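---
# Bootstrap play for a fresh CentOS-family host: installs Docker CE and a base
# tool set, creates the `quackerd` user, sets both passwords, moves sshd to
# port 77 and rewrites the firewalld/SELinux policy to match.
#
# Required variables (pass with -e or an inventory/vars file):
#   target        - host or group pattern to run against
#   root_password - clear-text root password, hashed on the controller
#   user_password - clear-text password for quackerd, hashed on the controller
#   user_salt     - salt for both password_hash calls; a fixed salt keeps the
#                   resulting shadow entries stable between runs
# Also expects a public key at ../ssh_pub, relative to the playbook directory.
#
# any_errors_fatal aborts the play on the first failing host so a partially
# configured box (firewall up, sshd still on 22) is not left behind.
- hosts: '{{ target }}'
  gather_facts: false
  become: true
  remote_user: root
  any_errors_fatal: true

  tasks:
    # firewalld is stopped first so the rule changes below can be made with
    # offline: true and become active all at once when it is started again.
    - name: stop firewalld
      service:
        name: firewalld
        state: stopped

    - name: dnf add repo
      get_url:
        url: "https://download.docker.com/linux/centos/docker-ce.repo"
        dest: /etc/yum.repos.d/docker-ce.repo

    - name: dnf install epel
      dnf:
        name: "epel-release"
        state: latest

    # Full system upgrade; "*" must stay quoted or YAML reads it as an alias.
    - name: dnf update
      dnf:
        name: "*"
        state: latest

    - name: dnf install
      dnf:
        name:
          - git
          - vim
          - curl
          - yum-utils
          - policycoreutils-python-utils  # presumably for the seport task below
          - zsh
          - docker-ce
        state: latest
        update_cache: true

    # Both accounts are hashed with the same caller-supplied salt (user_salt),
    # so the two shadow entries share a salt; update_password: always forces
    # the root hash to be rewritten on every run.
    - name: Change root password
      user:
        name: root
        update_password: always
        password: "{{ root_password | password_hash('sha512', user_salt) }}"

    - name: add user
      user:
        name: quackerd
        password: "{{ user_password | password_hash('sha512', user_salt) }}"
        shell: /usr/bin/bash
        groups: wheel
        append: true
        state: present

    # The file lookup runs on the controller, relative to the playbook.
    - name: add user ssh key
      ansible.posix.authorized_key:
        user: quackerd
        state: present
        key: "{{ lookup('file', '../ssh_pub') }}"

    # Rewrites (or uncomments) one sshd_config directive per loop item. The
    # regexp is anchored with a trailing whitespace so a key such as `Port`
    # can only match its own directive, not a longer one sharing the prefix.
    # validate runs `sshd -t` on the candidate file so a bad edit is never
    # written to the live config. Root is limited to key-based login
    # (without-password is a synonym of prohibit-password); password
    # authentication stays enabled for quackerd by design.
    # NOTE(review): on releases whose sshd_config begins with
    # `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in file could still
    # override these values - confirm for the target OS.
    - name: configure sshd
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: '^(#)?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      loop:
        - { key: "PermitRootLogin", value: "without-password" }
        - { key: "PasswordAuthentication", value: "yes" }
        - { key: "Port", value: "77" }

    # Only edits /etc/selinux/config; the running mode is not switched in this
    # play, so enforcing takes effect from the next boot.
    - name: enable selinux
      lineinfile:
        path: "/etc/selinux/config"
        regexp: "^(#)?{{ item.key }}=.*"
        line: "{{ item.key }}={{ item.value }}"
        state: present
      loop:
        - { key: "SELINUX", value: "enforcing" }

    # Label 77/tcp as an SSH port so sshd is permitted to bind it.
    - name: configure selinux
      seport:
        ports: 77
        proto: tcp
        setype: ssh_port_t
        state: present

    # firewalld is stopped at this point, so every rule is written with
    # offline: true to the permanent configuration and picked up on start.
    - name: allow ssh port in firewalld
      ansible.posix.firewalld:
        port: 77/tcp
        permanent: true
        state: enabled
        offline: true

    - name: disallow cockpit in firewalld
      ansible.posix.firewalld:
        service: cockpit
        permanent: true
        state: disabled
        offline: true

    - name: disallow dhcpv6-client in firewalld
      ansible.posix.firewalld:
        service: dhcpv6-client
        permanent: true
        state: disabled
        offline: true

    # After the firewall starts below, new connections on 22 are no longer
    # admitted while sshd keeps listening there until the final reload;
    # later runs against this host must set ansible_port to 77.
    - name: disallow default ssh port
      ansible.posix.firewalld:
        service: ssh
        permanent: true
        state: disabled
        offline: true

    - name: enable docker
      service:
        name: docker
        state: started
        enabled: true

    # Brings the firewall back with the permanent rules written above.
    - name: start firewalld
      service:
        name: firewalld
        state: started
        enabled: true

    # Reload rather than restart so the session this play runs over is kept;
    # new sessions must use port 77 from here on.
    - name: reload sshd
      service:
        name: sshd
        state: reloaded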