Add playbook
81
ssh_config.yml
Normal file
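--- /dev/null
+++ b/ssh_config.yml
@@ -0,0 +1,81 @@
+---
+
+- name: Configure SSH settings
+  hosts: all
+  become: true
+  tasks:
+
+    - name: Install SSH
+      ansible.builtin.apt:
+        name: openssh-server
+        state: present
+
+    - name: Create SSH directory for user pleb
+      ansible.builtin.file:
+        path: /home/pleb/.ssh
+        state: directory
+        owner: pleb
+        group: pleb
+        mode: '0700'
+
+    - name: Add SSH public key
+      ansible.posix.authorized_key:
+        user: pleb
+        state: present
+        key: "{{ lookup('file', '/home/pleb/.ssh/bikiniBottom.pub') }}"
+
+    - name: Configure SSH daemon settings
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '{{ item.regexp }}'
+        line: '{{ item.line }}'
+        state: present
+        insertafter: EOF
+      loop:
+        - { regexp: '^#Port', line: 'Port 22' }
+        - { regexp: '^#PermitRootLogin', line: 'PermitRootLogin no' }
+        - { regexp: '^#PasswordAuthentication', line: 'PasswordAuthentication no' }
+        - { regexp: '^#ChallengeResponseAuthentication', line: 'ChallengeResponseAuthentication no' }
+        - { regexp: '^#UsePAM', line: 'UsePAM yes' }
+        - { regexp: '^#AllowUsers', line: 'AllowUsers pleb' }
+        - { regexp: '^#MaxAuthTries', line: 'MaxAuthTries 5' }
+      notify: restart ssh
+
+  handlers:
+    - name: restart ssh
+      ansible.builtin.systemd:
+        name: ssh
+        state: restarted
+        enabled: true
+
+- name: Configure Fail2Ban settings
+  hosts: all
+  become: true
+  tasks:
+
+    - name: Install Fail2Ban
+      ansible.builtin.apt:
+        name: fail2ban
+        state: present
+        update_cache: true
+
+    - name: Configure Fail2Ban for SSH
+      ansible.builtin.copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+          [sshd]
+          enabled = true
+          port = 22
+          filter = sshd
+          logpath = /var/log/auth.log
+          maxretry = 5
+          bantime = 3600
+        mode: '0644'
+      notify: restart fail2ban
+
+  handlers:
+    - name: restart fail2ban
+      ansible.builtin.systemd:
+        name: fail2ban
+        state: restarted
+        enabled: true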
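Review bot: The `regexp` values in the "Configure SSH daemon settings" loop match only the commented-out default (`'^#PasswordAuthentication'` and the other six), so a directive that is already active on the host — for example `PasswordAuthentication yes` left by an image or an earlier run — is never rewritten and the intended line is appended at EOF, where sshd ignores it because the first occurrence of a keyword wins; changing each pattern to the form `regexp: '^#?PasswordAuthentication'` makes the task rewrite either form. On hosts whose `sshd_config` begins with an `Include /etc/ssh/sshd_config.d/*.conf` line (the Debian/Ubuntu default, to be confirmed on the targets) any conflicting value in that directory also takes precedence over lines appended at EOF, so the effective configuration should be checked with `sshd -T` rather than assumed. Since the `restart ssh` handler fires right after this task and `AllowUsers pleb` together with `PasswordAuthentication no` leaves the key added two tasks earlier as the only way back in, the lineinfile task should also carry `validate: '/usr/sbin/sshd -t -f %s'` so a malformed edit is rejected before it reaches the running daemon. Note that the `lookup('file', ...)` in "Add SSH public key" reads the `.pub` path on the control node, not on the target, which is worth a comment above that task.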