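---
# Baseline for freshly provisioned RHEL 9-compatible hosts: DNF tuning, full
# update + reboot, one admin account with key-only SSH and passwordless sudo,
# SSH password logins disabled, a few utilities, unattended updates, Tailscale.
#
# Required extra var: created_username (non-empty string). Example invocation
# (constructed): ansible-playbook site.yml -e created_username=<user>
# Needs the ansible.posix collection (authorized_key) and a readable
# $HOME/.ssh/id_ed25519.pub on the controller.
- name: RHEL-compatible server setup
  hosts: new-rhel-servers
  gather_facts: true
  become: true

  vars:
    # created_username is deliberately NOT declared here. A bare
    # `created_username:` parses as null (the account, sudoers file and task
    # names would then render as "None"), and play-level vars outrank
    # inventory/host_vars, so declaring it would also silently shadow any value
    # set there. The pre_task below aborts the play if it is missing.
    tailscale_repo_url: "https://pkgs.tailscale.com/stable/rhel/9/tailscale.repo"

  pre_tasks:
    # Runs under every tag selection (tags: always) so a --tags run cannot
    # skip the check and reach the user/sudoers tasks with an empty name.
    - name: Verify created_username was supplied
      tags: [always]
      ansible.builtin.assert:
        that:
          - created_username is defined
          - created_username | string | length > 0
        fail_msg: "created_username must be set (e.g. -e created_username=<user>); it names the admin account, its authorized key and its sudoers entry."

  handlers:
    # sshd only re-reads sshd_config on reload/restart; without this the
    # PermitRootLogin/PasswordAuthentication changes below would not take
    # effect until the next reboot. A reload keeps the current session alive.
    - name: Reload sshd
      ansible.builtin.systemd:
        name: sshd.service
        state: reloaded

  tasks:
    - name: Configure DNF plugins
      ansible.builtin.blockinfile:
        path: /etc/dnf/dnf.conf
        state: present
        block: |
          fastestmirror=True
          deltarpm=True
          max_parallel_downloads=10

    # state: latest on "*" is a full upgrade; it reports "changed" whenever any
    # package moves, so this play is not idempotent by design.
    - name: Update system
      ansible.builtin.dnf:
        name: "*"
        state: latest

    - name: Reboot the machine (Wait for 5 minutes)
      tags: [reboot]
      ansible.builtin.reboot:
        reboot_timeout: 300

    - name: Create a new user
      ansible.builtin.user:
        name: "{{ created_username }}"
        state: present
        create_home: true

    # The key is read on the controller (lookup runs locally), so the play's
    # operator must hold the matching private key to log in afterwards.
    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"

    # Full passwordless sudo is intentional for this single-admin baseline;
    # narrow the command list if the host becomes multi-user. sudo ignores
    # sudoers.d entries whose file name contains a "." or ends in "~", so a
    # username with a dot would make this entry silently inert.
    - name: Setup passwordless sudo for {{ created_username }}
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ created_username }}"
        state: present
        create: true
        mode: "0440"
        line: "{{ created_username }} ALL=(ALL) NOPASSWD: ALL"
        validate: "/usr/sbin/visudo -cf %s"

    # The three sshd_config edits share one validate/notify pattern: sshd -t
    # rejects a broken file before it is installed, and the handler reloads
    # sshd once at the end of the play.
    # NOTE(review): RHEL 9's sshd_config starts with an Include of
    # /etc/ssh/sshd_config.d/*.conf and sshd keeps the FIRST value of each
    # option, so a drop-in there can override these lines — confirm on a target.
    - name: Disable password authentication for root
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin prohibit-password"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Reload sshd

    - name: Disable password authentication for other users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Reload sshd

    - name: Enable public key authentication for all users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PubkeyAuthentication"
        line: "PubkeyAuthentication yes"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Reload sshd

    # epel-release must be installed before the EPEL-only packages in the next
    # task can be resolved, hence the split into two dnf calls.
    - name: Install essential packages
      ansible.builtin.dnf:
        name:
          - epel-release
          - git
          - vim
          - firewalld
          - dnf-automatic
        state: latest
        update_cache: true

    - name: Install EPEL packages
      ansible.builtin.dnf:
        name:
          - atop
          - bat
          - exa
          - fail2ban
          - fd-find
          - htop
          - lynis
          - ncdu
          - nethogs
          - ripgrep
          - tldr
          - tuptime
        state: latest
        update_cache: true

    # NOTE(review): nothing here writes a fail2ban jail.local; on RHEL/EPEL the
    # shipped jails are disabled by default, so the service may run with no
    # active jail — verify with `fail2ban-client status` after the play.
    - name: Enable and start systemd services and timers
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - atop.service
        - atop-rotate.timer
        - dnf-automatic.timer
        - fail2ban.service
        - firewalld.service
        - tuptime.service
        - tuptime-sync.timer

    # "apply_updates = yes" is the literal dnf-automatic config syntax, not a
    # YAML boolean; it must stay a quoted string.
    - name: Set dnf-automatic to apply updates automatically
      ansible.builtin.lineinfile:
        path: /etc/dnf/automatic.conf
        state: present
        regexp: "^#?apply_updates"
        line: "apply_updates = yes"

    # Fetch the .repo file directly instead of shelling out to
    # `dnf config-manager --add-repo`: no dependency on dnf-plugins-core,
    # honours check mode, and reports changed only when the file changes.
    - name: Setup Tailscale repository
      tags: [tailscale]
      ansible.builtin.get_url:
        url: "{{ tailscale_repo_url }}"
        dest: /etc/yum.repos.d/tailscale.repo
        mode: "0644"

    - name: Install Tailscale
      tags: [tailscale]
      ansible.builtin.dnf:
        name: tailscale
        update_cache: true
        state: latest

    # Starts the daemon only; the node is not joined to a tailnet here
    # (no `tailscale up`), which needs an auth key supplied by the operator.
    - name: Start and enable Tailscale systemd service
      tags: [tailscale]
      ansible.builtin.systemd:
        name: tailscaled.service
        state: started
        enabled: true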