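---
# Creates a sudo-capable user "cloudgenius" with an SSH public key, then hardens
# sshd. Debian-family is assumed (packages via apt, service unit named "ssh").
# Task order matters: the key is installed before password authentication is
# disabled, and sshd is only restarted once by the handler at the end of the play.
- name: configure a user
  hosts: ansibleexample
  become: true
  gather_facts: false
  vars:
    # created with: openssl passwd -1 "123"
    # NOTE(review): "-1" is MD5-crypt and the cleartext is a trivial password;
    # regenerate with `openssl passwd -6` (sha512-crypt) and keep the hash in
    # Ansible Vault instead of committing it to this file.
    cloudgenius_password: '$1$Aj02So58$YWne25ZH80FNjvTM.AkMO/'
  tasks:
    - name: Install the package "sudo"
      apt:
        name: sudo
        state: present

    - name: Add user cloudgenius
      user:
        name: cloudgenius
        password: "{{ cloudgenius_password }}"
        shell: /bin/bash
        groups: root
        append: true
      # keep the password hash out of play output and logs
      no_log: true

    - name: Add user cloudgenius to sudoers
      lineinfile:
        path: /etc/sudoers
        regexp: '^cloudgenius ALL'
        # NOPASSWD grants root without a credential prompt; keep only if intended
        line: 'cloudgenius ALL=(ALL) NOPASSWD: ALL'
        state: present
        # a syntax error in sudoers disables sudo for everyone; check the
        # candidate file before it replaces the real one
        validate: 'visudo -cf %s'

    - name: Add SSH public key to user cloudgenius in remote machine
      authorized_key:
        user: cloudgenius
        # the file lookup reads from the controller, not the managed host
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: present

    # The three sshd_config edits below match only uncommented directives; an
    # unmatched directive is appended at end of file. NOTE(review): on releases
    # whose sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", a
    # drop-in file may take precedence over these lines — confirm on the target.
    - name: Disallow root SSH access
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        # refuse a config sshd cannot parse, so the restart cannot lock us out
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    - name: Disallow SSH password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    - name: Totally block root access
      file:
        path: /root/.ssh/authorized_keys
        state: absent

    - name: Disallow SSH GSS API authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^GSSAPIAuthentication'
        line: 'GSSAPIAuthentication no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

  handlers:
    # runs once at the end of the play, after all notifying tasks
    - name: restart ssh
      service:
        name: ssh
        state: restarted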