technolog/ansible
1
0
Fork 0
Code Issues Pull Requests Activity

Created compliance script

Browse Source
This commit is contained in:
iRaven 2024-04-25 02:08:36 -05:00
parent 18ccf9a6ec
commit 9d10bb93c8
1 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
linux/compliance.yaml Normal file
View File

@ -0,0 +1,67 @@
---
## Checks/deploys a Linux system to be managed with Ansible.
- hosts: all
gather_facts: yes
become: yes
tasks:
# User account (ansible) configuration
- name: Add deployment user.
user:
name: ansible
state: present
# Ansible user SSH pub key
- name: Add deployment user's SSH key.
ansible.posix.authorized_key:
user: ansible
state: present
key: "{{ ansiblesvc_key }}"
# Give ansible sudo rights with no password required.
- name: Add sudo rights with no password for deployment user.
lineinfile:
dest: /etc/sudoers
regexp: '^ansible'
line: 'johndoe ALL=(ALL) NOPASSWD: ALL'
state: present
validate: 'visudo -cf %s'
# Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
- name: Stop and disable firewalld.
service:
name: firewalld
state: stopped
enabled: False
ignore_errors: True
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
user:
name: nhadmin
state: present
password: "{{ nhadmin_password | password_hash('sha512') }}"
# add to sudo
groups: sudo
append: yes
# SSH config updating
- name: Update SSH configuration to be more secure.
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
notify: restart ssh
# Delete our network ansible key from the root user.
- name: Delete our network ansible key from the root user.
ansible.builtin.file:
path: /root/.ssh/authorized_keys
state: absent
ignore_errors: yes