diff --git a/linux/compliance.yaml b/linux/compliance.yaml index 334e63d..a81542f 100644 --- a/linux/compliance.yaml +++ b/linux/compliance.yaml @@ -9,10 +9,82 @@ ansible_become_method: doas when: "ansible_distribution == 'Alpine'" - - name: "Set become to true" + - name: "Set become to true if we are not root" set_fact: ansible_become: true when: "ansible_user_id != 'root'" - + + # User account (ansible) configuration + - name: Add deployment user. + user: + name: ansible + state: present + + # Ansible user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for deployment user. + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible + - name: Add deployment user's SSH key. + copy: + content: "{{ ansiblesvc_key }}" + dest: /home/ansible/.ssh/authorized_keys + owner: ansible + group: ansible + + # User account (nhadmin) configuration, for sysadmin use + - name: Create user nhadmin. + user: + name: nhadmin + state: present + password: "{{ nhadmin_password | password_hash('sha512') }}" + shell: /bin/bash + + # Sysadmin user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for nhadmin. + file: + path: /home/nhadmin/.ssh + state: directory + owner: nhadmin + group: nhadmin + - name: Add nhadmin user's SSH key. + copy: + content: "{{ nhadmin_key }}" + dest: /home/nhadmin/.ssh/authorized_keys + owner: nhadmin + group: nhadmin + + # SSH config updating + - name: Update SSH configuration to disallow root login and disable password authentication. + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -t -f %s' + with_items: + - regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PubkeyAuthentication" + line: "PubkeyAuthentication yes" + - name: Restart SSH service. + service: + name: sshd + state: restarted + + # Delete our network ansible key from the root user. + - name: Delete our network ansible key (and other keys) from the root user. + file: + path: /root/.ssh/authorized_keys + state: absent + - name: "Include OS specific tasks" ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml" \ No newline at end of file diff --git a/linux/compliance_Alpine.yaml b/linux/compliance_Alpine.yaml index 6daf638..a0145d5 100644 --- a/linux/compliance_Alpine.yaml +++ b/linux/compliance_Alpine.yaml @@ -1,50 +1,11 @@ --- -## Checks/deploys a Linux system to be managed with Ansible. - -- name: Gather all system groups - ansible.builtin.getent: - database: group - split: ':' - -# Add doas package -- name: Install doas (for Alpine systems). - ansible.builtin.package: - name: - - doas - state: present - -# User account (ansible) configuration -- name: Add deployment user. - user: - name: ansible - state: present -- name: Add deployment user to wheel group. - user: - name: ansible - groups: wheel - append: yes - # when: "'wheel' in ansible_facts.getent_group" - -# Ansible user SSH pub key -# This is a really stupid way to do it, but alas. -# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. -- name: Create ssh directory for deployment user. - file: - path: /home/ansible/.ssh - state: directory - owner: ansible - group: ansible -- name: Add deployment user's SSH key. - copy: - content: "{{ ansiblesvc_key }}" - dest: /home/ansible/.ssh/authorized_keys - owner: ansible - group: ansible +## Checks/deploys an Alpine Linux system to be managed with Ansible. - name: Install standard packages if not already installed. # Looking at you LXCs. >.> ansible.builtin.package: name: + - doas - curl - net-tools - wget @@ -54,63 +15,17 @@ state: present # Give ansible doas rights with no password required. -- name: Add doas rights with no password for deployment user (Alpine only) +- name: Add doas rights with no password for deployment user lineinfile: dest: /etc/doas.conf regexp: '^ansible' line: 'permit keepenv nopass :ansible' state: present validate: 'doas -C %s' -# User account (nhadmin) configuration, for sysadmin use -- name: Create user nhadmin. - user: - name: nhadmin - state: present - password: "{{ nhadmin_password | password_hash('sha512') }}" - shell: /bin/bash + - name: Add nhadmin to wheel group. user: name: nhadmin groups: wheel append: yes - # when: "'wheel' in ansible_facts.getent_group" - -# Sysadmin user SSH pub key -# This is a really stupid way to do it, but alas. -# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. -- name: Create ssh directory for nhadmin. - file: - path: /home/nhadmin/.ssh - state: directory - owner: nhadmin - group: nhadmin -- name: Add nhadmin user's SSH key. - copy: - content: "{{ nhadmin_key }}" - dest: /home/nhadmin/.ssh/authorized_keys - owner: nhadmin - group: nhadmin -# SSH config updating -- name: Update SSH configuration to disallow root login and disable password authentication. - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -t -f %s' - with_items: - - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PubkeyAuthentication" - line: "PubkeyAuthentication yes" -- name: Restart SSH service. - service: - name: sshd - state: restarted -# Delete our network ansible key from the root user. -- name: Delete our network ansible key (and other keys) from the root user. - file: - path: /root/.ssh/authorized_keys - state: absent \ No newline at end of file + when: "'wheel' in ansible_facts.getent_group" \ No newline at end of file diff --git a/linux/compliance_Debian.yaml b/linux/compliance_Debian.yaml index 9219d8c..79f54f4 100644 --- a/linux/compliance_Debian.yaml +++ b/linux/compliance_Debian.yaml @@ -1,155 +1,58 @@ --- -## Checks/deploys a Linux system to be managed with Ansible. +## Checks/deploys a Debian Linux system to be managed with Ansible. -- hosts: all - gather_facts: yes - become: yes +# Add sudo package +- name: Install sudo if not already installed. +# Looking at you LXCs. >.