Compliance - spreading out tasks

2025-11-30 18:12:30 -06:00
parent 8b9759e1c1
commit 2dc31753d0
3 changed files with 129 additions and 239 deletions


@@ -9,10 +9,82 @@
ansible_become_method: doas ansible_become_method: doas
when: "ansible_distribution == 'Alpine'" when: "ansible_distribution == 'Alpine'"
- name: "Set become to true" - name: "Set become to true if we are not root"
set_fact: set_fact:
ansible_become: true ansible_become: true
when: "ansible_user_id != 'root'" when: "ansible_user_id != 'root'"
# User account (ansible) configuration
- name: Add deployment user.
user:
name: ansible
state: present
# Ansible user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for deployment user.
file:
path: /home/ansible/.ssh
state: directory
owner: ansible
group: ansible
- name: Add deployment user's SSH key.
copy:
content: "{{ ansiblesvc_key }}"
dest: /home/ansible/.ssh/authorized_keys
owner: ansible
group: ansible
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
user:
name: nhadmin
state: present
password: "{{ nhadmin_password | password_hash('sha512') }}"
shell: /bin/bash
# Sysadmin user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for nhadmin.
file:
path: /home/nhadmin/.ssh
state: directory
owner: nhadmin
group: nhadmin
- name: Add nhadmin user's SSH key.
copy:
content: "{{ nhadmin_key }}"
dest: /home/nhadmin/.ssh/authorized_keys
owner: nhadmin
group: nhadmin
# SSH config updating
- name: Update SSH configuration to disallow root login and disable password authentication.
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^PubkeyAuthentication"
line: "PubkeyAuthentication yes"
- name: Restart SSH service.
service:
name: sshd
state: restarted
# Delete our network ansible key from the root user.
- name: Delete our network ansible key (and other keys) from the root user.
file:
path: /root/.ssh/authorized_keys
state: absent
- name: "Include OS specific tasks" - name: "Include OS specific tasks"
ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml" ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"
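Review bot: The root user's authorized_keys is deleted and sshd restarted (the `Delete our network ansible key` task) before the OS-specific include that, per the other two files in this commit, grants the ansible user its doas/sudo rule, so a failure inside the included file leaves a host with no root key and an unprivileged ansible account; moving the `path: /root/.ssh/authorized_keys` / `state: absent` task after the `include_tasks` line keeps a recovery path. The `.ssh` directories and both `authorized_keys` files are created without `mode`, so they take the umask default; add `mode: '0700'` to the two `file` tasks and `mode: '0600'` to the two `copy` tasks, or use the `authorized_key` module, which sets both. The `lineinfile` hardening appends a directive when `^PermitRootLogin` or `^PasswordAuthentication` only exists commented out, and sshd honours the first value it reads for a keyword, so a drop-in under `/etc/ssh/sshd_config.d/` included earlier in the file would still win — worth a comment on the task, e.g. `# Appended lines lose to earlier sshd_config.d drop-ins; check the rendered config with sshd -T`. The tasks list begins before this hunk.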


@@ -1,50 +1,11 @@
--- ---
## Checks/deploys a Linux system to be managed with Ansible. ## Checks/deploys an Alpine Linux system to be managed with Ansible.
- name: Gather all system groups
ansible.builtin.getent:
database: group
split: ':'
# Add doas package
- name: Install doas (for Alpine systems).
ansible.builtin.package:
name:
- doas
state: present
# User account (ansible) configuration
- name: Add deployment user.
user:
name: ansible
state: present
- name: Add deployment user to wheel group.
user:
name: ansible
groups: wheel
append: yes
# when: "'wheel' in ansible_facts.getent_group"
# Ansible user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for deployment user.
file:
path: /home/ansible/.ssh
state: directory
owner: ansible
group: ansible
- name: Add deployment user's SSH key.
copy:
content: "{{ ansiblesvc_key }}"
dest: /home/ansible/.ssh/authorized_keys
owner: ansible
group: ansible
- name: Install standard packages if not already installed. - name: Install standard packages if not already installed.
# Looking at you LXCs. >.> # Looking at you LXCs. >.>
ansible.builtin.package: ansible.builtin.package:
name: name:
- doas
- curl - curl
- net-tools - net-tools
- wget - wget
@@ -54,63 +15,17 @@
state: present state: present
# Give ansible doas rights with no password required. # Give ansible doas rights with no password required.
- name: Add doas rights with no password for deployment user (Alpine only) - name: Add doas rights with no password for deployment user
lineinfile: lineinfile:
dest: /etc/doas.conf dest: /etc/doas.conf
regexp: '^ansible' regexp: '^ansible'
line: 'permit keepenv nopass :ansible' line: 'permit keepenv nopass :ansible'
state: present state: present
validate: 'doas -C %s' validate: 'doas -C %s'
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
user:
name: nhadmin
state: present
password: "{{ nhadmin_password | password_hash('sha512') }}"
shell: /bin/bash
- name: Add nhadmin to wheel group. - name: Add nhadmin to wheel group.
user: user:
name: nhadmin name: nhadmin
groups: wheel groups: wheel
append: yes append: yes
# when: "'wheel' in ansible_facts.getent_group" when: "'wheel' in ansible_facts.getent_group"
# Sysadmin user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for nhadmin.
file:
path: /home/nhadmin/.ssh
state: directory
owner: nhadmin
group: nhadmin
- name: Add nhadmin user's SSH key.
copy:
content: "{{ nhadmin_key }}"
dest: /home/nhadmin/.ssh/authorized_keys
owner: nhadmin
group: nhadmin
# SSH config updating
- name: Update SSH configuration to disallow root login and disable password authentication.
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^PubkeyAuthentication"
line: "PubkeyAuthentication yes"
- name: Restart SSH service.
service:
name: sshd
state: restarted
# Delete our network ansible key from the root user.
- name: Delete our network ansible key (and other keys) from the root user.
file:
path: /root/.ssh/authorized_keys
state: absent
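Review bot: The `when: "'wheel' in ansible_facts.getent_group"` condition enabled on the `Add nhadmin to wheel group` task reads a fact this file no longer produces, because the `Gather all system groups` getent task is removed from it by the commit; unless the including playbook runs `ansible.builtin.getent` before the include (not visible in the first file's hunk), the task fails on an undefined variable. The two `when:` conditions in the Debian task file have the same dependency. Either restore the getent task at the top of this file or document the requirement: `# Requires ansible_facts.getent_group, gathered by the common compliance tasks`. The doas rule `permit keepenv nopass :ansible` grants passwordless root to every member of group `ansible`, presumably the deployment user's primary group; a one-line comment stating that intent would help, and `append: yes` should be `append: true` to avoid YAML 1.1 truthy spellings.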


@@ -1,155 +1,58 @@
--- ---
## Checks/deploys a Linux system to be managed with Ansible. ## Checks/deploys a Debian Linux system to be managed with Ansible.
- hosts: all # Add sudo package
gather_facts: yes - name: Install sudo if not already installed.
become: yes # Looking at you LXCs. >.>
ansible.builtin.package:
name:
- sudo
state: present
tasks: # APT Cacher-NG Configuration
- name: Add APT-Cacher-NG Configuration
copy:
content: "{{ aptcacher_config }}"
dest: /etc/apt/apt.conf.d/proxy
- name: Remove redundant APT configuration
file:
path: /etc/apt/apt.conf
state: absent
# Gather system groups # Update apt package lists after adding our proxy
- name: Gather all system groups - name: Update apt repo package lists from cacher
ansible.builtin.getent: apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
database: group
split: ':'
# Add sudo package
- name: Install sudo if not already installed.
# Looking at you LXCs. >.>
ansible.builtin.package:
name:
- sudo
state: present
# APT Cacher-NG Configuration
- name: Add APT-Cacher-NG Configuration
copy:
content: "{{ aptcacher_config }}"
dest: /etc/apt/apt.conf.d/proxy
- name: Remove redundant APT configuration
file:
path: /etc/apt/apt.conf
state: absent
# Update apt package lists after adding our proxy
- name: Update apt repo package lists from cacher
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
# User account (ansible) configuration # Add required packages because Debian is lame
- name: Add deployment user. - name: Install standard packages if not already installed.
user: ansible.builtin.package:
name: ansible name:
state: present - curl
- net-tools
- wget
- iftop
- htop
state: present
# Ansible user SSH pub key # Give ansible sudo rights with no password required.
# This is a really stupid way to do it, but alas. - name: Add sudo rights with no password for deployment user.
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. lineinfile:
- name: Create ssh directory for deployment user. dest: /etc/sudoers
file: regexp: '^ansible'
path: /home/ansible/.ssh line: 'ansible ALL=(ALL) NOPASSWD: ALL'
state: directory state: present
owner: ansible validate: 'visudo -cf %s'
group: ansible
- name: Add deployment user's SSH key. - name: Add nhadmin to sudo group.
copy: user:
content: "{{ ansiblesvc_key }}" name: nhadmin
dest: /home/ansible/.ssh/authorized_keys groups: sudo
owner: ansible append: yes
group: ansible when: "'sudo' in ansible_facts.getent_group"
# shell:
# cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys
# creates: /home/ansible/.ssh/authorized_keys
# Add required packages because Debian is lame - name: Add nhadmin to systemd-journal group.
- name: Install standard packages if not already installed. user:
# Looking at you LXCs. >.> name: nhadmin
ansible.builtin.package: groups: systemd-journal
name: append: yes
- curl when: "'systemd-journal' in ansible_facts.getent_group"
- net-tools
- wget
- iftop
state: present
# Give ansible sudo rights with no password required.
- name: Add sudo rights with no password for deployment user.
lineinfile:
dest: /etc/sudoers
regexp: '^ansible'
line: 'ansible ALL=(ALL) NOPASSWD: ALL'
state: present
validate: 'visudo -cf %s'
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
user:
name: nhadmin
state: present
password: "{{ nhadmin_password | password_hash('sha512') }}"
shell: /bin/bash
- name: Add nhadmin to sudo group.
user:
name: nhadmin
groups: sudo
append: yes
when: "'sudo' in ansible_facts.getent_group"
- name: Add nhadmin to systemd-journal group.
user:
name: nhadmin
groups: systemd-journal
append: yes
when: "'systemd-journal' in ansible_facts.getent_group"
# Sysadmin user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for nhadmin.
file:
path: /home/nhadmin/.ssh
state: directory
owner: nhadmin
group: nhadmin
- name: Add nhadmin user's SSH key.
copy:
content: "{{ nhadmin_key }}"
dest: /home/nhadmin/.ssh/authorized_keys
owner: nhadmin
group: nhadmin
# shell:
# cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys
# creates: /home/nhadmin/.ssh/authorized_keys
# SSH config updating
- name: Update SSH configuration to disallow root login and disable password authentication.
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^PubkeyAuthentication"
line: "PubkeyAuthentication yes"
- name: Restart SSH service.
service:
name: sshd
state: restarted
# Delete our network ansible key from the root user.
- name: Delete our network ansible key (and other keys) from the root user.
file:
path: /root/.ssh/authorized_keys
state: absent
# Upgrade all apt packages for good measure.
- name: Upgrade all apt packages
apt: upgrade=dist force_apt_get=yes
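Review bot: The `Add sudo rights with no password for deployment user` task edits `/etc/sudoers` in place with `lineinfile`; writing a drop-in `/etc/sudoers.d/ansible` with `copy` (`mode: '0440'`, the same `validate: 'visudo -cf %s'`) leaves the distribution file untouched and makes the grant easier to audit and revoke. The `apt: update_cache=yes force_apt_get=yes cache_valid_time=3600` line is the only free-form key=value invocation left in the file; `ansible.builtin.apt:` with `update_cache: true`, `force_apt_get: true` and `cache_valid_time: 3600` matches the block style used everywhere else. With the `- hosts:` header gone this is now a task file, so `become` and fact gathering must be provided by the including play — a header comment such as `## Included from the common compliance tasks; expects become and gathered facts from the caller` would make that explicit.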