Trying to understand this ugh
This commit is contained in:
@@ -2,6 +2,16 @@
|
|||||||
## Checks/deploys a Linux system to be managed with Ansible.
|
## Checks/deploys a Linux system to be managed with Ansible.
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
|
gather_facts: yes
|
||||||
tasks:
|
tasks:
|
||||||
|
- name: "Set become method to doas (Alpine)"
|
||||||
|
vars:
|
||||||
|
ansible_become_method: doas
|
||||||
|
when: "ansible_distribution == 'Alpine'"
|
||||||
|
|
||||||
|
- name: "Set become to true"
|
||||||
|
vars:
|
||||||
|
ansible_become: true
|
||||||
|
|
||||||
- name: "Include OS specific tasks"
|
- name: "Include OS specific tasks"
|
||||||
ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"
|
ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"
|
||||||
@@ -1,53 +1,44 @@
|
|||||||
---
|
---
|
||||||
## Checks/deploys a Linux system to be managed with Ansible.
|
## Checks/deploys a Linux system to be managed with Ansible.
|
||||||
|
|
||||||
gather_facts: yes
|
- name: Gather all system groups
|
||||||
become: yes
|
|
||||||
become_method: doas
|
|
||||||
tasks:
|
|
||||||
# Gather system groups
|
|
||||||
- name: Gather all system groups
|
|
||||||
ansible.builtin.getent:
|
ansible.builtin.getent:
|
||||||
database: group
|
database: group
|
||||||
split: ':'
|
split: ':'
|
||||||
|
# Add doas package
|
||||||
# Add doas package
|
- name: Install doas (for Alpine systems).
|
||||||
- name: Install doas (for Alpine systems).
|
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- doas
|
- doas
|
||||||
state: present
|
state: present
|
||||||
|
# User account (ansible) configuration
|
||||||
# User account (ansible) configuration
|
- name: Add deployment user.
|
||||||
- name: Add deployment user.
|
|
||||||
user:
|
user:
|
||||||
name: ansible
|
name: ansible
|
||||||
state: present
|
state: present
|
||||||
- name: Add deployment user to wheel group.
|
- name: Add deployment user to wheel group.
|
||||||
user:
|
user:
|
||||||
name: ansible
|
name: ansible
|
||||||
groups: wheel
|
groups: wheel
|
||||||
append: yes
|
append: yes
|
||||||
when: "'wheel' in ansible_facts.getent_group"
|
when: "'wheel' in ansible_facts.getent_group"
|
||||||
|
# Ansible user SSH pub key
|
||||||
# Ansible user SSH pub key
|
# This is a really stupid way to do it, but alas.
|
||||||
# This is a really stupid way to do it, but alas.
|
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
|
||||||
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
|
- name: Create ssh directory for deployment user.
|
||||||
- name: Create ssh directory for deployment user.
|
|
||||||
file:
|
file:
|
||||||
path: /home/ansible/.ssh
|
path: /home/ansible/.ssh
|
||||||
state: directory
|
state: directory
|
||||||
owner: ansible
|
owner: ansible
|
||||||
group: ansible
|
group: ansible
|
||||||
- name: Add deployment user's SSH key.
|
- name: Add deployment user's SSH key.
|
||||||
copy:
|
copy:
|
||||||
content: "{{ ansiblesvc_key }}"
|
content: "{{ ansiblesvc_key }}"
|
||||||
dest: /home/ansible/.ssh/authorized_keys
|
dest: /home/ansible/.ssh/authorized_keys
|
||||||
owner: ansible
|
owner: ansible
|
||||||
group: ansible
|
group: ansible
|
||||||
|
# Add required packages because Debian is lame
|
||||||
# Add required packages because Debian is lame
|
- name: Install standard packages if not already installed.
|
||||||
- name: Install standard packages if not already installed.
