97 lines
3.1 KiB
YAML
97 lines
3.1 KiB
YAML
---
|
|
## Checks/deploys a Linux system to be managed with Ansible.
|
|
|
|
- hosts: all
|
|
gather_facts: yes
|
|
become: yes
|
|
|
|
tasks:
|
|
# User account (ansible) configuration
|
|
- name: Add deployment user.
|
|
user:
|
|
name: ansible
|
|
state: present
|
|
# add to sudo
|
|
groups: sudo
|
|
append: yes
|
|
|
|
# Ansible user SSH pub key
|
|
# This is a really stupid way to do it, but alas.
|
|
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
|
|
- name: Add deployment user's SSH key.
|
|
file:
|
|
path: /home/ansible/.ssh
|
|
state: directory
|
|
shell:
|
|
cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys
|
|
creates: /home/ansible/.ssh/authorized_keys
|
|
|
|
# Give ansible sudo rights with no password required.
|
|
- name: Install sudo if not already installed.
|
|
# Looking at you LXCs. >.>
|
|
ansible.builtin.package:
|
|
name: sudo
|
|
state: present
|
|
|
|
- name: Add sudo rights with no password for deployment user.
|
|
lineinfile:
|
|
dest: /etc/sudoers
|
|
regexp: '^ansible'
|
|
line: 'ansible ALL=(ALL) NOPASSWD: ALL'
|
|
state: present
|
|
validate: 'visudo -cf %s'
|
|
|
|
# # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
|
|
# - name: Stop and disable firewalld.
|
|
# service:
|
|
# name: firewalld
|
|
# state: stopped
|
|
# enabled: false
|
|
# when: "'firewalld' in services"
|
|
|
|
# User account (nhadmin) configuration, for sysadmin use
|
|
- name: Create user nhadmin.
|
|
user:
|
|
name: nhadmin
|
|
state: present
|
|
password: "{{ nhadmin_password | password_hash('sha512') }}"
|
|
shell: /bin/bash
|
|
# add to sudo
|
|
groups: sudo
|
|
append: yes
|
|
# Sysadmin user SSH pub key
|
|
# This is a really stupid way to do it, but alas.
|
|
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
|
|
- name: Add nhadmin user's SSH key.
|
|
file:
|
|
path: /home/nhadmin/.ssh
|
|
state: directory
|
|
shell:
|
|
cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys
|
|
creates: /home/nhadmin/.ssh/authorized_keys
|
|
|
|
# SSH config updating
|
|
- name: Update SSH configuration to disallow root login and disable password authentication.
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
validate: 'sshd -t -f %s'
|
|
with_items:
|
|
- regexp: "^PermitRootLogin"
|
|
line: "PermitRootLogin no"
|
|
- regexp: "^PasswordAuthentication"
|
|
line: "PasswordAuthentication no"
|
|
- regexp: "^PubkeyAuthentication"
|
|
line: "PubkeyAuthentication yes"
|
|
- name: Restart SSH service.
|
|
service:
|
|
name: ssh
|
|
state: restarted
|
|
|
|
# Delete our network ansible key from the root user.
|
|
- name: Delete our network ansible key (and other keys) from the root user.
|
|
file:
|
|
path: /root/.ssh/authorized_keys
|
|
state: absent |