
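---
## Checks/deploys a Linux system to be managed with Ansible.
##
## Variables expected from the Semaphore environment:
##   ansiblesvc_key   - public key authorised for the `ansible` deployment user
##   nhadmin_key      - public key authorised for the `nhadmin` sysadmin user
##   nhadmin_password - plaintext password for `nhadmin`; hashed before use
##
## The play ends by removing root's authorized_keys, so the deployment user's
## key and the become settings must already work by the time that step runs.
- hosts: all
  gather_facts: true
  tasks:
    - name: "Set become method to doas (Alpine)"
      ansible.builtin.set_fact:
        ansible_become_method: doas
      when: "ansible_distribution == 'Alpine'"

    - name: "Set become to true if we are not root"
      ansible.builtin.set_fact:
        ansible_become: true
      when: "ansible_user_id != 'root'"

    # User account (ansible) configuration
    - name: Add deployment user.
      ansible.builtin.user:
        name: ansible
        state: present

    # Ansible user SSH pub key
    # This is a really stupid way to do it, but alas.
    # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
    - name: Create ssh directory for deployment user.
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        # sshd (StrictModes) refuses keys under a group/world-writable ~/.ssh
        mode: "0700"

    - name: Add deployment user's SSH key.
      ansible.builtin.copy:
        content: "{{ ansiblesvc_key }}"
        dest: /home/ansible/.ssh/authorized_keys
        owner: ansible
        group: ansible
        mode: "0600"

    # User account (nhadmin) configuration, for sysadmin use
    - name: Create user nhadmin.
      ansible.builtin.user:
        name: nhadmin
        state: present
        # password_hash() picks a fresh random salt on every run, which makes
        # the task report "changed" and rewrite the shadow entry each time.
        # A salt derived from the hostname keeps the hash stable while still
        # letting a changed nhadmin_password propagate.
        password: "{{ nhadmin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        shell: /bin/bash

    # Sysadmin user SSH pub key
    # This is a really stupid way to do it, but alas.
    # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
    - name: Create ssh directory for nhadmin.
      ansible.builtin.file:
        path: /home/nhadmin/.ssh
        state: directory
        owner: nhadmin
        group: nhadmin
        mode: "0700"

    - name: Add nhadmin user's SSH key.
      ansible.builtin.copy:
        content: "{{ nhadmin_key }}"
        dest: /home/nhadmin/.ssh/authorized_keys
        owner: nhadmin
        group: nhadmin
        mode: "0600"

    # SSH config updating
    - name: Update SSH configuration to disallow root login and disable password authentication.
      ansible.builtin.lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd keeps the FIRST value it reads for a keyword, so a line appended
        # at the end of the file loses to anything pulled in by an earlier
        # `Include /etc/ssh/sshd_config.d/*.conf`. Insert missing lines at the
        # top instead; existing lines are still replaced in place.
        insertbefore: BOF
        # NOTE(review): if the become method strips /usr/sbin from PATH,
        # spell out the full path to sshd here.
        validate: 'sshd -t -f %s'
      loop:
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PubkeyAuthentication"
          line: "PubkeyAuthentication yes"
      notify: Restart SSH service.

    # Handlers normally run at the end of the play; run the sshd restart now
    # so the new configuration is live before root's key is removed.
    - name: Apply pending SSH restart.
      ansible.builtin.meta: flush_handlers

    # Delete our network ansible key from the root user.
    - name: Delete our network ansible key (and other keys) from the root user.
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        state: absent

    - name: "Include OS specific tasks"
      ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"

  handlers:
    # Restarted only when the sshd_config task actually changed something.
    # NOTE(review): the unit is named `ssh` (not `sshd`) on Debian/Ubuntu;
    # override per distribution if this play is expected to run there.
    - name: Restart SSH service.
      ansible.builtin.service:
        name: sshd
        state: restarted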