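---
# Baseline access hardening for every managed host: install the operator's
# ssh keys for the ansible user, grant that user sudo via a sudoers drop-in,
# and turn off password-based ssh logins. Files that can lock an operator
# out (sudoers, sshd_config) are syntax-checked before being written, and
# sshd is reloaded so the sshd_config changes actually take effect.
- name: 'Configure access permissions'
  hosts: 'all'

  vars:
    # With exclusive=true, authorized_key removes every key that is not in
    # ssh_public_keys from the target user's authorized_keys. Keep it true so
    # stale keys are revoked; the first task below guards against an empty
    # key set wiping access entirely.
    ssh_public_keys_exclusive: true

  tasks:
    # ssh_public_keys is not defined in this play and is expected to come
    # from inventory/group vars. An undefined or empty value combined with
    # exclusive=true would remove all keys from the ansible user, so stop
    # early with a clear message instead.
    - name: 'Verify ssh public keys are provided'
      ansible.builtin.assert:
        that:
          - ssh_public_keys is defined
          - ssh_public_keys | length > 0
        fail_msg: 'ssh_public_keys must be defined and non-empty before keys are installed exclusively'

    - name: 'Install ssh keys in target system'
      ansible.posix.authorized_key:
        user: '{{ ansible_user }}'
        key: '{{ ssh_public_keys }}'
        exclusive: '{{ ssh_public_keys_exclusive }}'

    - name: 'Allow ansible user to use sudo'
      become: true
      ansible.builtin.template:
        src: 'sudoers.d/ansible.j2'
        dest: '/etc/sudoers.d/ansible'
        owner: 'root'
        group: 'root'
        # Symbolic mode (0640) keeps the drop-in unreadable by others; sudo
        # ignores drop-ins that are writable by group or others.
        mode: 'u=rw,g=r,o='
        # A syntax error in a sudoers drop-in breaks sudo for every user on
        # the host. visudo -c checks the rendered template before it is moved
        # into place; the task fails instead of installing a broken file.
        validate: '/usr/sbin/visudo -cf %s'

    # NOTE(review): lineinfile replaces only the last match and appends at
    # end of file when no match exists. If sshd_config ends with a Match
    # block, or a drop-in under /etc/ssh/sshd_config.d sets the same
    # directive first, the effective value may differ from what is written
    # here — verify with `sshd -T` on the target.
    - name: 'Disallow ssh password login'
      become: true
      ansible.builtin.lineinfile:
        path: '/etc/ssh/sshd_config'
        regexp: '^#?PasswordAuthentication '
        line: 'PasswordAuthentication no'
        # sshd -t refuses a config it cannot parse, so a bad edit never
        # reaches the live file (which would lock out ssh on the next restart).
        validate: '/usr/sbin/sshd -t -f %s'
      notify: 'Reload sshd'

    # PasswordAuthentication=no alone does not stop password prompts that PAM
    # delivers through keyboard-interactive authentication on distributions
    # where that is enabled; disable it explicitly as well. Older OpenSSH
    # releases know the same setting as ChallengeResponseAuthentication.
    - name: 'Disallow ssh keyboard-interactive password login'
      become: true
      ansible.builtin.lineinfile:
        path: '/etc/ssh/sshd_config'
        regexp: '^#?KbdInteractiveAuthentication '
        line: 'KbdInteractiveAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: 'Reload sshd'

    - name: 'Disallow ssh root login without key'
      become: true
      ansible.builtin.lineinfile:
        path: '/etc/ssh/sshd_config'
        regexp: '^#?PermitRootLogin '
        line: 'PermitRootLogin prohibit-password'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: 'Reload sshd'

  handlers:
    # sshd only re-reads sshd_config on reload/restart; without this the
    # hardening above is inert until the next reboot. A reload keeps existing
    # sessions (including the one running this play) open.
    # NOTE(review): the unit is named 'sshd' on RHEL-family hosts; Debian and
    # Ubuntu call it 'ssh' (recent releases also ship an 'sshd' alias) —
    # adjust for your inventory if the handler fails to find the service.
    - name: 'Reload sshd'
      become: true
      ansible.builtin.service:
        name: 'sshd'
        state: 'reloaded'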