From 9d10bb93c8dcd693f3e5dac30a7dc32f3b0346cc Mon Sep 17 00:00:00 2001
From: iRaven4522
Date: Thu, 25 Apr 2024 02:08:36 -0500
Subject: [PATCH] Created compliance script

---
 linux/compliance.yaml | 67 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 linux/compliance.yaml

diff --git a/linux/compliance.yaml b/linux/compliance.yaml
new file mode 100644
index 0000000..2997e56
--- /dev/null
+++ b/linux/compliance.yaml
@@ -0,0 +1,67 @@
+---
+## Checks/deploys a Linux system to be managed with Ansible.
+
+- hosts: all
+ gather_facts: yes
+ become: yes
+
+ tasks:
+ # User account (ansible) configuration
+ - name: Add deployment user.
+ user:
+ name: ansible
+ state: present
+
+ # Ansible user SSH pub key
+ - name: Add deployment user's SSH key.
+ ansible.posix.authorized_key:
+ user: ansible
+ state: present
+ key: "{{ ansiblesvc_key }}"
+
+ # Give ansible sudo rights with no password required.
+ - name: Add sudo rights with no password for deployment user.
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: '^ansible'
+ line: 'johndoe ALL=(ALL) NOPASSWD: ALL'
+ state: present
+ validate: 'visudo -cf %s'
+
+ # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
+ - name: Stop and disable firewalld.
+ service:
+ name: firewalld
+ state: stopped
+ enabled: False
+ ignore_errors: True
+
+ # User account (nhadmin) configuration, for sysadmin use
+ - name: Create user nhadmin.
+ user:
+ name: nhadmin
+ state: present
+ password: "{{ nhadmin_password | password_hash('sha512') }}"
+ # add to sudo
+ groups: sudo
+ append: yes
+
+ # SSH config updating
+ - name: Update SSH configuration to be more secure.
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -t -f %s'
+ with_items:
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin no"
+ notify: restart ssh
+
+ # Delete our network ansible key from the root user.
+ - name: Delete our network ansible key from the root user.
+ ansible.builtin.file:
+ path: /root/.ssh/authorized_keys
+ state: absent
+ ignore_errors: yes
\ No newline at end of file
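Review bot: The sudoers task writes `line: 'johndoe ALL=(ALL) NOPASSWD: ALL'` while its `regexp: '^ansible'` and its task name target the ansible deployment user, so the account this play is bootstrapping never receives sudo and an unrelated `johndoe` account is granted passwordless root instead; the line should read `line: 'ansible ALL=(ALL) NOPASSWD: ALL'` (a dedicated file under `/etc/sudoers.d/` written with `mode: '0440'` and the same `visudo -cf %s` validation would also keep the edit out of the main sudoers). The sshd task ends with `notify: restart ssh`, but no `handlers:` section exists in the play, and Ansible errors out on a notify whose handler is not defined, so a `restart ssh` handler needs to be added or the notify dropped. The final task removes the whole `/root/.ssh/authorized_keys` file rather than the single key its name and comment describe, which revokes every other key root may have; `ansible.posix.authorized_key` with `user: root`, `key: "{{ ansiblesvc_key }}"` and `state: absent` matches the stated intent, and `ignore_errors: yes` can go because `state: absent` on a missing path is not a failure. Separately, the file mixes `yes`, `True` and `False` for booleans and uses the legacy `with_items:`; `true`/`false` throughout and `loop:` are what ansible-lint expects.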