technolog/ansible
1
0
Fork 0
Code Issues Pull Requests Activity
ansible/linux/compliance.yaml
iRaven f27077bcf8 Update APT checker
2025-04-10 01:36:05 -05:00

134 lines
4.2 KiB
YAML
Raw Blame History

---
## Checks/deploys a Linux system to be managed with Ansible.
- hosts: all
gather_facts: yes
become: yes
tasks:
# Check for package managers
- name: Check for APT installation
stat:
path: /etc/apt
register: aptfolder
# APT Cacher-NG Configuration
- name: Add APT-Cacher-NG Configuration
copy:
content: "{{ aptcacher_config }}"
dest: /etc/apt/apt.conf.d/proxy
when: aptfolder.stat.exists
# Update apt package lists after adding our proxy
- name: Update apt repo package lists from cacher
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
when: aptfolder.stat.exists
# User account (ansible) configuration
- name: Add deployment user.
user:
name: ansible
state: present
# add to sudo
groups: sudo
append: yes
# Ansible user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for deployment user.
file:
path: /home/ansible/.ssh
state: directory
- name: Add deployment user's SSH key.
copy:
content: "{{ ansiblesvc_key }}"
dest: /home/ansible/.ssh/authorized_keys
# shell:
# cmd: echo "{{ ansiblesvc_key }}" > /home/ansible/.ssh/authorized_keys
# creates: /home/ansible/.ssh/authorized_keys
# Add required packages because Debian is lame
- name: Install standard packages if not already installed.
# Looking at you LXCs. >.>
ansible.builtin.package:
name:
- sudo
- curl
- net-tools
- wget
state: present
# Give ansible sudo rights with no password required.
- name: Add sudo rights with no password for deployment user.
lineinfile:
dest: /etc/sudoers
regexp: '^ansible'
line: 'ansible ALL=(ALL) NOPASSWD: ALL'
state: present
validate: 'visudo -cf %s'
# # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
# - name: Stop and disable firewalld.
# service:
# name: firewalld
# state: stopped
# enabled: false
# when: "'firewalld' in services"
# User account (nhadmin) configuration, for sysadmin use
- name: Create user nhadmin.
user:
name: nhadmin
state: present
password: "{{ nhadmin_password | password_hash('sha512') }}"
shell: /bin/bash
# add to sudo, systemd-journal
groups: sudo,systemd-journal
append: yes
# Sysadmin user SSH pub key
# This is a really stupid way to do it, but alas.
# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
- name: Create ssh directory for nhadmin.
file:
path: /home/nhadmin/.ssh
state: directory
- name: Add nhadmin user's SSH key.
copy:
content: "{{ nhadmin_key }}"
dest: /home/nhadmin/.ssh/authorized_keys
# shell:
# cmd: echo "{{ nhadmin_key }}" > /home/nhadmin/.ssh/authorized_keys
# creates: /home/nhadmin/.ssh/authorized_keys
# SSH config updating
- name: Update SSH configuration to disallow root login and disable password authentication.
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^PubkeyAuthentication"
line: "PubkeyAuthentication yes"
- name: Restart SSH service.
service:
name: ssh
state: restarted
# Delete our network ansible key from the root user.
- name: Delete our network ansible key (and other keys) from the root user.
file:
path: /root/.ssh/authorized_keys
state: absent
# Upgrade all apt packages for good measure.
- name: Upgrade all apt packages
apt: upgrade=dist force_apt_get=yes
when: aptfolder.stat.exists
Reference in New Issue View Git Blame Copy Permalink