From bf7a48ca9eb485e806244dbf643496a0bb329815 Mon Sep 17 00:00:00 2001
From: iRaven4522
Date: Sun, 30 Nov 2025 17:16:31 -0600
Subject: [PATCH] Separating out compliance script
---
 linux/compliance.yaml | 200 +---------------------------------
 linux/compliance_Alpine.yaml | 156 +++++++++++++++++++++++++++
 linux/compliance_Debian.yaml | 155 +++++++++++++++++++++++++++
 3 files changed, 313 insertions(+), 198 deletions(-)
 create mode 100644 linux/compliance_Alpine.yaml
 create mode 100644 linux/compliance_Debian.yaml
diff --git a/linux/compliance.yaml b/linux/compliance.yaml
index 1d7ea44..fb51c6f 100644
--- a/linux/compliance.yaml
+++ b/linux/compliance.yaml
@@ -3,203 +3,7 @@ - hosts: all gather_facts: yes - become: yes tasks: - - # Gather system groups - - name: Gather all system groups - ansible.builtin.getent: - database: group - split: ':' - - # Check for package managers - - name: Check for APT installation - stat: - path: /etc/apt - register: aptfolder - - # Add sudo package - - name: Install sudo if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - sudo - state: present - when: "ansible_distribution != 'Alpine'" - - # Add doas package - - name: Install doas (for Alpine systems). - ansible.builtin.package: - name: - - doas - state: present - when: "ansible_distribution == 'Alpine'" - - # APT Cacher-NG Configuration - - name: Add APT-Cacher-NG Configuration - copy: - content: "{{ aptcacher_config }}" - dest: /etc/apt/apt.conf.d/proxy - when: aptfolder.stat.exists - - - name: Remove redundant APT configuration - file: - path: /etc/apt/apt.conf - state: absent - when: aptfolder.stat.exists - - # Update apt package lists after adding our proxy - - name: Update apt repo package lists from cacher - apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 - when: aptfolder.stat.exists - - # User account (ansible) configuration - - name: Add deployment user. - user: - name: ansible - state: present - - name: Add deployment user to wheel group. - user: - name: ansible - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" - - # Ansible user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for deployment user. - file: - path: /home/ansible/.ssh - state: directory - owner: ansible - group: ansible - - - name: Add deployment user's SSH key. 
- copy: - content: "{{ ansiblesvc_key }}" - dest: /home/ansible/.ssh/authorized_keys - owner: ansible - group: ansible - # shell: - # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys - # creates: /home/ansible/.ssh/authorized_keys - - # Add required packages because Debian is lame - - name: Install standard packages if not already installed. - # Looking at you LXCs. >.> - ansible.builtin.package: - name: - - curl - - net-tools - - wget - state: present - - # Give ansible sudo rights with no password required. - - name: Add sudo rights with no password for deployment user. - lineinfile: - dest: /etc/sudoers - regexp: '^ansible' - line: 'ansible ALL=(ALL) NOPASSWD: ALL' - state: present - validate: 'visudo -cf %s' - when: "ansible_distribution != 'Alpine'" - - # Give ansible doas rights with no password required. - - name: Add doas rights with no password for deployment user (Alpine only) - lineinfile: - dest: /etc/doas.conf - regexp: '^ansible' - line: 'permit keepenv nopass :ansible' - state: present - validate: 'doas -C %s' - when: "ansible_distribution == 'Alpine'" - - # # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi. - # - name: Stop and disable firewalld. - # service: - # name: firewalld - # state: stopped - # enabled: false - # when: "'firewalld' in services" - - # User account (nhadmin) configuration, for sysadmin use - - name: Create user nhadmin. - user: - name: nhadmin - state: present - password: "{{ nhadmin_password | password_hash('sha512') }}" - shell: /bin/bash - - - name: Add nhadmin to wheel group. - user: - name: nhadmin - groups: wheel - append: yes - when: "'wheel' in ansible_facts.getent_group" - - - name: Add nhadmin to sudo group. - user: - name: nhadmin - groups: sudo - append: yes - when: "'sudo' in ansible_facts.getent_group" - - - name: Add nhadmin to systemd-journal group. 
- user: - name: nhadmin - groups: systemd-journal - append: yes - when: "'systemd-journal' in ansible_facts.getent_group" - - - # Sysadmin user SSH pub key - # This is a really stupid way to do it, but alas. - # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. - - name: Create ssh directory for nhadmin. - file: - path: /home/nhadmin/.ssh - state: directory - owner: nhadmin - group: nhadmin - - name: Add nhadmin user's SSH key. - copy: - content: "{{ nhadmin_key }}" - dest: /home/nhadmin/.ssh/authorized_keys - owner: nhadmin - group: nhadmin - # shell: - # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys - # creates: /home/nhadmin/.ssh/authorized_keys - - # SSH config updating - - name: Update SSH configuration to disallow root login and disable password authentication. - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -t -f %s' - with_items: - - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PubkeyAuthentication" - line: "PubkeyAuthentication yes" - - name: Restart SSH service. - service: - name: sshd - state: restarted - - # Delete our network ansible key from the root user. - - name: Delete our network ansible key (and other keys) from the root user. - file: - path: /root/.ssh/authorized_keys - state: absent - - # Upgrade all apt packages for good measure. - - name: Upgrade all apt packages - apt: upgrade=dist force_apt_get=yes - when: aptfolder.stat.exists \ No newline at end of file + - name: "Include OS specific tasks" + ansible.builtin.include_tasks: "compliance_{{ os }}.yml" \ No newline at end of file diff --git a/linux/compliance_Alpine.yaml b/linux/compliance_Alpine.yaml new file mode 100644 index 0000000..a0a7ecc --- /dev/null +++ b/linux/compliance_Alpine.yaml 
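Review bot: The new include at the end of the hunk points at `compliance_{{ os }}.yml`, but the files this patch creates are `compliance_Alpine.yaml` and `compliance_Debian.yaml` (`.yaml`), so the include cannot resolve, and the `os` variable is not set anywhere visible, whereas the removed tasks keyed on `ansible_distribution`. Both new files are written as full plays (`- hosts: all` … `tasks:`), which `include_tasks` does not accept — it expects a bare task list — and their play-level `become: yes` / `become_method: doas` would not apply through an include anyway, while this hunk also drops `become: yes` from the parent play, so the sudoers/doas.conf/sshd edits would run unprivileged. Either convert the new files to plain task lists and keep `become: yes` in this play, or keep them as playbooks and replace this play with `ansible.builtin.import_playbook` entries. Minimal line fix for the task as written: `ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"`.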
@@ -0,0 +1,156 @@ +--- +## Checks/deploys a Linux system to be managed with Ansible. + +- hosts: all + gather_facts: yes + become: yes + become_method: doas + + tasks: + + # Gather system groups + - name: Gather all system groups + ansible.builtin.getent: + database: group + split: ':' + + # Add doas package + - name: Install doas (for Alpine systems). + ansible.builtin.package: + name: + - doas + state: present + + # User account (ansible) configuration + - name: Add deployment user. + user: + name: ansible + state: present + - name: Add deployment user to wheel group. + user: + name: ansible + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" + + # Ansible user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for deployment user. + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible + + - name: Add deployment user's SSH key. + copy: + content: "{{ ansiblesvc_key }}" + dest: /home/ansible/.ssh/authorized_keys + owner: ansible + group: ansible + # shell: + # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys + # creates: /home/ansible/.ssh/authorized_keys + + # Add required packages because Debian is lame + - name: Install standard packages if not already installed. + # Looking at you LXCs. >.> + ansible.builtin.package: + name: + - curl + - net-tools + - wget + - util-linux + - python3 + - iftop + state: present + + # Give ansible doas rights with no password required. + - name: Add doas rights with no password for deployment user (Alpine only) + lineinfile: + dest: /etc/doas.conf + regexp: '^ansible' + line: 'permit keepenv nopass :ansible' + state: present + validate: 'doas -C %s' + + # User account (nhadmin) configuration, for sysadmin use + - name: Create user nhadmin. 
+ user: + name: nhadmin + state: present + password: "{{ nhadmin_password | password_hash('sha512') }}" + shell: /bin/bash + + - name: Add nhadmin to wheel group. + user: + name: nhadmin + groups: wheel + append: yes + when: "'wheel' in ansible_facts.getent_group" + + - name: Add nhadmin to sudo group. + user: + name: nhadmin + groups: sudo + append: yes + when: "'sudo' in ansible_facts.getent_group" + + - name: Add nhadmin to systemd-journal group. + user: + name: nhadmin + groups: systemd-journal + append: yes + when: "'systemd-journal' in ansible_facts.getent_group" + + + # Sysadmin user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for nhadmin. + file: + path: /home/nhadmin/.ssh + state: directory + owner: nhadmin + group: nhadmin + - name: Add nhadmin user's SSH key. + copy: + content: "{{ nhadmin_key }}" + dest: /home/nhadmin/.ssh/authorized_keys + owner: nhadmin + group: nhadmin + # shell: + # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys + # creates: /home/nhadmin/.ssh/authorized_keys + + # SSH config updating + - name: Update SSH configuration to disallow root login and disable password authentication. + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -t -f %s' + with_items: + - regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PubkeyAuthentication" + line: "PubkeyAuthentication yes" + - name: Restart SSH service. + service: + name: sshd + state: restarted + + # Delete our network ansible key from the root user. + - name: Delete our network ansible key (and other keys) from the root user. + file: + path: /root/.ssh/authorized_keys + state: absent + + # Upgrade all apt packages for good measure. 
+ - name: Upgrade all apt packages + apt: upgrade=dist force_apt_get=yes + when: aptfolder.stat.exists
\ No newline at end of file
diff --git a/linux/compliance_Debian.yaml b/linux/compliance_Debian.yaml
new file mode 100644
index 0000000..9219d8c
--- /dev/null
+++ b/linux/compliance_Debian.yaml
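Review bot: The final task in the hunk, `Upgrade all apt packages`, runs the `apt` module with `when: aptfolder.stat.exists`, but nothing in this file registers `aptfolder` (the `stat` of `/etc/apt` was not carried over from the original playbook), so the conditional fails with an undefined-variable error — and apt is not Alpine's package manager in any case. Replace it with the apk module, e.g. `community.general.apk:` with `upgrade: true` and `update_cache: true`, and change the comment to say apk. Separately, the play header sets `become_method: doas` while its own first package task installs `doas`; on a host that does not yet have doas the escalation would fail before that task runs, so the first run likely needs a different bootstrap (inferred from the header, not verified here). The `permit keepenv nopass :ansible` rule carried over from the original grants the group `ansible` (leading colon), not the user — worth confirming that is the intended scope of the passwordless grant.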
@@ -0,0 +1,155 @@ +--- +## Checks/deploys a Linux system to be managed with Ansible. + +- hosts: all + gather_facts: yes + become: yes + + tasks: + + # Gather system groups + - name: Gather all system groups + ansible.builtin.getent: + database: group + split: ':' + + # Add sudo package + - name: Install sudo if not already installed. + # Looking at you LXCs. >.> + ansible.builtin.package: + name: + - sudo + state: present + + # APT Cacher-NG Configuration + - name: Add APT-Cacher-NG Configuration + copy: + content: "{{ aptcacher_config }}" + dest: /etc/apt/apt.conf.d/proxy + + - name: Remove redundant APT configuration + file: + path: /etc/apt/apt.conf + state: absent + + # Update apt package lists after adding our proxy + - name: Update apt repo package lists from cacher + apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 + + # User account (ansible) configuration + - name: Add deployment user. + user: + name: ansible + state: present + + # Ansible user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for deployment user. + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible + + - name: Add deployment user's SSH key. + copy: + content: "{{ ansiblesvc_key }}" + dest: /home/ansible/.ssh/authorized_keys + owner: ansible + group: ansible + # shell: + # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys + # creates: /home/ansible/.ssh/authorized_keys + + # Add required packages because Debian is lame + - name: Install standard packages if not already installed. + # Looking at you LXCs. >.> + ansible.builtin.package: + name: + - curl + - net-tools + - wget + - iftop + state: present + + # Give ansible sudo rights with no password required. + - name: Add sudo rights with no password for deployment user. 
+ lineinfile: + dest: /etc/sudoers + regexp: '^ansible' + line: 'ansible ALL=(ALL) NOPASSWD: ALL' + state: present + validate: 'visudo -cf %s' + + # User account (nhadmin) configuration, for sysadmin use + - name: Create user nhadmin. + user: + name: nhadmin + state: present + password: "{{ nhadmin_password | password_hash('sha512') }}" + shell: /bin/bash + + - name: Add nhadmin to sudo group. + user: + name: nhadmin + groups: sudo + append: yes + when: "'sudo' in ansible_facts.getent_group" + + - name: Add nhadmin to systemd-journal group. + user: + name: nhadmin + groups: systemd-journal + append: yes + when: "'systemd-journal' in ansible_facts.getent_group" + + + # Sysadmin user SSH pub key + # This is a really stupid way to do it, but alas. + # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. + - name: Create ssh directory for nhadmin. + file: + path: /home/nhadmin/.ssh + state: directory + owner: nhadmin + group: nhadmin + - name: Add nhadmin user's SSH key. + copy: + content: "{{ nhadmin_key }}" + dest: /home/nhadmin/.ssh/authorized_keys + owner: nhadmin + group: nhadmin + # shell: + # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys + # creates: /home/nhadmin/.ssh/authorized_keys + + # SSH config updating + - name: Update SSH configuration to disallow root login and disable password authentication. + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -t -f %s' + with_items: + - regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PubkeyAuthentication" + line: "PubkeyAuthentication yes" + - name: Restart SSH service. + service: + name: sshd + state: restarted + + # Delete our network ansible key from the root user. + - name: Delete our network ansible key (and other keys) from the root user. 
+ file: + path: /root/.ssh/authorized_keys + state: absent + + # Upgrade all apt packages for good measure. + - name: Upgrade all apt packages + apt: upgrade=dist force_apt_get=yes \ No newline at end of file
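Review bot: The sshd hardening task (`Update SSH configuration to disallow root login…`) edits `/etc/ssh/sshd_config` with `lineinfile`, which appends `PasswordAuthentication no` and friends at the end of the file when no matching uncommented line exists; sshd honours the first value it reads for a directive, so on a Debian whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` (the Debian 12 default, and where cloud images drop a `PasswordAuthentication yes` fragment) the appended lines are silently overridden and password login stays enabled. A drop-in that sorts first under `sshd_config.d` wins that ordering reliably; the rewrite below keeps the same three settings and the `sshd -t` validation (the drop-in filename is an example, and the directory is assumed to exist as it does on Debian 12). The `apt:` calls in this file (`update_cache=yes force_apt_get=yes cache_valid_time=3600` and `upgrade=dist force_apt_get=yes`) use the legacy key=value string form — write them as block YAML under `ansible.builtin.apt:` with `true`/`false` booleans, matching the rest of the file. Restarting sshd unconditionally right after the edit also causes needless churn on every run; a `notify` handler restarts only when the config actually changed.
```yaml
  # SSH config updating: a drop-in that sorts first wins over anything later in
  # sshd_config or in other sshd_config.d fragments (sshd keeps the first value).
  - name: Disallow root login and password authentication via sshd drop-in.
    ansible.builtin.copy:
      dest: /etc/ssh/sshd_config.d/00-compliance.conf  # example name
      owner: root
      group: root
      mode: "0600"
      content: |
        PermitRootLogin no
        PasswordAuthentication no
        PubkeyAuthentication yes
      validate: 'sshd -t -f %s'
  # … unchanged: Restart SSH service, root authorized_keys removal, apt upgrade …
```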