|
|
||||||
# Looking at you LXCs. >.>
|
# Looking at you LXCs. >.>
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
@@ -58,49 +49,44 @@ tasks:
|
|||||||
- python3
|
- python3
|
||||||
- iftop
|
- iftop
|
||||||
state: present
|
state: present
|
||||||
|
# Give ansible doas rights with no password required.
|
||||||
# Give ansible doas rights with no password required.
|
- name: Add doas rights with no password for deployment user (Alpine only)
|
||||||
- name: Add doas rights with no password for deployment user (Alpine only)
|
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/doas.conf
|
dest: /etc/doas.conf
|
||||||
regexp: '^ansible'
|
regexp: '^ansible'
|
||||||
line: 'permit keepenv nopass :ansible'
|
line: 'permit keepenv nopass :ansible'
|
||||||
state: present
|
state: present
|
||||||
validate: 'doas -C %s'
|
validate: 'doas -C %s'
|
||||||
|
# User account (nhadmin) configuration, for sysadmin use
|
||||||
# User account (nhadmin) configuration, for sysadmin use
|
- name: Create user nhadmin.
|
||||||
- name: Create user nhadmin.
|
|
||||||
user:
|
user:
|
||||||
name: nhadmin
|
name: nhadmin
|
||||||
state: present
|
state: present
|
||||||
password: "{{ nhadmin_password | password_hash('sha512') }}"
|
password: "{{ nhadmin_password | password_hash('sha512') }}"
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
|
- name: Add nhadmin to wheel group.
|
||||||
- name: Add nhadmin to wheel group.
|
|
||||||
user:
|
user:
|
||||||
name: nhadmin
|
name: nhadmin
|
||||||
groups: wheel
|
groups: wheel
|
||||||
append: yes
|
append: yes
|
||||||
when: "'wheel' in ansible_facts.getent_group"
|
when: "'wheel' in ansible_facts.getent_group"
|
||||||
|
# Sysadmin user SSH pub key
|
||||||
# Sysadmin user SSH pub key
|
# This is a really stupid way to do it, but alas.
|
||||||
# This is a really stupid way to do it, but alas.
|
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
|
||||||
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
|
- name: Create ssh directory for nhadmin.
|
||||||
- name: Create ssh directory for nhadmin.
|
|
||||||
file:
|
file:
|
||||||
path: /home/nhadmin/.ssh
|
path: /home/nhadmin/.ssh
|
||||||
state: directory
|
state: directory
|
||||||
owner: nhadmin
|
owner: nhadmin
|
||||||
group: nhadmin
|
group: nhadmin
|
||||||
- name: Add nhadmin user's SSH key.
|
- name: Add nhadmin user's SSH key.
|
||||||
copy:
|
copy:
|
||||||
content: "{{ nhadmin_key }}"
|
content: "{{ nhadmin_key }}"
|
||||||
dest: /home/nhadmin/.ssh/authorized_keys
|
dest: /home/nhadmin/.ssh/authorized_keys
|
||||||
owner: nhadmin
|
owner: nhadmin
|
||||||
group: nhadmin
|
group: nhadmin
|
||||||
|
# SSH config updating
|
||||||
# SSH config updating
|
- name: Update SSH configuration to disallow root login and disable password authentication.
|
||||||
- name: Update SSH configuration to disallow root login and disable password authentication.
|
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
@@ -114,13 +100,12 @@ tasks:
|
|||||||
line: "PasswordAuthentication no"
|
line: "PasswordAuthentication no"
|
||||||
- regexp: "^PubkeyAuthentication"
|
- regexp: "^PubkeyAuthentication"
|
||||||
line: "PubkeyAuthentication yes"
|
line: "PubkeyAuthentication yes"
|
||||||
- name: Restart SSH service.
|
- name: Restart SSH service.
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: restarted
|
state: restarted
|
||||||
|
# Delete our network ansible key from the root user.
|
||||||
# Delete our network ansible key from the root user.
|
- name: Delete our network ansible key (and other keys) from the root user.
|
||||||
- name: Delete our network ansible key (and other keys) from the root user.
|
|
||||||
file:
|
file:
|
||||||
path: /root/.ssh/authorized_keys
|
path: /root/.ssh/authorized_keys
|
||||||
state: absent
|
state: absent
|
||||||
Reference in New Issue
Block a user