ansible/linux/compliance.yaml

---
## Checks/deploys a Linux system to be managed with Ansible.

- hosts: all
  gather_facts: yes
  become: yes

  tasks:
    # User account (ansible) configuration
    - name: Add deployment user.
      user:
        name: ansible
        state: present

    # Ansible user SSH pub key
    - name: Add deployment user's SSH key.
      ansible.posix.authorized_key:
        user: ansible
        state: present
        key: "{{ ansiblesvc_key }}"

    # Give ansible sudo rights with no password required.
    - name: Add sudo rights with no password for deployment user.
      lineinfile:
        dest: /etc/sudoers
        regexp: '^ansible'
        line: 'ansible ALL=(ALL) NOPASSWD: ALL'
        state: present
        validate: 'visudo -cf %s'

    # Configure firewalld (if installed) to be disabled (especially if an internal server.) Firewall rules are managed by UniFi.
    - name: Stop and disable firewalld.
      service:
       name: firewalld
       state: stopped
       enabled: False
       ignore_errors: True

    # User account (nhadmin) configuration, for sysadmin use
    - name: Create user nhadmin.
      user:
        name: nhadmin
        state: present
        password: "{{ nhadmin_password | password_hash('sha512') }}"
        # add to sudo
        groups: sudo
        append: yes

    # SSH config updating
    - name: Update SSH configuration to be more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: 'sshd -t -f %s'
      with_items:
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
      notify: restart ssh

    # Delete our network ansible key from the root user.
    - name: Delete our network ansible key from the root user.
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        state: absent
        ignore_errors: yes
    
    # New 04/28/24: Do not use the DHCP Client ID as our MAC Address.
    - name: Configure dhclient to use the MAC address of the system instead of Client ID.
      blockinfile:
        state: present
        insertafter: EOF
        dest: /etc/dhclient/dhclient.conf
        marker: "# Changed by ansible playbook: Use MAC address instead of DHCP Client ID"
        content: