First commit. Added Debian 12 OpenVZ

This commit is contained in:
Doc
2025-12-09 16:27:54 -05:00
parent aaf4311e50
commit de5125048e
2 changed files with 96 additions and 1 deletions


@@ -1,3 +1,10 @@
# bootstraps4ansible # bootstraps4ansible
A collection of scripts for bootstrapping Ansible on various machines. A collection of scripts for bootstrapping Ansible on various machines.
| Script | Description |
| --------------------------------- | ------------------------------- |
| [bootstrap-vps-debian12][vzdeb12] | Debian 12 OpenVZ container |
[vzdeb12]: scripts/bootstrap-vps-debian12.sh


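--- a/scripts/bootstrap-vps-debian12.sh
+++ b/scripts/bootstrap-vps-debian12.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+#
+# https://gitea.wolfeden.online/Doc/bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
+#
+# Bootstrap a clean system for use with Ansible
+if [[ "${UID}" -ne 0 ]]; then
+echo " You need to run this script as root"
+exit 1
+fi
+ANSIUSER=ansiuser
+ANSIUSERDIR=/home/$ANSIUSER
+TMP_PORT=46347
+# Update to current
+apt update && apt upgrade -y --no-recommends
+# Install requirements
+apt install -y --no-recommends openssh-client openssh-server sudo
+# Create a user for Ansible
+useradd -m -s /bin/bash -c "Ansible User" $ANSIUSER
+echo "Configuring sudo for user $ANSIUSER"
+usermod -aG sudo $ANSIUSER
+mkdir -p /etc/sudoers.d
+cat << EOF > /etc/sudoers.d/99-ansible-user
+$ANSIUSER ALL=(ALL) NOPASSWD:ALL
+EOF
+echo ""
+mkdir -p $ANSIUSERDIR/.ssh
+# Prompt to paste public key
+echo "Paste public key for $ANSIUSER. Ctl+d when done." ; cat >> $ANSIUSERDIR/.ssh/authorized_keys
+echo ""
+echo "Configuring ssh..."
+chown -Rc ${ANSIUSER}:${ANSIUSER} $ANSIUSERDIR/.ssh
+chmod 700 $ANSIUSERDIR/.ssh && chmod 600 $ANSIUSERDIR/.ssh/authorized_keys
+rm -rf /etc/ssh/sshd_config.d/*.*
+cat << EOF > /etc/ssh/sshd_config
+Include /etc/ssh/sshd_config.d/*.conf
+PermitEmptyPasswords no
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+UsePAM yes
+# Change port to temp reduce attacks before Ansible connects
+Port $TMP_PORT
+MaxAuthTries 3
+KbdInteractiveAuthentication no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+cat << EOF > /etc/ssh/sshd_config.d/enable_$ANSIUSER.conf
+AllowUsers $ANSIUSER
+EOF
+if command -v ufw &> /dev/null; then
+echo "Opening port $TMP_PORT with ufw..."
+ufw allow $TMP_PORT/tcp comment 'Allow temporary SSH port'
+elif command -v firewall-cmd &> /dev/null; then
+echo "Opening port $TMP_PORT with firewalld..."
+firewall-cmd --permanent --add-port=$TMP_PORT/tcp
+firewall-cmd --reload
+elif command -v iptables &> /dev/null; then
+echo "Temporarily opening port $TMP_PORT with iptables (this session only)..."
+iptables -I INPUT -p tcp --dport $TMP_PORT -j ACCEPT
+fi
+echo "User: $ANSIUSER"
+echo "Port: $TMP_PORT"
+echo ""
+# Partially redact authorized_keys
+echo "--- Authorized Keys ---"
+grep -Poi 'ssh\-.*' $ANSIUSERDIR/.ssh/authorized_keys | awk '{ print $1, substr($2, 1, 4)".."substr($2, length($2) - 3, 4), $3 }'
+echo "-----------------------"
+echo ""
+echo "Restarting SSH server and ending script"
+systemctl restart sshd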
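Review bot: Nothing guards the sshd rewrite against an empty paste: if the operator presses Ctrl-D at the `cat >> $ANSIUSERDIR/.ssh/authorized_keys` prompt without a key, the script still writes `PasswordAuthentication no` / `PermitRootLogin no` and restarts sshd, which locks everyone out of the container. Before the `cat << EOF > /etc/ssh/sshd_config` step, confirm a usable key was recorded and validate the generated config before restarting, e.g. `ssh-keygen -l -f "$ANSIUSERDIR/.ssh/authorized_keys" >/dev/null || { echo "no valid public key recorded; aborting" >&2; exit 1; }` and `sshd -t || exit 1` immediately before `systemctl restart sshd`. Two related issues in the same hunk: the sudoers drop-in is created with the shell's default umask (typically 0644), which sudo is known to refuse for files under sudoers.d (it expects 0440), so add `chmod 0440 /etc/sudoers.d/99-ansible-user` and check it with `visudo -cf /etc/sudoers.d/99-ansible-user`; and `--no-recommends` on the two apt lines does not appear to be a valid apt option (the long form is `--no-install-recommends`), so those installs likely fail, and with no `set -euo pipefail` the script carries on to reconfigure sshd regardless.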