---
## Checks/deploys a Linux system to be managed with Ansible.

- name: Gather all system groups
  ansible.builtin.getent:
    database: group
    split: ':'

# Add doas package
- name: Install doas (for Alpine systems).
  ansible.builtin.package:
    name:
      - doas
    state: present

# User account (ansible) configuration
- name: Add deployment user.
  user:
    name: ansible
    state: present
- name: Add deployment user to wheel group.
  user:
    name: ansible
    groups: wheel
    append: yes
  # when: "'wheel' in ansible_facts.getent_group"

# Ansible user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for deployment user.
  file:
    path: /home/ansible/.ssh
    state: directory
    owner: ansible
    group: ansible
- name: Add deployment user's SSH key.
  copy:
    content: "{{ ansiblesvc_key }}"
    dest: /home/ansible/.ssh/authorized_keys
    owner: ansible
    group: ansible

- name: Install standard packages if not already installed.
  # Looking at you LXCs. >.>
  ansible.builtin.package:
    name:
      - curl
      - net-tools
      - wget
      - util-linux
      - python3
      - iftop
    state: present

# Give ansible doas rights with no password required.
- name: Add doas rights with no password for deployment user (Alpine only)
  lineinfile:
    dest: /etc/doas.conf
    regexp: '^ansible'
    line: 'permit keepenv nopass :ansible'
    state: present
    validate: 'doas -C %s'
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
  user:
    name: nhadmin
    state: present
    password: "{{ nhadmin_password | password_hash('sha512') }}"
    shell: /bin/bash
- name: Add nhadmin to wheel group.
  user:
    name: nhadmin
    groups: wheel
    append: yes
  # when: "'wheel' in ansible_facts.getent_group"

# Sysadmin user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for nhadmin.
  file:
    path: /home/nhadmin/.ssh
    state: directory
    owner: nhadmin
    group: nhadmin
- name: Add nhadmin user's SSH key.
  copy:
    content: "{{ nhadmin_key }}"
    dest: /home/nhadmin/.ssh/authorized_keys
    owner: nhadmin
    group: nhadmin
# SSH config updating
- name: Update SSH configuration to disallow root login and disable password authentication.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: 'sshd -t -f %s'
  with_items:
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin no"
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication no"
    - regexp: "^PubkeyAuthentication"
      line: "PubkeyAuthentication yes"
- name: Restart SSH service.
  service:
    name: sshd
    state: restarted
# Delete our network ansible key from the root user.
- name: Delete our network ansible key (and other keys) from the root user.
  file:
    path: /root/.ssh/authorized_keys
    state: absent