From 5a5cdc94cc6b2f78d09f9fdaa62ed488aa5604df Mon Sep 17 00:00:00 2001 From: Simeon Keske Date: Sun, 15 Mar 2020 22:40:58 +0100 Subject: [PATCH] initial commit --- defaults/main.yml | 4 +++ files/molly-guard | 11 +++++++ meta/main.yml | 5 +++ tasks/main.yml | 16 +++++++++ tasks/molly-guard.yml | 10 ++++++ tasks/packages.yml | 26 +++++++++++++++ tasks/sudo.yml | 9 +++++ tasks/user.yml | 77 +++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 158 insertions(+) create mode 100644 defaults/main.yml create mode 100644 files/molly-guard create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 tasks/molly-guard.yml create mode 100644 tasks/packages.yml create mode 100644 tasks/sudo.yml create mode 100644 tasks/user.yml diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..d118863 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,4 @@ +--- +users: +- { name: 'user', state: 'present', public_key: '' } +- { name: 'nouser', state: 'absent', public_key: '' } diff --git a/files/molly-guard b/files/molly-guard new file mode 100644 index 0000000..d6ba48c --- /dev/null +++ b/files/molly-guard @@ -0,0 +1,11 @@ +# molly-guard settings +# +# ALWAYS_QUERY_HOSTNAME +# when set, causes the 30-query-hostname script to always ask for the +# hostname, even if no SSH session was detected. +ALWAYS_QUERY_HOSTNAME=true + +# USE_FQDN +# when set, causes the 30-query-hostname script to ask for the fully-qualified +# hostname, rather than the short name +#USE_FQDN=true diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..878eeaa --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: +# - role: ssh_server +# tags: ['ssh', 'sshd'] + - role: jnv.unattended-upgrades diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..d247fc8 --- /dev/null +++ b/tasks/main.yml 
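Review bot: The default `users` list creates an account named `user` on every host the role runs on when no inventory override is supplied; per tasks/user.yml that account lands in the `sudo` and `adm` groups, and tasks/sudo.yml makes that group NOPASSWD, so the default is a privileged account nobody asked for. Ship an empty default instead, `users: []`, and describe the expected item keys (`name`, `state`, `public_key`, optional `shell`) in a comment above it. The `nouser` entry with `state: 'absent'` is likewise only an example and will run `userdel --remove` against a real `nouser` if one exists.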
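Review bot: The `jnv.unattended-upgrades` dependency carries no `version`, so whatever revision is resolved at install time is pulled in and run as root on every host. If this role is fetched from Galaxy, pin it to a tag or commit — either `- { role: jnv.unattended-upgrades, version: '<pinned tag>' }` here or in the project's requirements.yml — so the role's behaviour cannot change underneath you. The commented-out `ssh_server` dependency should either be removed or get a comment explaining when it is expected to be enabled.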
@@ -0,0 +1,16 @@ +--- + - import_tasks: packages.yml + - include: sudo.yml + - include: molly-guard.yml + + - include: user.yml user={{ users }} + tags: user + + - name: adding message of the day + template: + dest: /etc/motd + src: "{{ motd_path }}" + owner: root + group: root + mode: 0644 + when: motd_path and motd_path != '' diff --git a/tasks/molly-guard.yml b/tasks/molly-guard.yml new file mode 100644 index 0000000..e83345d --- /dev/null +++ b/tasks/molly-guard.yml @@ -0,0 +1,10 @@ +--- +- name: install molly-guard + apt: + name: molly-guard + state: present + +- name: configure molly-guard + copy: dest=/etc/molly-guard/rc + src=molly-guard + owner=root group=root mode=0644 diff --git a/tasks/packages.yml b/tasks/packages.yml new file mode 100644 index 0000000..e5aa733 --- /dev/null +++ b/tasks/packages.yml @@ -0,0 +1,26 @@ +--- +- name: Update and upgrade apt packages + apt: + upgrade: 'yes' + update_cache: 'yes' + cache_valid_time: 86400 # One day + +- name: install a default set of packages + package: + name: + - vim + - nano + - htop + - git + - tmux + - screen + - byobu + - ncdu + - moreutils + - apt-transport-https + - smartmontools + - zip + - unzip + - zsh + state: present + tags: packages diff --git a/tasks/sudo.yml b/tasks/sudo.yml new file mode 100644 index 0000000..a8f4c7f --- /dev/null +++ b/tasks/sudo.yml @@ -0,0 +1,9 @@ +--- + - name: ensure sudo is installed + apt: name=sudo state=present + + - name: allow sudo for users in the sudo group + lineinfile: "dest=/etc/sudoers state=present regexp='^%sudo' line='%sudo ALL=(ALL:ALL) NOPASSWD: ALL'" + + - name: allow sudo to keep SSH_AUTH_SOCK env + lineinfile: "dest=/etc/sudoers state=present regexp='^Defaults.*env_keep.*SSH_AUTH_SOCK' line='Defaults env_keep += \"SSH_AUTH_SOCK\"'" diff --git a/tasks/user.yml b/tasks/user.yml new file mode 100644 index 0000000..3a483a8 --- /dev/null +++ b/tasks/user.yml 
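Review bot: `when: motd_path and motd_path != ''` raises an undefined-variable error when `motd_path` is not set, and defaults/main.yml in this commit defines no default for it, so the role fails on any host that does not supply one; use `when: motd_path | default('') != ''`. The include line passes `user={{ users }}`, but tasks/user.yml loops over `users`, so that extra variable is never read and can be dropped. `include:` is also deprecated in favour of `import_tasks`/`include_tasks`, which the first task in the same file already uses; making all four consistent avoids the mixed static/dynamic semantics.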
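Review bot: `upgrade: 'yes'` performs an `apt-get upgrade` of every package on every run of the role, not just when the cache is stale — `cache_valid_time` only gates the `update_cache` part. Since meta/main.yml already pulls in `jnv.unattended-upgrades`, this is either redundant or a deliberate choice that deserves a comment, and it is worth gating behind a variable such as `when: apt_full_upgrade | default(false)` so a routine user-management run cannot restart services through a package upgrade. The `'yes'` and `'yes'` values should be written as the module's literal option words rather than quoted strings, e.g. `upgrade: safe` and `update_cache: true`.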
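Review bot: `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` grants passwordless root to the whole `sudo` group, which tasks/user.yml puts every managed user into, so a stolen or forwarded SSH key is immediately root with no second factor; make NOPASSWD opt-in through a variable and default to `%sudo ALL=(ALL:ALL) ALL`. Both `lineinfile` tasks rewrite /etc/sudoers without `validate: '/usr/sbin/visudo -cf %s'`; add it to each, otherwise a malformed line leaves sudo unusable on the host and there is no way back in without a console. Keeping `SSH_AUTH_SOCK` in `env_keep` means any process run under sudo can use the user's forwarded agent; if that is intended, say so in a comment, since it widens what a root-level compromise can reach. A cleaner shape is a `copy` of a small file into `/etc/sudoers.d/` with `mode: '0440'` and the same `validate`, instead of editing /etc/sudoers in place with `dest=` key=value strings.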
@@ -0,0 +1,77 @@ +--- +# remove user when remove variable is defined +- name: remove user + user: state=absent remove=yes + name={{ item.name }} + when: item.state == 'absent' + with_items: + - "{{ users }}" + +- name: get bash's path + shell: command -v bash + register: bash_path + changed_when: false + +- name: create user + user: state=present + name="{{ item.name }}" + groups="sudo,adm" append=yes + shell={{ item.shell | default(bash_path.stdout) }} + with_items: + - "{{ users }}" + when: item.state != 'absent' + +- name: add user's authorized_keys + authorized_key: user="{{ item.name }}" manage_dir=true key="{{ item.public_key }}" + state=present exclusive=yes + with_items: + - "{{ users }}" + when: item.state != 'absent' and item.public_key is defined and item.public_key != '' + +- name: add user to root's authorized_keys + authorized_key: user="root" manage_dir=true key="{{ item.public_key }}" + state=present + with_items: + - "{{ users }}" + when: item.state != 'absent' and item.public_key is defined and item.public_key != '' + +- name: remove user from root's authorized_keys + authorized_key: user="root" manage_dir=true key="{{ item.public_key }}" + state=absent + with_items: + - "{{ users }}" + when: item.state == 'absent' and item.public_key is defined and item.public_key != '' + +- name: create pve admin-group + shell: + cmd: 'pveum groupadd admin -comment "System Administrators"' + when: "'proxmox' in group_names" + ignore_errors: True + +- name: give pve admin-group privileges + shell: + cmd: 'pveum aclmod / -group admin -role Administrator' + when: "'proxmox' in group_names" + +- name: create pve user + shell: + cmd: 'pveum useradd {{ item.name }}@pam' + with_items: + - "{{ users }}" + when: item.state != 'absent' and 'proxmox' in group_names + ignore_errors: True + +- name: disable pve user + shell: + cmd: 'pveum usermod {{ item.name }}@pam -enable 0' + with_items: + - "{{ users }}" + when: item.state == 'absent' and 'proxmox' in group_names + 
ignore_errors: True + +- name: add user to pve admin group + shell: + cmd: 'pveum usermod {{ item.name }}@pam -group admin' + with_items: + - "{{ users }}" + when: item.state != 'absent' and 'proxmox' in group_names
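Review bot: The `add user to root's authorized_keys` task gives every present user with a key direct root SSH login, on top of the `sudo,adm` membership granted in `create user`; that should be opt-in, e.g. `when: item.state != 'absent' and item.root_login | default(false) and item.public_key | default('') != ''`. Because that task is not `exclusive`, a key only leaves root's file if the same entry later reappears with `state: 'absent'` and the identical `public_key` — an entry that is simply deleted from `users` keeps root access indefinitely. The `pveum` tasks interpolate `{{ item.name }}` into `shell:` unquoted; use `{{ item.name | quote }}` or the `command:` module so a name containing shell metacharacters cannot run extra commands as root. `ignore_errors: True` on `groupadd`/`useradd`/`usermod` also hides real failures; match on the "already exists" case with `failed_when`/`changed_when` instead.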