Trying to understand this ugh
@@ -1,126 +1,111 @@
|
||||
---
|
||||
## Checks/deploys a Linux system to be managed with Ansible.
|
||||
|
||||
gather_facts: yes
|
||||
become: yes
|
||||
become_method: doas
|
||||
tasks:
|
||||
# Gather system groups
|
||||
- name: Gather all system groups
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
split: ':'
|
||||
|
||||
# Add doas package
|
||||
- name: Install doas (for Alpine systems).
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- doas
|
||||
state: present
|
||||
|
||||
# User account (ansible) configuration
|
||||
- name: Add deployment user.
|
||||
user:
|
||||
name: ansible
|
||||
state: present
|
||||
- name: Add deployment user to wheel group.
|
||||
user:
|
||||
name: ansible
|
||||
groups: wheel
|
||||
append: yes
|
||||
when: "'wheel' in ansible_facts.getent_group"
|
||||
|
||||
# Ansible user SSH pub key
|
||||
# This is a really stupid way to do it, but alas.
|
||||
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
|
||||
- name: Create ssh directory for deployment user.
|
||||
file:
|
||||
path: /home/ansible/.ssh
|
||||
state: directory
|
||||
owner: ansible
|
||||
group: ansible
|
||||
- name: Add deployment user's SSH key.
|
||||
copy:
|
||||
content: "{{ ansiblesvc_key }}"
|
||||
dest: /home/ansible/.ssh/authorized_keys
|
||||
owner: ansible
|
||||
group: ansible
|
||||
|
||||
# Add required packages because Debian is lame
|
||||
- name: Install standard packages if not already installed.
|
||||
# Looking at you LXCs. >.>
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- curl
|
||||
- net-tools
|
||||
- wget
|
||||
- util-linux
|
||||
- python3
|
||||
- iftop
|
||||
state: present
|
||||
|
||||
# Give ansible doas rights with no password required.
|
||||
- name: Add doas rights with no password for deployment user (Alpine only)
|
||||
lineinfile:
|
||||
dest: /etc/doas.conf
|
||||
regexp: '^ansible'
|
||||
line: 'permit keepenv nopass :ansible'
|
||||
state: present
|
||||
validate: 'doas -C %s'
|
||||
|
||||
# User account (nhadmin) configuration, for sysadmin use
|
||||
- name: Create user nhadmin.
|
||||
user:
|
||||
name: nhadmin
|
||||
state: present
|
||||
password: "{{ nhadmin_password | password_hash('sha512') }}"
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Add nhadmin to wheel group.
|
||||
user:
|
||||
name: nhadmin
|
||||
groups: wheel
|
||||
append: yes
|
||||
when: "'wheel' in ansible_facts.getent_group"
|
||||
|
||||
# Sysadmin user SSH pub key
|
||||
# This is a really stupid way to do it, but alas.
|
||||
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
|
||||
- name: Create ssh directory for nhadmin.
|
||||
file:
|
||||
path: /home/nhadmin/.ssh
|
||||
state: directory
|
||||
owner: nhadmin
|
||||
group: nhadmin
|
||||
- name: Add nhadmin user's SSH key.
|
||||
copy:
|
||||
content: "{{ nhadmin_key }}"
|
||||
dest: /home/nhadmin/.ssh/authorized_keys
|
||||
owner: nhadmin
|
||||
group: nhadmin
|
||||
|
||||
# SSH config updating
|
||||
- name: Update SSH configuration to disallow root login and disable password authentication.
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
validate: 'sshd -t -f %s'
|
||||
with_items:
|
||||
- regexp: "^PermitRootLogin"
|
||||
line: "PermitRootLogin no"
|
||||
- regexp: "^PasswordAuthentication"
|
||||
line: "PasswordAuthentication no"
|
||||
- regexp: "^PubkeyAuthentication"
|
||||
line: "PubkeyAuthentication yes"
|
||||
- name: Restart SSH service.
|
||||
service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
# Delete our network ansible key from the root user.
|
||||
- name: Delete our network ansible key (and other keys) from the root user.
|
||||
file:
|
||||
path: /root/.ssh/authorized_keys
|
||||
state: absent
|
||||
- name: Gather all system groups
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
split: ':'
|
||||
# Add doas package
|
||||
- name: Install doas (for Alpine systems).
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- doas
|
||||
state: present
|
||||
# User account (ansible) configuration
|
||||
- name: Add deployment user.
|
||||
user:
|
||||
name: ansible
|
||||
state: present
|
||||
- name: Add deployment user to wheel group.
|
||||
user:
|
||||
name: ansible
|
||||
groups: wheel
|
||||
append: yes
|
||||
when: "'wheel' in ansible_facts.getent_group"
|
||||
# Ansible user SSH pub key
|
||||
# This is a really stupid way to do it, but alas.
|
||||
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
|
||||
- name: Create ssh directory for deployment user.
|
||||
file:
|
||||
path: /home/ansible/.ssh
|
||||
state: directory
|
||||
owner: ansible
|
||||
group: ansible
|
||||
- name: Add deployment user's SSH key.
|
||||
copy:
|
||||
content: "{{ ansiblesvc_key }}"
|
||||
dest: /home/ansible/.ssh/authorized_keys
|
||||
owner: ansible
|
||||
group: ansible
|
||||
# Add required packages because Debian is lame
|
||||
- name: Install standard packages if not already installed.
|
||||
# Looking at you LXCs. >.>
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- curl
|
||||
- net-tools
|
||||
- wget
|
||||
- util-linux
|
||||
- python3
|
||||
- iftop
|
||||
state: present
|
||||
# Give ansible doas rights with no password required.
|
||||
- name: Add doas rights with no password for deployment user (Alpine only)
|
||||
lineinfile:
|
||||
dest: /etc/doas.conf
|
||||
regexp: '^ansible'
|
||||
line: 'permit keepenv nopass :ansible'
|
||||
state: present
|
||||
validate: 'doas -C %s'
|
||||
# User account (nhadmin) configuration, for sysadmin use
|
||||
- name: Create user nhadmin.
|
||||
user:
|
||||
name: nhadmin
|
||||
state: present
|
||||
password: "{{ nhadmin_password | password_hash('sha512') }}"
|
||||
shell: /bin/bash
|
||||
- name: Add nhadmin to wheel group.
|
||||
user:
|
||||
name: nhadmin
|
||||
groups: wheel
|
||||
append: yes
|
||||
when: "'wheel' in ansible_facts.getent_group"
|
||||
# Sysadmin user SSH pub key
|
||||
# This is a really stupid way to do it, but alas.
|
||||
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
|
||||
- name: Create ssh directory for nhadmin.
|
||||
file:
|
||||
path: /home/nhadmin/.ssh
|
||||
state: directory
|
||||
owner: nhadmin
|
||||
group: nhadmin
|
||||
- name: Add nhadmin user's SSH key.
|
||||
copy:
|
||||
content: "{{ nhadmin_key }}"
|
||||
dest: /home/nhadmin/.ssh/authorized_keys
|
||||
owner: nhadmin
|
||||
group: nhadmin
|
||||
# SSH config updating
|
||||
- name: Update SSH configuration to disallow root login and disable password authentication.
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
validate: 'sshd -t -f %s'
|
||||
with_items:
|
||||
- regexp: "^PermitRootLogin"
|
||||
line: "PermitRootLogin no"
|
||||
- regexp: "^PasswordAuthentication"
|
||||
line: "PasswordAuthentication no"
|
||||
- regexp: "^PubkeyAuthentication"
|
||||
line: "PubkeyAuthentication yes"
|
||||
- name: Restart SSH service.
|
||||
service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
# Delete our network ansible key from the root user.
|
||||
- name: Delete our network ansible key (and other keys) from the root user.
|
||||
file:
|
||||
path: /root/.ssh/authorized_keys
|
||||
state: absent
|
||||
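Review bot: The `Update SSH configuration` task on the new side (`lineinfile` on `/etc/ssh/sshd_config` with `regexp: "^PermitRootLogin"` and friends) appends each directive to the end of the file whenever the regexp finds no match, which is the usual case when the stock line is commented out as `#PermitRootLogin`; sshd honours the first occurrence of a directive, so a preceding `Include /etc/ssh/sshd_config.d/*.conf` drop-in or a trailing `Match` block can leave the hardening silently ineffective even though `validate: 'sshd -t -f %s'` passes. Anchor the inserted line at the top of the file, e.g. add `insertbefore: BOF` to that task, or write the three settings into a dedicated low-numbered drop-in under `/etc/ssh/sshd_config.d/` on distributions whose `sshd_config` includes that directory. The unconditional `Restart SSH service` task would then be better expressed as a handler notified by the `lineinfile` change, so sshd is only bounced when the configuration actually changed. Separately, `Create user nhadmin` passes a rendered password hash in its arguments; add `no_log: true` to that task so the hash is not written to the Semaphore task log, and `update_password: on_create` would stop `password_hash('sha512')` from re-salting and rewriting the shadow entry on every run.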