From 5a5cdc94cc6b2f78d09f9fdaa62ed488aa5604df Mon Sep 17 00:00:00 2001
From: Simeon Keske <ca-git@noemis.me>
Date: Sun, 15 Mar 2020 22:40:58 +0100
Subject: [PATCH] initial commit

---
 defaults/main.yml     |  4 +++
 files/molly-guard     | 11 +++++++
 meta/main.yml         |  5 +++
 tasks/main.yml        | 16 +++++++++
 tasks/molly-guard.yml | 10 ++++++
 tasks/packages.yml    | 26 +++++++++++++++
 tasks/sudo.yml        |  9 +++++
 tasks/user.yml        | 77 +++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 158 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 files/molly-guard
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/molly-guard.yml
 create mode 100644 tasks/packages.yml
 create mode 100644 tasks/sudo.yml
 create mode 100644 tasks/user.yml

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..d118863
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+users:
+- { name: 'user', state: 'present', public_key: '' }
+- { name: 'nouser', state: 'absent', public_key: '' }
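Review bot: The role default at lines 33–34 is not a placeholder but a live value: any host that does not override `users` gets an account named `user` created by tasks/user.yml, placed in `sudo,adm` (passwordless sudo via tasks/sudo.yml) and, on Proxmox hosts, made a PVE Administrator. A safer default is `users: []`, with the two example entries moved to a README or a comment. Style-wise the entries are structured data and read better in block form (`- name: 'user'` / `state: 'present'` / `public_key: ''`) than in flow mappings.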
diff --git a/files/molly-guard b/files/molly-guard
new file mode 100644
index 0000000..d6ba48c
--- /dev/null
+++ b/files/molly-guard
@@ -0,0 +1,11 @@
+# molly-guard settings
+#
+# ALWAYS_QUERY_HOSTNAME
+# when set, causes the 30-query-hostname script to always ask for the
+# hostname, even if no SSH session was detected.
+ALWAYS_QUERY_HOSTNAME=true
+
+# USE_FQDN
+# when set, causes the 30-query-hostname script to ask for the fully-qualified
+# hostname, rather than the short name
+#USE_FQDN=true
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..878eeaa
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+# - role: ssh_server
+#   tags: ['ssh', 'sshd']
+ - role: jnv.unattended-upgrades
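Review bot: The Galaxy dependency `jnv.unattended-upgrades` at line 62 is unpinned, so every fresh install of this role pulls whatever the upstream author has most recently published; pin it to a reviewed version (a `requirements.yml` entry with `version:`, or the `src`/`version` form of a dependency here) so the code that runs as root on every managed host is reproducible. Minor: the live entry is indented by one space while the commented-out `ssh_server` entry sits at column 0 — pick one sequence indentation for the file.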
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..d247fc8
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+  - import_tasks: packages.yml
+  - include: sudo.yml
+  - include: molly-guard.yml
+
+  - include: user.yml user={{ users }}
+    tags: user
+
+  - name: adding message of the day
+    template:
+      dest: /etc/motd
+      src: "{{ motd_path }}"
+      owner: root
+      group: root
+      mode: 0644
+    when: motd_path and motd_path != ''
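Review bot: `motd_path` is referenced in the `when` at line 84 but is not declared in defaults/main.yml, so on a host that does not set it the task fails with an undefined-variable error instead of being skipped; either add `motd_path: ''` to the defaults or test `when: motd_path is defined and motd_path != ''`. The inline argument at line 74, `user={{ users }}`, is never consumed — tasks/user.yml loops over `users` directly — so it can be dropped, and `include:` (lines 71–74) is deprecated in favour of `include_tasks`/`import_tasks`, which line 70 already uses. The mode at line 83 is best written as the string `'0644'` so the YAML loader cannot reinterpret it.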
diff --git a/tasks/molly-guard.yml b/tasks/molly-guard.yml
new file mode 100644
index 0000000..e83345d
--- /dev/null
+++ b/tasks/molly-guard.yml
@@ -0,0 +1,10 @@
+---
+- name: install molly-guard
+  apt:
+    name: molly-guard
+    state: present
+
+- name: configure molly-guard
+  copy: dest=/etc/molly-guard/rc
+        src=molly-guard
+        owner=root group=root mode=0644
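Review bot: The `copy` task at lines 98–100 uses a multi-line `key=value` argument string while the `apt` task just above uses block-style arguments; the mixed styles in a ten-line file are hard to read and the folded plain scalar is fragile if any value ever contains a space. Writing it as `copy:` with `dest:`, `src:`, `owner:`, `group:` and `mode: '0644'` keys matches the first task and the rest of the role's newer files.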
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..e5aa733
--- /dev/null
+++ b/tasks/packages.yml
@@ -0,0 +1,26 @@
+---
+- name: Update and upgrade apt packages
+  apt:
+    upgrade: 'yes'
+    update_cache: 'yes'
+    cache_valid_time: 86400 # One day
+
+- name: install a default set of packages
+  package:
+    name:
+    - vim
+    - nano
+    - htop
+    - git
+    - tmux
+    - screen
+    - byobu
+    - ncdu
+    - moreutils
+    - apt-transport-https
+    - smartmontools
+    - zip
+    - unzip
+    - zsh
+    state: present
+  tags: packages
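Review bot: The first task (lines 108–112) performs an apt upgrade of every installed package on every run of the role, including runs that only intend to touch users or sudo; an unexpected kernel or library upgrade during a user-management play is a real availability risk. Make the intent explicit with `upgrade: safe` and gate it behind a role variable (for example `when: apt_upgrade | default(false)`, name constructed) or a dedicated tag, and write `update_cache: true` rather than the quoted string `'yes'` so the value is a real boolean.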
diff --git a/tasks/sudo.yml b/tasks/sudo.yml
new file mode 100644
index 0000000..a8f4c7f
--- /dev/null
+++ b/tasks/sudo.yml
@@ -0,0 +1,9 @@
+---
+  - name: ensure sudo is installed
+    apt: name=sudo state=present
+
+  - name: allow sudo for users in the sudo group
+    lineinfile: "dest=/etc/sudoers state=present regexp='^%sudo' line='%sudo   ALL=(ALL:ALL) NOPASSWD: ALL'"
+
+  - name: allow sudo to keep SSH_AUTH_SOCK env
+    lineinfile: "dest=/etc/sudoers state=present regexp='^Defaults.*env_keep.*SSH_AUTH_SOCK' line='Defaults        env_keep += \"SSH_AUTH_SOCK\"'"
diff --git a/tasks/user.yml b/tasks/user.yml
new file mode 100644
index 0000000..3a483a8
--- /dev/null
+++ b/tasks/user.yml
@@ -0,0 +1,77 @@
+---
+# remove user when remove variable is defined
+- name: remove user
+  user: state=absent remove=yes
+        name={{ item.name }}
+  when: item.state == 'absent'
+  with_items:
+  - "{{ users }}"
+
+- name: get bash's path
+  shell: command -v bash
+  register: bash_path
+  changed_when: false
+
+- name: create user
+  user: state=present
+        name="{{ item.name }}"
+        groups="sudo,adm" append=yes
+        shell={{ item.shell | default(bash_path.stdout) }}
+  with_items:
+  - "{{ users }}"
+  when: item.state != 'absent'
+
+- name: add user's authorized_keys
+  authorized_key: user="{{ item.name }}" manage_dir=true key="{{ item.public_key }}"
+                  state=present exclusive=yes
+  with_items:
+  - "{{ users }}"
+  when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
+
+- name: add user to root's authorized_keys
+  authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
+                  state=present
+  with_items:
+  - "{{ users }}"
+  when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
+
+- name: remove user from root's authorized_keys
+  authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
+                state=absent
+  with_items:
+  - "{{ users }}"
+  when: item.state == 'absent' and item.public_key is defined and item.public_key != ''
+
+- name: create pve admin-group
+  shell:
+    cmd: 'pveum groupadd admin -comment "System Administrators"'
+  when: "'proxmox' in group_names"
+  ignore_errors: True
+
+- name: give pve admin-group privileges
+  shell:
+    cmd: 'pveum aclmod / -group admin -role Administrator'
+  when: "'proxmox' in group_names"
+
+- name: create pve user
+  shell:
+    cmd: 'pveum useradd {{ item.name }}@pam'
+  with_items:
+  - "{{ users }}"
+  when: item.state != 'absent' and 'proxmox' in group_names
+  ignore_errors: True
+
+- name: disable pve user
+  shell:
+    cmd: 'pveum usermod {{ item.name }}@pam -enable 0'
+  with_items:
+  - "{{ users }}"
+  when: item.state == 'absent' and 'proxmox' in group_names
+  ignore_errors: True
+
+- name: add user to pve admin group
+  shell:
+    cmd: 'pveum usermod {{ item.name }}@pam -group admin'
+  with_items:
+  - "{{ users }}"
+  when: item.state != 'absent' and 'proxmox' in group_names
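Review bot: The `pveum` tasks at lines 198–230 interpolate `item.name` unquoted into a `shell` command and then rely on `ignore_errors: True` to survive re-runs, which hides genuine failures and reports `changed` on every run; prefer the `command` module with `{{ item.name | quote }}`, register the result and decide via `changed_when`/`failed_when` on `rc`/`stderr` instead of ignoring all errors (also `ignore_errors: true` in lowercase). The `create user` task at lines 168–175 hard-codes `groups="sudo,adm"` for every entry in `users`, so combined with the NOPASSWD rule in tasks/sudo.yml each managed account is effectively root; `groups="{{ item.groups | default('sudo,adm') }}"` keeps the current default while allowing non-admin accounts. Note that the `add user to root's authorized_keys` task (lines 184–189) also gives every managed key direct root login, which may be intended but deserves a comment stating so.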