Centralize and manage multiple administrator SSH public keys for server access and streamline administrative tasks. This change: - Allows provisioning of multiple admin SSH keys to the `iklim` user for human access. - Adds the same admin SSH keys to the `root` user for emergency or bootstrap scenarios. - Grants the `iklim` user passwordless sudo privileges to simplify administrative operations. - Replaces the single `admin_ssh_public_key_path` variable with a list of keys, accommodating multiple administrators.
---
|
|
- name: Disable SELinux
|
|
ansible.posix.selinux:
|
|
state: disabled
|
|
register: selinux_status
|
|
|
|
- name: Reboot if SELinux changed
|
|
ansible.builtin.reboot:
|
|
when: selinux_status.changed
|
|
|
|
- name: Configure SSH Hardening
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
loop:
|
|
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
|
|
- { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
|
|
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
|
|
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
|
|
notify: Restart sshd
|
|
|
|
- name: Install dnf-automatic
|
|
ansible.builtin.dnf:
|
|
name: dnf-automatic
|
|
state: present
|
|
|
|
- name: Enable dnf-automatic timer
|
|
ansible.builtin.systemd:
|
|
name: dnf-automatic.timer
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Configure fail2ban jail
|
|
ansible.builtin.template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
notify: Restart fail2ban
|
|
|
|
- name: Ensure fail2ban is running and enabled
|
|
ansible.builtin.service:
|
|
name: fail2ban
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Ensure firewalld is running
|
|
ansible.builtin.service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Allow SSH in firewalld from admin CIDRs
|
|
ansible.posix.firewalld:
|
|
rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
|
|
zone: drop
|
|
state: enabled
|
|
permanent: yes
|
|
immediate: yes
|
|
loop: "{{ admin_allowed_cidrs.split(' ') }}"
|
|
|
|
- name: Configure firewalld default zone
|
|
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
|
|
changed_when: false
|
|
|
|
- name: Create iklim user
|
|
ansible.builtin.user:
|
|
name: iklim
|
|
password: "{{ iklim_password | password_hash('sha512') }}"
|
|
groups: wheel
|
|
append: yes
|
|
shell: /bin/bash
|
|
create_home: yes
|
|
state: present
|
|
|
|
- name: Allow iklim user to use sudo without password
|
|
ansible.builtin.copy:
|
|
content: "iklim ALL=(ALL) NOPASSWD:ALL"
|
|
dest: /etc/sudoers.d/iklim
|
|
mode: '0440'
|
|
validate: /usr/sbin/visudo -cf %s
|
|
|
|
- name: Add multiple SSH keys to iklim user (for human access)
|
|
ansible.posix.authorized_key:
|
|
user: iklim
|
|
state: present
|
|
key: "{{ item }}"
|
|
loop: "{{ admin_ssh_public_keys }}"
|
|
|
|
- name: Add admin SSH keys to root as well (for emergency/bootstrap/ansible)
|
|
ansible.posix.authorized_key:
|
|
user: root
|
|
state: present
|
|
key: "{{ item }}"
|
|
loop: "{{ admin_ssh_public_keys }}"
|
|
|
|
- name: Configure journald log limits
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/journald.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
create: yes
|
|
loop:
|
|
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
|
|
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
|
|
notify: Restart journald
|
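Review bot: The "Configure SSH Hardening" lineinfile loop appends a directive at end of file whenever its regexp finds no match (the stock `#PasswordAuthentication yes` comment does not match `^PasswordAuthentication`), and an appended line in sshd_config lands inside any trailing `Match` block, so the hardening may silently apply only to that block; add `insertbefore: BOF` so unmatched directives land in the global section, and `validate: /usr/sbin/sshd -t -f %s` so a malformed edit never reaches the running daemon. The "Add admin SSH keys to root" task gives every admin direct root login by key even though `iklim` receives the same keys plus `NOPASSWD:ALL` sudo in the tasks just above; if the root entries are meant for bootstrap only, consider limiting them with `key_options` (for example a `from=` pattern built from `admin_allowed_cidrs`) or removing them after bootstrap, since `PermitRootLogin prohibit-password` otherwise leaves root reachable by key from anywhere the firewall admits. The firewalld loop over `admin_allowed_cidrs.split(' ')` yields an empty-string item when the variable is empty or has doubled spaces, which produces a rich rule with an empty source; `loop: "{{ admin_allowed_cidrs.split() }}"` avoids that. Style: the three `enabled: yes` values should be the lowercase boolean `enabled: true`. The task list may continue past this chunk.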