
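---
## Checks/deploys a Linux system to be managed with Ansible.
# Inputs expected from the caller (e.g. Semaphore environment/extra vars):
#   ansiblesvc_key   - the deployment user's public key (ssh-rsa ...)
#   nhadmin_password - clear-text password for the sysadmin account, hashed below
# The admin group is `sudo`, so the play targets Debian/Ubuntu-style hosts.
- hosts: all
  gather_facts: true
  become: true
  tasks:
    # User account (ansible) configuration
    - name: Add deployment user.
      ansible.builtin.user:
        name: ansible
        state: present
        # add to sudo
        groups: sudo
        append: true

    # Ansible user SSH pub key
    # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
    # Written with the copy module instead of `shell: echo "{{ ... }}" > ...` so the key value is
    # never handed to a shell, and so ~/.ssh exists with the ownership/permissions sshd requires.
    - name: Ensure deployment user's .ssh directory exists.
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        mode: "0700"

    - name: Add deployment user's SSH key.
      ansible.builtin.copy:
        # trailing newline matches what `echo` used to write
        content: "{{ ansiblesvc_key }}\n"
        dest: /home/ansible/.ssh/authorized_keys
        owner: ansible
        group: ansible
        mode: "0600"
        # create-only: keep the previous behaviour of never overwriting an existing file
        force: false

    # Give ansible sudo rights with no password required.
    - name: Add sudo rights with no password for deployment user.
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^ansible'
        line: 'ansible ALL=(ALL) NOPASSWD: ALL'
        state: present
        # visudo checks the temp copy before it replaces the real file, so a bad
        # edit cannot break sudo for everyone.
        validate: 'visudo -cf %s'

    # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
    - name: Stop and disable firewalld.
      ansible.builtin.service:
        name: firewalld
        state: stopped
        enabled: false
      # the service module fails on hosts without firewalld; that is the expected case here
      ignore_errors: true

    # User account (nhadmin) configuration, for sysadmin use
    - name: Create user nhadmin.
      ansible.builtin.user:
        name: nhadmin
        state: present
        # password_hash() picks a new random salt on each run, so this task reports
        # "changed" every time; pass a fixed salt or set update_password: on_create
        # if that matters.
        password: "{{ nhadmin_password | password_hash('sha512') }}"
        # add to sudo
        groups: sudo
        append: true

    # SSH config updating
    # NOTE(review): on distributions whose sshd_config starts with
    # `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there is read first and
    # takes precedence over this line — confirm none sets PermitRootLogin.
    - name: Update SSH configuration to disallow root login.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd -t rejects a broken config before it is installed
        validate: 'sshd -t -f %s'
      loop:
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
      # expects a `restart ssh` handler; none is visible in this part of the file — confirm it exists
      notify: restart ssh

    # Delete our network ansible key from the root user.
    - name: Delete our network ansible key (and other keys) from the root user.
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        state: absent
      ignore_errors: true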