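---
## Checks/deploys a Linux system to be managed with Ansible.
##
## What this play does, in order:
##   1. Creates the `ansible` service account, installs its SSH public key and
##      grants it passwordless sudo (sudoers change validated with visudo).
##   2. Stops and disables firewalld where present (the original author relies
##      on firewall rules managed by UniFi at the network edge).
##   3. Creates the `nhadmin` sysadmin account with a password and sudo group
##      membership.
##   4. Disables root SSH login in sshd_config (validated with `sshd -t`).
##   5. Removes root's authorized_keys file.
##   6. Appends a dhclient configuration block (its `content` continues past
##      this excerpt).
##
## Required vars: ansiblesvc_key (value handed to authorized_key's `key` for
## the ansible account) and nhadmin_password (plaintext; hashed at run time —
## keep it in Ansible Vault, never in a plain vars file).
- hosts: all
  gather_facts: true
  become: true

  tasks:
    # --- Deployment (ansible) service account --------------------------------
    - name: Add deployment user.
      ansible.builtin.user:
        name: ansible
        state: present

    # Key-based access only — this account is never given a password here.
    - name: Add deployment user's SSH key.
      ansible.posix.authorized_key:
        user: ansible
        state: present
        key: "{{ ansiblesvc_key }}"

    # NOPASSWD sudo for the automation account. `validate` makes lineinfile
    # write a temporary copy and run visudo on it before it is moved into
    # place, so a typo here cannot leave the host with an unparsable sudoers
    # (which would lock every account out of sudo).
    # The regexp is anchored to `ansible` followed by whitespace: a bare
    # `^ansible` would also rewrite a rule for any other principal whose name
    # merely starts with "ansible" (e.g. `ansibleadmin`).
    # NOTE(review): a drop-in under /etc/sudoers.d/ (mode 0440) would keep the
    # distro-managed /etc/sudoers untouched; left as-is rather than assume
    # every target honours #includedir.
    - name: Add sudo rights with no password for deployment user.
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^ansible\s'
        line: 'ansible ALL=(ALL) NOPASSWD: ALL'
        state: present
        validate: 'visudo -cf %s'

    # --- Host firewall -------------------------------------------------------
    # Disabling the host firewall removes a layer of defence-in-depth; the
    # justification in the original playbook is that firewall rules are managed
    # by UniFi. ignore_errors lets the play continue on hosts that do not have
    # firewalld at all (ufw/nftables or nothing), but it equally masks a real
    # failure to stop the service — read the task result, do not assume the
    # firewall is down because the play went green.
    - name: Stop and disable firewalld.
      ansible.builtin.service:
        name: firewalld
        state: stopped
        enabled: false
      ignore_errors: true

    # --- Sysadmin (nhadmin) account ------------------------------------------
    # no_log keeps the plaintext password and the resulting hash out of the
    # Ansible log and verbose output (module args are otherwise printed with -v).
    # password_hash() draws a fresh random salt on every run, so this task
    # reports "changed" each time and will also overwrite a password the admin
    # later changed interactively; add `update_password: on_create` if that is
    # not intended.
    # NOTE(review): group `sudo` is the Debian/Ubuntu convention — RHEL-family
    # hosts (the ones that ship firewalld) use `wheel`; confirm against the
    # inventory.
    - name: Create user nhadmin.
      ansible.builtin.user:
        name: nhadmin
        state: present
        password: "{{ nhadmin_password | password_hash('sha512') }}"
        groups: sudo
        append: true
      no_log: true

    # --- sshd hardening ------------------------------------------------------
    # Each loop item is a (regexp, line) pair; extend the list to harden
    # further. PasswordAuthentication is deliberately not touched here: nhadmin
    # has a password but no key, so turning it off would lock that account out.
    # `validate` runs `sshd -t` against the candidate file so a bad directive is
    # rejected before it can stop the daemon from coming back on restart.
    # The `restart ssh` handler must exist in this play's `handlers:` section
    # (not visible in this excerpt); the service is named `sshd` on some
    # distributions, so check the handler matches the target.
    - name: Update SSH configuration to be more secure.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: 'sshd -t -f %s'
      loop:
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
      notify: restart ssh

    # --- Remove root's SSH keys ----------------------------------------------
    # Despite the task name, this deletes root's entire authorized_keys file,
    # not just the ansible key — every key-based root login is revoked. If this
    # play itself connects as root, the current session survives (it is already
    # authenticated) but a reconnect or a later run as root will not; run as the
    # `ansible` account from here on. ignore_errors is belt-and-braces: the file
    # module does not fail when the path is already absent.
    - name: Delete our network ansible key from the root user.
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        state: absent
      ignore_errors: true

    # --- dhclient: identify by MAC address, not Client ID (added 04/28/24) ---
    # The marker must contain {mark} so blockinfile can write distinct BEGIN and
    # END lines; without it the module cannot find the block it wrote last time
    # and re-inserts it on every run (documented in the `marker` option).
    # Hosts already configured with the old marker keep that stray line — remove
    # it once by hand or with a follow-up lineinfile task.
    # NOTE(review): /etc/dhclient/dhclient.conf is an unusual location — most
    # distributions use /etc/dhcp/dhclient.conf; confirm against the targets.
    - name: Configure dhclient to use the MAC address of the system instead of Client ID.
      ansible.builtin.blockinfile:
        state: present
        insertafter: EOF
        path: /etc/dhclient/dhclient.conf
        marker: "# {mark} Changed by ansible playbook: Use MAC address instead of DHCP Client ID"
        content: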