--- ## Checks/deploys a Linux system to be managed with Ansible. - hosts: all gather_facts: yes become: yes become_method: doas tasks: # Gather system groups - name: Gather all system groups ansible.builtin.getent: database: group split: ':' # Add doas package - name: Install doas (for Alpine systems). ansible.builtin.package: name: - doas state: present # User account (ansible) configuration - name: Add deployment user. user: name: ansible state: present - name: Add deployment user to wheel group. user: name: ansible groups: wheel append: yes when: "'wheel' in ansible_facts.getent_group" # Ansible user SSH pub key # This is a really stupid way to do it, but alas. # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey. - name: Create ssh directory for deployment user. file: path: /home/ansible/.ssh state: directory owner: ansible group: ansible - name: Add deployment user's SSH key. copy: content: "{{ ansiblesvc_key }}" dest: /home/ansible/.ssh/authorized_keys owner: ansible group: ansible # shell: # cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys # creates: /home/ansible/.ssh/authorized_keys # Add required packages because Debian is lame - name: Install standard packages if not already installed. # Looking at you LXCs. >.> ansible.builtin.package: name: - curl - net-tools - wget - util-linux - python3 - iftop state: present # Give ansible doas rights with no password required. - name: Add doas rights with no password for deployment user (Alpine only) lineinfile: dest: /etc/doas.conf regexp: '^ansible' line: 'permit keepenv nopass :ansible' state: present validate: 'doas -C %s' # User account (nhadmin) configuration, for sysadmin use - name: Create user nhadmin. user: name: nhadmin state: present password: "{{ nhadmin_password | password_hash('sha512') }}" shell: /bin/bash - name: Add nhadmin to wheel group. user: name: nhadmin groups: wheel append: yes when: "'wheel' in ansible_facts.getent_group" - name: Add nhadmin to sudo group. user: name: nhadmin groups: sudo append: yes when: "'sudo' in ansible_facts.getent_group" - name: Add nhadmin to systemd-journal group. user: name: nhadmin groups: systemd-journal append: yes when: "'systemd-journal' in ansible_facts.getent_group" # Sysadmin user SSH pub key # This is a really stupid way to do it, but alas. # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey. - name: Create ssh directory for nhadmin. file: path: /home/nhadmin/.ssh state: directory owner: nhadmin group: nhadmin - name: Add nhadmin user's SSH key. copy: content: "{{ nhadmin_key }}" dest: /home/nhadmin/.ssh/authorized_keys owner: nhadmin group: nhadmin # shell: # cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys # creates: /home/nhadmin/.ssh/authorized_keys # SSH config updating - name: Update SSH configuration to disallow root login and disable password authentication. lineinfile: dest: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present validate: 'sshd -t -f %s' with_items: - regexp: "^PermitRootLogin" line: "PermitRootLogin no" - regexp: "^PasswordAuthentication" line: "PasswordAuthentication no" - regexp: "^PubkeyAuthentication" line: "PubkeyAuthentication yes" - name: Restart SSH service. service: name: sshd state: restarted # Delete our network ansible key from the root user. - name: Delete our network ansible key (and other keys) from the root user. file: path: /root/.ssh/authorized_keys state: absent # Upgrade all apt packages for good measure. - name: Upgrade all apt packages apt: upgrade=dist force_apt_get=yes when: aptfolder.stat.exists