first commit

playbook.yml

@@ -0,0 +1,122 @@
+#################################################
+# DO Community Playbooks: Initial Server Setup
+#################################################
+---
+- hosts: all
+  become: true
+  vars_files:
+    - vars/default.yml
+
+  tasks:
+#    - name: Install Prerequisites
+#      apt: name=aptitude update_cache=yes state=latest force_apt_get=yes
+
+ #Sudo Group Setup
+    - name: Make sure we have a 'wheel' group
+      group:
+        name: "{{ create_user }}"
+        state: present
+
+#    - name: Allow 'wheel' group to have passwordless sudo
+#      lineinfile:
+#        path: /etc/sudoers
+#        state: present
+#        regexp: '^%wheel'
+#        line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+#        validate: '/usr/sbin/visudo -cf %s'
+
+# User + Key Setup
+    - name: Create a new regular user with sudo privileges
+      user:
+        name: "{{ create_user }}"
+        state: present
+        groups: "{{ create_user }}"
+        append: true
+        create_home: true
+        shell: /bin/bash
+
+    - name: Set authorized key for remote user
+      authorized_key:
+        user: "{{ create_user }}"
+        state: present
+        key: "{{ copy_local_key }}"
+
+#    - name: Disable password authentication for root
+#      lineinfile:
+#        path: /etc/ssh/sshd_config
+#        state: present
+#        regexp: '^#?PermitRootLogin'
+#        line: 'PermitRootLogin prohibit-password'
+
+# Install Packages
+    - name: Update apt
+      apt: update_cache=yes
+
+#    - name: Install required system packages
+#      apt: name={{ sys_packages }} state=latest
+      
+#    - name: Upgrade installed apt packages 
+#      apt:
+#        upgrade: dist
+#      register: upgrade
+#      retries: 15
+#      delay: 5
+#      until: upgrade is success
+
+      
+    - name: Ensure that these software packages are installed
+      apt:
+        pkg:
+          - build-essential
+#          - fail2ban
+#          - needrestart
+#          - pwgen
+#          - resolvconf
+#          - unbound
+          - unzip
+        state: latest
+        
+    - name: Set ssh '{{ ssh_port }}' port number
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: 'Port '
+        line: 'Port {{ ssh_port }}'
+        state: present
+      notify:
+        - restart sshd
+
+        
+    - name: Allow ssh port '{{ ssh_port }}'.
+      ufw:
+        rule: allow
+        proto: tcp
+        port: '{{ ssh_port }}'
+        state: enabled
+        
+      
+    - name: set timezone
+      timezone:
+        name: "{{ tmzone }}"
+      
+# UFW Setup
+    - name: UFW - Allow SSH connections
+      ufw:
+        rule: allow
+        name: OpenSSH
+
+    - name: UFW - Deny all other incoming traffic by default
+      ufw:
+        state: enabled
+        policy: deny
+        direction: incoming
+
+        
+  handlers:
+    - name: restart sshd
+      service:
+        name: sshd
+        state: restarted
+        debug:
+         msg: "Restarting sshd"        
+#      when: reboot_required.stat.exists == false
+