Compliance - spreading out tasks

2025-11-30 18:12:30 -06:00
parent 8b9759e1c1
commit 2dc31753d0
3 changed files with 129 additions and 239 deletions
--- a/linux/compliance.yaml
+++ b/linux/compliance.yaml
@@ -9,10 +9,82 @@
        ansible_become_method: doas
      when: "ansible_distribution == 'Alpine'"
    
-    - name: "Set become to true"
+    - name: "Set become to true if we are not root"
      set_fact:
        ansible_become: true
      when: "ansible_user_id != 'root'"
-      
+
+    # User account (ansible) configuration
+    - name: Add deployment user.
+      user:
+        name: ansible
+      state: present
+
+    # Ansible user SSH pub key
+    # This is a really stupid way to do it, but alas.
+    # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
+    - name: Create ssh directory for deployment user.
+      file:
+        path: /home/ansible/.ssh
+        state: directory
+        owner: ansible
+        group: ansible
+    - name: Add deployment user's SSH key.
+      copy:
+        content: "{{ ansiblesvc_key }}"
+        dest: /home/ansible/.ssh/authorized_keys
+        owner: ansible
+        group: ansible
+
+    # User account (nhadmin) configuration, for sysadmin use
+    - name: Create user nhadmin.
+      user:
+        name: nhadmin
+        state: present
+        password: "{{ nhadmin_password | password_hash('sha512') }}"
+        shell: /bin/bash
+
+    # Sysadmin user SSH pub key
+    # This is a really stupid way to do it, but alas.
+    # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
+    - name: Create ssh directory for nhadmin.
+      file:
+        path: /home/nhadmin/.ssh
+        state: directory
+        owner: nhadmin
+        group: nhadmin
+    - name: Add nhadmin user's SSH key.
+      copy:
+        content: "{{ nhadmin_key }}"
+        dest: /home/nhadmin/.ssh/authorized_keys
+        owner: nhadmin
+        group: nhadmin
+        
+    # SSH config updating
+    - name: Update SSH configuration to disallow root login and disable password authentication.
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        state: present
+        validate: 'sshd -t -f %s'
+      with_items:
+        - regexp: "^PermitRootLogin"
+          line: "PermitRootLogin no"
+        - regexp: "^PasswordAuthentication"
+          line: "PasswordAuthentication no"
+        - regexp: "^PubkeyAuthentication"
+          line: "PubkeyAuthentication yes"
+    - name: Restart SSH service.
+      service:
+        name: sshd
+        state: restarted
+
+    # Delete our network ansible key from the root user.
+    - name: Delete our network ansible key (and other keys) from the root user.
+      file:
+        path: /root/.ssh/authorized_keys
+        state: absent
+    
    - name: "Include OS specific tasks"
      ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"