will be prompted to enter the root password, then you will be
 #   prompted to enter a password (twice) for the 'deploy' user.
 #
 # If you see "Please add this host's fingerprint to your known_hosts file"
 #   you need to ssh root@hostname one time to set the fingerprint. 
 #   Then re-run the ansible-playbook command (above)
 # 
 # ----------------
 #
 # Copyright (c) 2020 Rich Brown
 # Blueberry Hill Software 
 # [email protected]
 # GPL v2 - use it, enjoy it, and let me know if it helps!
 #
 # Provenance: Original ideas came from:
 # https://github.com/jedelman8/server-build-ansible/blob/master/server_one_time_run.yml
 # referred from http://jedelman.com/home/server-bootstrap-prep-with-ansible/
 # Seasoned with info from Ryan Eschinger's first-time setup
 # Those playbooks needed to be refreshed for the (current) Ansible 2.9 syntax
 # Tested with Ansible 2.9.6 - 6Apr2020 
 #
 ##############################################################

 - name: Set Up Accounts on a New Host (First run - never again)
  hosts: all
  gather_facts: no
  remote_user: root

  vars_prompt:
    - name: deploy_password
      prompt: "What is the password for the 'deploy' user?"
      private: yes
    - name: deploy_password2
      prompt: "  Enter the 'deploy' password one more time"
      private: yes

  vars:
      ubuntu_common_deploy_user_name: deploy
      hashed_password:  "{{ deploy_password | password_hash('sha512') }}"
      copy_of_my_ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
 #     ubuntu_common_ssh_port: 22

  tasks:

   #check if params are valid: abort the remaining tasks if not
  - assert: 
      that: 
        - deploy_password is defined
        - deploy_password2 is defined
        - deploy_password == deploy_password2
      success_msg: "Passwords are OK"
      fail_msg: "Passwords are missing or do not match"

  - name: 'Add deploy user'
    user: name={{ ubuntu_common_deploy_user_name }} password="{{ hashed_password }}" shell=/bin/bash

  - name: 'Add authorized key taken from HOME public key'
    authorized_key:
      user: deploy
      state: present
      key: "{{ copy_of_my_ssh_key }}"

  - name: 'Add deploy user to sudoers'
    lineinfile: dest=/etc/sudoers
                  regexp="{{ ubuntu_common_deploy_user_name }} ALL"
                  line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
                  state=present

  - name: 'Disallow password authentication'
    lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^PasswordAuthentication"
                  line="PasswordAuthentication no"
                  state=present
    notify: Restart ssh

  - name: 'Disallow root SSH access'
    lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^PermitRootLogin"
                  line="PermitRootLogin no"
                  state=present
    notify: Restart ssh

  # - name: 'Change ssh port'
  #   lineinfile: dest=/etc/ssh/sshd_config
  #                 regexp="^Port\s"
  #                 line="Port {{ ubuntu_common_ssh_port }}"
  #                 state=present
  #   notify: Restart ssh

  handlers:
    - name: Restart ssh
      service: name=ssh state=restarted
	---

	##############################################################
	#
	# setup_accounts.yml
	#
	# This Ansible playbook configures the accounts for an initial
	# connection to a newly provisioned VPS. It performs the following tasks:
	#
	# 1. Log into the target server using the root password (not public key)
	# 2. Create a 'deploy' user
	# 3. Install the SSH public key from your account/home directory
	# 4. Add 'deploy' to /etc/sudoers to enable sudo access
	# 5. Disallow password login for all accounts
	# 6. Disallow root ssh access
	# 7. (Leave ssh port set to default of 22 - commented out)
	#
	# The script ssh's into the host and uses the root password for
	# authentication. It can never be re-run on the host because
	# passwords and root access are both disallowed.
	#
	# You only need to run this playbook one time for a new VPS. After that
	# all future connections to the host should use the 'deploy' user.
	#
	# ----------------
	#
	# To run the script, enter the following command:
	#
	# ansible-playbook -i "hostname," setup_accounts.yml -k
	#
	# Substitute the hostname as needed (keep the trailing comma (",").
	# You will be prompted to enter the root password, then you will be
	# prompted to enter a password (twice) for the 'deploy' user.
	#
	# If you see "Please add this host's fingerprint to your known_hosts file"
	# you need to ssh root@hostname one time to set the fingerprint.
	# Then re-run the ansible-playbook command (above)
	#
	# ----------------
	#
	# Copyright (c) 2020 Rich Brown
	# Blueberry Hill Software
	# [email protected]
	# GPL v2 - use it, enjoy it, and let me know if it helps!
	#
	# Provenance: Original ideas came from:
	# https://github.com/jedelman8/server-build-ansible/blob/master/server_one_time_run.yml
	# referred from http://jedelman.com/home/server-bootstrap-prep-with-ansible/
	# Seasoned with info from Ryan Eschinger's first-time setup
	# Those playbooks needed to be refreshed for the (current) Ansible 2.9 syntax
	# Tested with Ansible 2.9.6 - 6Apr2020
	#
	##############################################################

	- name: Set Up Accounts on a New Host (First run - never again)
	hosts: all
	gather_facts: no
	remote_user: root

	vars_prompt:
	- name: deploy_password
	prompt: "What is the password for the 'deploy' user?"
	private: yes
	- name: deploy_password2
	prompt: " Enter the 'deploy' password one more time"
	private: yes

	vars:
	ubuntu_common_deploy_user_name: deploy
	hashed_password: "{{ deploy_password \| password_hash('sha512') }}"
	copy_of_my_ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
	# ubuntu_common_ssh_port: 22

	tasks:

	#check if params are valid: abort the remaining tasks if not
	- assert:
	that:
	- deploy_password is defined
	- deploy_password2 is defined
	- deploy_password == deploy_password2
	success_msg: "Passwords are OK"
	fail_msg: "Passwords are missing or do not match"

	- name: 'Add deploy user'
	user: name={{ ubuntu_common_deploy_user_name }} password="{{ hashed_password }}" shell=/bin/bash

	- name: 'Add authorized key taken from HOME public key'
	authorized_key:
	user: deploy
	state: present
	key: "{{ copy_of_my_ssh_key }}"

	- name: 'Add deploy user to sudoers'
	lineinfile: dest=/etc/sudoers
	regexp="{{ ubuntu_common_deploy_user_name }} ALL"
	line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
	state=present

	- name: 'Disallow password authentication'
	lineinfile: dest=/etc/ssh/sshd_config
	regexp="^PasswordAuthentication"
	line="PasswordAuthentication no"
	state=present
	notify: Restart ssh

	- name: 'Disallow root SSH access'
	lineinfile: dest=/etc/ssh/sshd_config
	regexp="^PermitRootLogin"
	line="PermitRootLogin no"
	state=present
	notify: Restart ssh

	# - name: 'Change ssh port'
	# lineinfile: dest=/etc/ssh/sshd_config
	# regexp="^Port\s"
	# line="Port {{ ubuntu_common_ssh_port }}"
	# state=present
	# notify: Restart ssh

	handlers:
	- name: Restart ssh
	service: name=ssh state=restarted