diff --git a/linux/compliance.yaml b/linux/compliance.yaml
new file mode 100644
index 0000000..2997e56
--- /dev/null
+++ b/linux/compliance.yaml
@@ -0,0 +1,67 @@
+---
+## Checks/deploys a Linux system to be managed with Ansible.
+
+- hosts: all
+ gather_facts: yes
+ become: yes
+
+ tasks:
+ # User account (ansible) configuration
+ - name: Add deployment user.
+ user:
+ name: ansible
+ state: present
+
+ # Ansible user SSH pub key
+ - name: Add deployment user's SSH key.
+ ansible.posix.authorized_key:
+ user: ansible
+ state: present
+ key: "{{ ansiblesvc_key }}"
+
+ # Give ansible sudo rights with no password required.
+ - name: Add sudo rights with no password for deployment user.
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: '^ansible'
+ line: 'johndoe ALL=(ALL) NOPASSWD: ALL'
+ state: present
+ validate: 'visudo -cf %s'
+
+ # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
+ - name: Stop and disable firewalld.
+ service:
+ name: firewalld
+ state: stopped
+ enabled: False
+ ignore_errors: True
+
+ # User account (nhadmin) configuration, for sysadmin use
+ - name: Create user nhadmin.
+ user:
+ name: nhadmin
+ state: present
+ password: "{{ nhadmin_password | password_hash('sha512') }}"
+ # add to sudo
+ groups: sudo
+ append: yes
+
+ # SSH config updating
+ - name: Update SSH configuration to be more secure.
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -t -f %s'
+ with_items:
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin no"
+ notify: restart ssh
+
+ # Delete our network ansible key from the root user.
+ - name: Delete our network ansible key from the root user.
+ ansible.builtin.file:
+ path: /root/.ssh/authorized_keys
+ state: absent
+ ignore_errors: yes
\ No newline at end of file
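Review bot: The sudoers task's `regexp: '^ansible'` and `line: 'johndoe ALL=(ALL) NOPASSWD: ALL'` disagree: the regexp never matches the line it inserts, so every run appends another `johndoe` entry to /etc/sudoers and the `ansible` deployment user named in the task never receives the rights the comment describes; the line should read `line: 'ansible ALL=(ALL) NOPASSWD: ALL'` (a drop-in under /etc/sudoers.d would also keep the validated edit out of the main file). The sshd_config task ends with `notify: restart ssh` but the play declares no handlers section, so Ansible fails at runtime when the task reports a change; the missing handler is sketched below. The last task removes the whole /root/.ssh/authorized_keys file rather than the single key its name describes, which also discards any other root key an operator or this play itself depends on — `ansible.posix.authorized_key` with `user: root`, `key: "{{ ansiblesvc_key }}"`, `state: absent` removes only that key. As a style point, the mixed truthy scalars (`yes`, `True`, `False`) should be `true`/`false`, and the bare `user`/`lineinfile`/`service` modules should carry their `ansible.builtin.` names like the other tasks in this file.
```yaml
  # … unchanged: tasks …
  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: sshd  # Debian-family hosts name the unit "ssh"; adjust for the inventory
        state: restarted
```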