diff --git a/Makefile b/Makefile
index bc41cf0b97c1b5cd6a147bf26d85d191d0f41d34..f9580786924cf59084b9755293fdf5b469d243cb 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,8 @@ clean:
 find . -type f -name "*.orig" -delete
 open_all:
- ${EDITOR} .gitignore become_user_cfg.yml host_info.yml inventory Makefile README.md shutdown.yml whoami.yml
+ ${EDITOR} .gitignore inventory Makefile README.md
+ ${EDITOR} tasks/*.yml
 inventory_generation:
 cp inventory.sample inventory && ${EDITOR} inventory
diff --git a/README.md b/README.md
index 10e040ad2f3bc200b7cefcca5f318b4d6961ac3a..60c11bc4b7e45f38739abfb2d67be1079cef5e07 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,12 @@ Suitable for server and workstation.
 ✨ Features
 -----------
-| playbook | purpose |
-| :--------------------------------------: | :--------------------------------------------------------------: |
-| [`become_user_cfg.yml`](become_user_cfg.yml) | Set `sudo` without password for `become_user` access |
-| [`host_info.yml`](host_info.yml) | Return message with distribution full name & version |
-| [`shutdown.yml`](shutdown.yml) | Shutdown target in 10 min |
-| [`whoami.yml`](whoami.yml) | Return message with `ansible_user` & `become_user` (`sudo` method) |
+| playbook | purpose |
+| :--------------------------------------: | :--------------------------------------------------------------: |
+| [`become_user_cfg.yml`](tasks/become_user_cfg.yml) | Set `sudo` without password for `become_user` access |
+| [`host_info.yml`](tasks/host_info.yml) | Return message with distribution full name & version |
+| [`shutdown.yml`](tasks/shutdown.yml) | Shutdown target in 10 min |
+| [`whoami.yml`](tasks/whoami.yml) | Return message with `ansible_user` & `become_user` (`sudo` method) |
 🚀 Quickstart 
diff --git a/become_user_cfg.yml b/tasks/become_user_cfg.yml
similarity index 90%
rename from become_user_cfg.yml
rename to tasks/become_user_cfg.yml
index 943e4824a6c7ee5e613b25e35fb56b3e1a3d4fbd..ea041dc185774cbb6b28aa27d77fdf0230fe1f75 100644
--- a/become_user_cfg.yml
+++ b/tasks/become_user_cfg.yml
@@ -1,21 +1,23 @@
 ---
 - hosts: "{{ host_list }}"
- become: yes
 become_method: sudo
 remote_user: "{{ my_user }}"
 tasks:
 - name: SUDO | Group sudo presence
+ become: yes
 ansible.builtin.group:
 name: sudo
 state: present
 - name: SUDO | Group wheel absence
+ become: yes
 ansible.builtin.group:
 name: wheel
 state: absent
 - name: SUDO | User presence (with groups)
+ become: yes
 ansible.builtin.user:
 name: "{{ my_user }}"
 state: present
@@ -23,21 +25,26 @@
 append: true
 - name: SUDO | Reset ansible connection to apply group update
+ become: yes
 meta: reset_connection
 - name: "SSH | Local public key is present for {{ my_user }}"
+ become: yes
 ansible.builtin.authorized_key:
 comment: "Managed by Ansible from GitLab @free_zed"
 key: https://gitlab.com/free_zed.keys
 state: present
 user: "{{ my_user }}"
+ - name: SSH | Disallow SSH password authentication for root
+ become: yes
 copy:
 src: sshd_config
 dest: /etc/ssh/sshd_config
 - name: "SSH | Local public key is present for root"
+ become: yes
 ansible.builtin.authorized_key:
 comment: "Managed by Ansible from GitLab @free_zed"
 key: https://gitlab.com/free_zed.keys
@@ -45,6 +52,7 @@
 user: root
 - name: SSH | Remove no password directive
+ become: yes
 ansible.builtin.lineinfile:
 path: /etc/sudoers
 state: absent
diff --git a/tasks/files/sshd_config b/tasks/files/sshd_config
new file mode 100644
index 0000000000000000000000000000000000000000..5bacb890548c0bc4f46399d4426f7332b17f7b7c
--- /dev/null
+++ b/tasks/files/sshd_config 
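Review bot: The three `become: yes` lines added to the SUDO tasks (replacing the play-level one) use the YAML 1.1 boolean spelling that yamllint's `truthy` rule and ansible-lint flag; `become: true` is the canonical form and matches the `append: true` already used in the next hunk. Now that privilege escalation is opted into per task rather than inherited from the play, any task added later runs unprivileged as `remote_user` by default, which is the right least-privilege default but is easy to miss, so a one-line comment above `tasks:` such as `# become is set per task; the play runs unprivileged by default` would document the intent. The `SUDO | User presence (with groups)` task continues past the end of this hunk.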
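Review bot: The new `SSH | Disallow SSH password authentication for root` task copies `sshd_config` over `/etc/ssh/sshd_config` with no `validate:` and no handler notification, so a syntax error in the shipped file is only discovered at the next sshd restart (when it locks everyone out), and until some restart happens the intended `PermitRootLogin prohibit-password` is not in effect at all. It also uses the short `copy` name while every sibling task uses the `ansible.builtin.` FQCN, and sets no `owner`/`group`/`mode` on a file sshd is sensitive about. Separately, both `authorized_key` tasks fetch `key:` from `https://gitlab.com/free_zed.keys` at run time, so root access on every managed host tracks whatever that GitLab account serves and the target's TLS trust store; vendoring the public key into `files/` and using `key: "{{ lookup('file', 'free_zed.pub') }}"` removes that live dependency. The `handlers:` section below belongs at play level, outside this hunk.

```yaml
    - name: SSH | Disallow SSH password authentication for root
      become: true
      ansible.builtin.copy:
        src: sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        # refuse to install a config sshd cannot parse (prevents lock-out on restart)
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

  # … unchanged: remaining tasks …

  handlers:
    - name: Restart sshd
      become: true
      ansible.builtin.service:
        name: ssh
        state: restarted
```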
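Review bot: The `SSH | Remove no password directive` task edits `/etc/sudoers` with `lineinfile` and no `validate:`; a malformed result disables sudo for every account on the host, which is the only escalation path left once root password login is off, so add `validate: /usr/sbin/visudo -cf %s` to the module args. The task is prefixed `SSH |` but touches sudoers, so `SUDO |` would match the naming of the earlier tasks, and `become: yes` should be `become: true` as elsewhere. The `regexp`/`line` arguments of this task continue past the end of the hunk, so what exactly is removed cannot be checked here.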
@@ -0,0 +1,18 @@
+# ############################################# #
+# /etc/ssh/sshd_config #
+# #
+# This file is managed by Ansible #
+# Manual edition will be overridden #
+# #
+# https://lab.frogg.it/fcode/ansible/debian #
+# #
+# ############################################# #
+
+Include /etc/ssh/sshd_config.d/*.conf
+PermitRootLogin prohibit-password
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/host_info.yml b/tasks/host_info.yml
similarity index 100%
rename from host_info.yml
rename to tasks/host_info.yml
diff --git a/shutdown.yml b/tasks/shutdown.yml
similarity index 100%
rename from shutdown.yml
rename to tasks/shutdown.yml
diff --git a/whoami.yml b/tasks/whoami.yml
similarity index 100%
rename from whoami.yml
rename to tasks/whoami.yml
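Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first directive, and sshd keeps the first value it obtains for each keyword, so any drop-in in that directory (cloud-init writes one on many images, for example) silently overrides the `PermitRootLogin prohibit-password` that follows; either move the `Include` line to the end of the file so this file's settings win, or add a task that manages or empties `/etc/ssh/sshd_config.d/`. `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH releases and should be written as `KbdInteractiveAuthentication no`. `PasswordAuthentication` is not set at all, so it stays at sshd's default of `yes` for non-root users; if key-only login is the intent for the accounts this play provisions keys for, add `PasswordAuthentication no`. `X11Forwarding yes` is broader than a server baseline usually needs, so confirm it is wanted rather than inherited from the Debian default.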