From 5722a2462737b431ae08bbfc6d68dc26ffd57a52 Mon Sep 17 00:00:00 2001 From: iRaven4522 Date: Sun, 30 Nov 2025 17:41:44 -0600 Subject: [PATCH] Trying to understand this ugh --- linux/compliance.yaml | 10 ++ linux/compliance_Alpine.yaml | 231 ++++++++++++++++------------------- 2 files changed, 118 insertions(+), 123 deletions(-) diff --git a/linux/compliance.yaml b/linux/compliance.yaml index 1a53cf6..7d3fc97 100644 --- a/linux/compliance.yaml +++ b/linux/compliance.yaml @@ -2,6 +2,16 @@ ## Checks/deploys a Linux system to be managed with Ansible. - hosts: all + gather_facts: yes tasks: + - name: "Set become method to doas (Alpine)" + vars: + ansible_become_method: doas + when: "ansible_distribution == 'Alpine'" + + - name: "Set become to true" + vars: + ansible_become: true + - name: "Include OS specific tasks" ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml" \ No newline at end of file diff --git a/linux/compliance_Alpine.yaml b/linux/compliance_Alpine.yaml index c23a02c..2421a86 100644 --- a/linux/compliance_Alpine.yaml +++ b/linux/compliance_Alpine.yaml @@ -1,126 +1,111 @@ --- ## Checks/deploys a Linux system to be managed with Ansible. -gather_facts: yes -become: yes -become_method: doas -tasks: - # Gather system groups - - name: Gather all system groups - ansible.builtin.getent: - database: group - split: ':' - - # Add doas package - - name: Install doas (for Alpine systems). - ansible.builtin.package: - name: - - doas - state: present - - # User account (ansible) configuration - - name: Add deployment user. - user: - name: ansible - state: present - - name: Add deployment user to wheel group. - user: - name: ansible - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" - - # Ansible user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for deployment user. - file: - path: /home/ansible/.ssh - state: directory - owner: ansible - group: ansible - - name: Add deployment user's SSH key. - copy: - content: "{{ ansiblesvc_key }}" - dest: /home/ansible/.ssh/authorized_keys - owner: ansible - group: ansible - - # Add required packages because Debian is lame - - name: Install standard packages if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - curl - - net-tools - - wget - - util-linux - - python3 - - iftop - state: present - - # Give ansible doas rights with no password required. - - name: Add doas rights with no password for deployment user (Alpine only) - lineinfile: - dest: /etc/doas.conf - regexp: '^ansible' - line: 'permit keepenv nopass :ansible' - state: present - validate: 'doas -C %s' - - # User account (nhadmin) configuration, for sysadmin use - - name: Create user nhadmin. - user: - name: nhadmin - state: present - password: "{{ nhadmin_password | password_hash('sha512') }}" - shell: /bin/bash - - - name: Add nhadmin to wheel group. - user: - name: nhadmin - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" - - # Sysadmin user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for nhadmin. - file: - path: /home/nhadmin/.ssh - state: directory - owner: nhadmin - group: nhadmin - - name: Add nhadmin user's SSH key. - copy: - content: "{{ nhadmin_key }}" - dest: /home/nhadmin/.ssh/authorized_keys - owner: nhadmin - group: nhadmin - - # SSH config updating - - name: Update SSH configuration to disallow root login and disable password authentication. - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -t -f %s' - with_items: - - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PubkeyAuthentication" - line: "PubkeyAuthentication yes" - - name: Restart SSH service. - service: - name: sshd - state: restarted - - # Delete our network ansible key from the root user. - - name: Delete our network ansible key (and other keys) from the root user. - file: - path: /root/.ssh/authorized_keys - state: absent \ No newline at end of file +- name: Gather all system groups + ansible.builtin.getent: + database: group + split: ':' +# Add doas package +- name: Install doas (for Alpine systems). + ansible.builtin.package: + name: + - doas + state: present +# User account (ansible) configuration +- name: Add deployment user. + user: + name: ansible + state: present +- name: Add deployment user to wheel group. + user: + name: ansible + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" +# Ansible user SSH pub key +# This is a really stupid way to do it, but alas. +# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. +- name: Create ssh directory for deployment user. + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible +- name: Add deployment user's SSH key. + copy: + content: "{{ ansiblesvc_key }}" + dest: /home/ansible/.ssh/authorized_keys + owner: ansible + group: ansible +# Add required packages because Debian is lame +- name: Install standard packages if not already installed. + # Looking at you LXCs. >.> + ansible.builtin.package: + name: + - curl + - net-tools + - wget + - util-linux + - python3 + - iftop + state: present +# Give ansible doas rights with no password required. +- name: Add doas rights with no password for deployment user (Alpine only) + lineinfile: + dest: /etc/doas.conf + regexp: '^ansible' + line: 'permit keepenv nopass :ansible' + state: present + validate: 'doas -C %s' +# User account (nhadmin) configuration, for sysadmin use +- name: Create user nhadmin. + user: + name: nhadmin + state: present + password: "{{ nhadmin_password | password_hash('sha512') }}" + shell: /bin/bash +- name: Add nhadmin to wheel group. + user: + name: nhadmin + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" +# Sysadmin user SSH pub key +# This is a really stupid way to do it, but alas. +# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. +- name: Create ssh directory for nhadmin. + file: + path: /home/nhadmin/.ssh + state: directory + owner: nhadmin + group: nhadmin +- name: Add nhadmin user's SSH key. + copy: + content: "{{ nhadmin_key }}" + dest: /home/nhadmin/.ssh/authorized_keys + owner: nhadmin + group: nhadmin +# SSH config updating +- name: Update SSH configuration to disallow root login and disable password authentication. + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -t -f %s' + with_items: + - regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PubkeyAuthentication" + line: "PubkeyAuthentication yes" +- name: Restart SSH service. + service: + name: sshd + state: restarted +# Delete our network ansible key from the root user. +- name: Delete our network ansible key (and other keys) from the root user. + file: + path: /root/.ssh/authorized_keys + state: absent \ No newline at end of file