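---
# Bootstrap a fresh Debian/Ubuntu host: set the root and admin credentials,
# give the admin user key-based SSH access and a sudoers.d entry, install base
# packages, enable a default-deny firewall and harden sshd.
# Credentials and per-host extras are read from secrets.yml (see below).
- name: bootstrap host
  hosts: all
  become: true
  become_user: root
  vars:
    # Port sshd listens on after the run. ufw is opened for this port before
    # sshd is reconfigured; with a default-deny policy, port 22 stops
    # accepting connections once this is changed and sshd restarts.
    SSH_PORT: 22
    DEFAULT_PACKAGES:
      - ufw
      # NOTE(review): fail2ban's stock sshd jail presumably watches the
      # standard ssh port; if SSH_PORT is changed the jail port needs
      # updating separately -- confirm against the installed jail config.
      - fail2ban
  tasks:
    # Expected to define ADMIN_USERNAME, ADMIN_PASSWORD, ROOT_PASSWORD and
    # PUBLIC_KEYS (a list of public-key file paths read via lookup('file'));
    # EXTRA_PACKAGES is optional. Keep this file encrypted with ansible-vault,
    # not committed in the clear.
    - include_vars: secrets.yml

    - debug:
        msg: "Admin username {{ ADMIN_USERNAME }}"
    - debug:
        msg: "Ssh port {{ SSH_PORT }}"

    # password_hash() draws a fresh random salt on every run, so both user
    # tasks always report "changed" and rewrite the hash. Passing a fixed salt
    # as password_hash's second argument would make them idempotent.
    - name: change root password
      user:
        name: root
        password: "{{ ROOT_PASSWORD | password_hash('sha512') }}"
      no_log: true  # keep plaintext and hash out of verbose task output

    - name: add admin user
      user:
        name: "{{ ADMIN_USERNAME }}"
        password: "{{ ADMIN_PASSWORD | password_hash('sha512') }}"
        shell: /bin/bash
      no_log: true

    - name: add authorized keys for admin user
      authorized_key:
        user: "{{ ADMIN_USERNAME }}"
        key: "{{ lookup('file', item) }}"
      with_items: "{{ PUBLIC_KEYS }}"

    - name: create sudoers.d directory
      file:
        path: /etc/sudoers.d
        owner: root
        group: root
        # Quoted: a bare 0755 is read as the octal integer 493 by YAML 1.1
        # parsers, which only works by coincidence.
        mode: "0755"
        state: directory

    - name: set includedir in sudoers
      lineinfile:
        dest: /etc/sudoers
        line: "#includedir /etc/sudoers.d"
        state: present
        # visudo checks the candidate file before it replaces /etc/sudoers,
        # so a syntax error cannot lock root out of sudo.
        validate: "/usr/sbin/visudo -cf %s"

    - name: create sudoer file for admin
      template:
        src: sudoers.d.j2
        dest: "/etc/sudoers.d/{{ ADMIN_USERNAME }}"
        mode: "0440"
        owner: root
        group: root
        validate: "/usr/sbin/visudo -cf %s"

    - name: update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: upgrade APT to the latest packages
      apt:
        upgrade: safe

    # with_items must be given the list expression, not the bare variable
    # name: a bare name is deprecated and on current Ansible iterates over
    # the literal string "DEFAULT_PACKAGES" instead of the package list.
    - name: install required packages
      apt:
        state: present
        pkg: "{{ item }}"
      with_items: "{{ DEFAULT_PACKAGES }}"

    - name: install extra packages defined in secrets.yml
      apt:
        state: present
        pkg: "{{ item }}"
      with_items: "{{ EXTRA_PACKAGES | default([]) }}"

    # The SSH allow rule is registered before ufw is enabled with a deny
    # policy, so there is no window in which new SSH sessions are refused.
    - name: allow ssh traffic
      ufw:
        rule: allow
        port: "{{ SSH_PORT }}"
        proto: tcp

    - name: setup ufw
      ufw:
        state: enabled
        policy: deny

    # sshd keeps the first value it reads for an option. On hosts whose
    # sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", a
    # drop-in there can override the three settings below -- check those
    # files as well. "sshd -t -f" validates the candidate file before it is
    # written so a broken config never reaches the restart handler.
    - name: change ssh port
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'  # single quotes: "\s" is not a valid YAML escape
        line: "Port {{ SSH_PORT }}"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh

    - name: disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh

    - name: disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: "PermitRootLogin no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted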