> + ansible.builtin.package: + name: + - sudo + state: present - tasks: +# APT Cacher-NG Configuration +- name: Add APT-Cacher-NG Configuration + copy: + content: "{{ aptcacher_config }}" + dest: /etc/apt/apt.conf.d/proxy +- name: Remove redundant APT configuration + file: + path: /etc/apt/apt.conf + state: absent - # Gather system groups - - name: Gather all system groups - ansible.builtin.getent: - database: group - split: ':' - - # Add sudo package - - name: Install sudo if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - sudo - state: present - - # APT Cacher-NG Configuration - - name: Add APT-Cacher-NG Configuration - copy: - content: "{{ aptcacher_config }}" - dest: /etc/apt/apt.conf.d/proxy - - - name: Remove redundant APT configuration - file: - path: /etc/apt/apt.conf - state: absent - - # Update apt package lists after adding our proxy - - name: Update apt repo package lists from cacher - apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 +# Update apt package lists after adding our proxy +- name: Update apt repo package lists from cacher + apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 - # User account (ansible) configuration - - name: Add deployment user. - user: - name: ansible - state: present +# Add required packages because Debian is lame +- name: Install standard packages if not already installed. + ansible.builtin.package: + name: + - curl + - net-tools + - wget + - iftop + - htop + state: present - # Ansible user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for deployment user. - file: - path: /home/ansible/.ssh - state: directory - owner: ansible - group: ansible +# Give ansible sudo rights with no password required. +- name: Add sudo rights with no password for deployment user. + lineinfile: + dest: /etc/sudoers + regexp: '^ansible' + line: 'ansible ALL=(ALL) NOPASSWD: ALL' + state: present + validate: 'visudo -cf %s' - - name: Add deployment user's SSH key. - copy: - content: "{{ ansiblesvc_key }}" - dest: /home/ansible/.ssh/authorized_keys - owner: ansible - group: ansible - # shell: - # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys - # creates: /home/ansible/.ssh/authorized_keys +- name: Add nhadmin to sudo group. + user: + name: nhadmin + groups: sudo + append: yes + when: "'sudo' in ansible_facts.getent_group" - # Add required packages because Debian is lame - - name: Install standard packages if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - curl - - net-tools - - wget - - iftop - state: present - - # Give ansible sudo rights with no password required. - - name: Add sudo rights with no password for deployment user. - lineinfile: - dest: /etc/sudoers - regexp: '^ansible' - line: 'ansible ALL=(ALL) NOPASSWD: ALL' - state: present - validate: 'visudo -cf %s' - - # User account (nhadmin) configuration, for sysadmin use - - name: Create user nhadmin. - user: - name: nhadmin - state: present - password: "{{ nhadmin_password | password_hash('sha512') }}" - shell: /bin/bash - - - name: Add nhadmin to sudo group. - user: - name: nhadmin - groups: sudo - append: yes - when: "'sudo' in ansible_facts.getent_group" - - - name: Add nhadmin to systemd-journal group. - user: - name: nhadmin - groups: systemd-journal - append: yes - when: "'systemd-journal' in ansible_facts.getent_group" - - - # Sysadmin user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for nhadmin. - file: - path: /home/nhadmin/.ssh - state: directory - owner: nhadmin - group: nhadmin - - name: Add nhadmin user's SSH key. - copy: - content: "{{ nhadmin_key }}" - dest: /home/nhadmin/.ssh/authorized_keys - owner: nhadmin - group: nhadmin - # shell: - # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys - # creates: /home/nhadmin/.ssh/authorized_keys - - # SSH config updating - - name: Update SSH configuration to disallow root login and disable password authentication. - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -t -f %s' - with_items: - - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PubkeyAuthentication" - line: "PubkeyAuthentication yes" - - name: Restart SSH service. - service: - name: sshd - state: restarted - - # Delete our network ansible key from the root user. - - name: Delete our network ansible key (and other keys) from the root user. - file: - path: /root/.ssh/authorized_keys - state: absent - - # Upgrade all apt packages for good measure. - - name: Upgrade all apt packages - apt: upgrade=dist force_apt_get=yes \ No newline at end of file +- name: Add nhadmin to systemd-journal group. + user: + name: nhadmin + groups: systemd-journal + append: yes + when: "'systemd-journal' in ansible_facts.getent_group" \ No newline at end of file