diff --git a/linux/compliance_Alpine.yaml b/linux/compliance_Alpine.yaml index a0a7ecc..c23a02c 100644 --- a/linux/compliance_Alpine.yaml +++ b/linux/compliance_Alpine.yaml @@ -1,156 +1,126 @@ --- ## Checks/deploys a Linux system to be managed with Ansible. -- hosts: all - gather_facts: yes - become: yes - become_method: doas +gather_facts: yes +become: yes +become_method: doas +tasks: + # Gather system groups + - name: Gather all system groups + ansible.builtin.getent: + database: group + split: ':' - tasks: + # Add doas package + - name: Install doas (for Alpine systems). + ansible.builtin.package: + name: + - doas + state: present - # Gather system groups - - name: Gather all system groups - ansible.builtin.getent: - database: group - split: ':' + # User account (ansible) configuration + - name: Add deployment user. + user: + name: ansible + state: present + - name: Add deployment user to wheel group. + user: + name: ansible + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" - # Add doas package - - name: Install doas (for Alpine systems). - ansible.builtin.package: - name: - - doas - state: present + # Ansible user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for deployment user. + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible + - name: Add deployment user's SSH key. + copy: + content: "{{ ansiblesvc_key }}" + dest: /home/ansible/.ssh/authorized_keys + owner: ansible + group: ansible + + # Add required packages because Debian is lame + - name: Install standard packages if not already installed. + # Looking at you LXCs. >.> + ansible.builtin.package: + name: + - curl + - net-tools + - wget + - util-linux + - python3 + - iftop + state: present - # User account (ansible) configuration - - name: Add deployment user. - user: - name: ansible - state: present - - name: Add deployment user to wheel group. - user: - name: ansible - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" + # Give ansible doas rights with no password required. + - name: Add doas rights with no password for deployment user (Alpine only) + lineinfile: + dest: /etc/doas.conf + regexp: '^ansible' + line: 'permit keepenv nopass :ansible' + state: present + validate: 'doas -C %s' - # Ansible user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for deployment user. - file: - path: /home/ansible/.ssh - state: directory - owner: ansible - group: ansible + # User account (nhadmin) configuration, for sysadmin use + - name: Create user nhadmin. + user: + name: nhadmin + state: present + password: "{{ nhadmin_password | password_hash('sha512') }}" + shell: /bin/bash - - name: Add deployment user's SSH key. - copy: - content: "{{ ansiblesvc_key }}" - dest: /home/ansible/.ssh/authorized_keys - owner: ansible - group: ansible - # shell: - # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys - # creates: /home/ansible/.ssh/authorized_keys + - name: Add nhadmin to wheel group. + user: + name: nhadmin + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" - # Add required packages because Debian is lame - - name: Install standard packages if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - curl - - net-tools - - wget - - util-linux - - python3 - - iftop - state: present - - # Give ansible doas rights with no password required. - - name: Add doas rights with no password for deployment user (Alpine only) - lineinfile: - dest: /etc/doas.conf - regexp: '^ansible' - line: 'permit keepenv nopass :ansible' - state: present - validate: 'doas -C %s' + # Sysadmin user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for nhadmin. + file: + path: /home/nhadmin/.ssh + state: directory + owner: nhadmin + group: nhadmin + - name: Add nhadmin user's SSH key. + copy: + content: "{{ nhadmin_key }}" + dest: /home/nhadmin/.ssh/authorized_keys + owner: nhadmin + group: nhadmin - # User account (nhadmin) configuration, for sysadmin use - - name: Create user nhadmin. - user: - name: nhadmin - state: present - password: "{{ nhadmin_password | password_hash('sha512') }}" - shell: /bin/bash + # SSH config updating + - name: Update SSH configuration to disallow root login and disable password authentication. + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -t -f %s' + with_items: + - regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PubkeyAuthentication" + line: "PubkeyAuthentication yes" + - name: Restart SSH service. + service: + name: sshd + state: restarted - - name: Add nhadmin to wheel group. - user: - name: nhadmin - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" - - - name: Add nhadmin to sudo group. - user: - name: nhadmin - groups: sudo - append: yes - when: "'sudo' in ansible_facts.getent_group" - - - name: Add nhadmin to systemd-journal group. - user: - name: nhadmin - groups: systemd-journal - append: yes - when: "'systemd-journal' in ansible_facts.getent_group" - - - # Sysadmin user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for nhadmin. - file: - path: /home/nhadmin/.ssh - state: directory - owner: nhadmin - group: nhadmin - - name: Add nhadmin user's SSH key. - copy: - content: "{{ nhadmin_key }}" - dest: /home/nhadmin/.ssh/authorized_keys - owner: nhadmin - group: nhadmin - # shell: - # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys - # creates: /home/nhadmin/.ssh/authorized_keys - - # SSH config updating - - name: Update SSH configuration to disallow root login and disable password authentication. - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -t -f %s' - with_items: - - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PubkeyAuthentication" - line: "PubkeyAuthentication yes" - - name: Restart SSH service. - service: - name: sshd - state: restarted - - # Delete our network ansible key from the root user. - - name: Delete our network ansible key (and other keys) from the root user. - file: - path: /root/.ssh/authorized_keys - state: absent - - # Upgrade all apt packages for good measure. - - name: Upgrade all apt packages - apt: upgrade=dist force_apt_get=yes - when: aptfolder.stat.exists \ No newline at end of file + # Delete our network ansible key from the root user. + - name: Delete our network ansible key (and other keys) from the root user. + file: + path: /root/.ssh/authorized_keys + state: absent \ No newline at end of file