Changeset - 02fdd520d765
[Not reviewed]
0 1 1
x - 21 months ago 2023-08-21 02:30:28
xbr@c3l.lu
feat: rewritten initial setup, untested
2 files changed with 65 insertions and 37 deletions:
0 comments (0 inline, 0 general)
initial_server_setup/initial_setup.yml
 
---
 
# Defining the remote server where the package will be deployed
 
- name: Initial Server Setup
 
  hosts: test
 
  remote_user: root
 
  become: true
 
  become_method: ansible.builtin.sudo
 

	
 
  vars_files:
 
    - ../user_vars.yml
 
  vars:
 
    password: Welcome1234
 
    ipv4: var=hostvars[initial]['ansible_default_ipv4']['address']
 
    old_hostname: filter=ansible_hostname
 

	
 
  tasks:
 
    - name: Update + Upgrade packages
 
      become: true
 
      ansible.builtin.apt:
 
        upgrade: true
 
        update_cache: true
 
@@ -41,7 +39,6 @@
 
        line: "{{ ansible_default_ipv4.address }} {{ new_hostname }} {{ new_hostname }}.freifunk.lu"
 
        state: present
 
      tags: network,hostname,dns
 

	
 
    - name: Make sure an IPV6 entry in /etc/hosts exists
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
@@ -50,50 +47,66 @@
 
        state: present
 
      tags: network,hostname,dns
 

	
 
    # Create Freifunk Users
 
    - name: Create a login user fantawams
 
      ansible.builtin.user:
 
        name: fantawams
 
        password: "{{ password | password_hash('sha512') }}"
 
        groups:
 
          - sudo
 
        append: true
 
        state: present
 
      tags: users
 

	
 
    - name: Create a login user orimpe
 
      ansible.builtin.user:
 
        name: orimpe
 
        password: "{{ password | password_hash('sha512') }}"
 
        groups:
 
          - sudo
 
        append: true
 
        state: present
 
      tags: users
 
    # SSH security improvements (EmptyPass, PassAuth, RootLogin)
 
    - name: Disable SSH Password Auth
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PasswordAuthentication no'
 
      tags: network,ssh
 
    - name: Disable SSH Empty Password
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PermitEmptyPasswords no'
 
      tags: network,ssh
 
    - name: Disable SSH Root Login
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PermitRootLogin no'
 
      tags: network,ssh
 
    - name: Reload SSHD
 
      ansible.builtin.service:
 
        name: "sshd"
 
        state: "reloaded"
 
      tags: network,ssh
 

	
 
    - name: Create a login user metalgamer
 
    # Create Freifunk Users
 
    - name: Create member users
 
      ansible.builtin.user:
 
        name: metalgamer
 
        name: "{{ item.username }}"
 
        password: "{{ password | password_hash('sha512') }}"
 
        update_password: "on_create"
 
        groups:
 
          - sudo
 
        append: true
 
        state: present
 
      loop: "{{ users_member }}"
 
      tags: users
 

	
 
    - name: Create a login user xbr
 
    - name: Create system users (no password)
 
      ansible.builtin.user:
 
        name: xbr
 
        password: "{{ password | password_hash('sha512') }}"
 
        name: "{{ item.username }}"
 
        groups:
 
          - sudo
 
        append: true
 
        state: present
 
      loop: "{{ users_system }}"
 
      tags: users
 

	
 
    - name: Create a login user fflux
 
      ansible.builtin.user:
 
        name: fflux
 
        password: "{{ password | password_hash('sha512') }}"
 
    - name: Add SSH key for users from vars
 
      ansible.posix.authorized_key:
 
        user: "{{ item.username }}"
 
        state: present
 
        key: "{{ lookup('file', {{ item.key_path }} ) }}"
 
      tags: users
 
      loop: "{{ users_member | union(users_system)}}"
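Review bot: The authorized_key task runs last, but its `key` value nests moustaches (`{{ lookup('file', {{ item.key_path }} ) }}`), which Jinja rejects, so the play stops there after the three sshd_config.d tasks and "Reload SSHD" have already disabled root and password login; a second run with `remote_user: root` is then refused and no user key has been installed. Write it as `key: "{{ lookup('file', item.key_path) }}"` and move the SSH hardening tasks and the reload after the user and key tasks so a failure mid-play cannot lock the operator out. The `content: |` block scalars also keep the single quotes literally, so each drop-in contains `'PasswordAuthentication no'` rather than `PasswordAuthentication no`, which sshd does not accept as a configuration line; drop the quotes and add `validate` to each copy task so a bad fragment never reaches the reload. `mode: u=rw, g=r, o=r` with spaces is likely rejected by Ansible's symbolic-mode parser as well, so `mode: "0644"` is the safer spelling. The `password: Welcome1234` default is a plaintext shared credential committed with the playbook; with password authentication disabled it is not needed for login and belongs in a vault, or can be omitted so the accounts stay key-only.
```yaml
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      tags: network,ssh
    # … unchanged: the PermitEmptyPasswords and PermitRootLogin fragments follow the same shape …
```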
user_vars.yml
 
new file 100644
 
---
 
# These are fflux members which have access to the systems
 
users_member:
 
  - username: "fantawams"
 
    key_path: "~/repos/Infrastructure-Intern/ssh_keys/fantawams.pub"
 
  - username: "orimpe"
 
    key_path: "~/repos/Infrastructure-Intern/ssh_keys/orimpe.pub"
 
  - username: "metalgamer"
 
    key_path: "~/repos/Infrastructure-Intern/ssh_keys/metalgamer.pub"
 
  - username: "xbr"
 
    key_path: "~/repos/Infrastructure-Intern/ssh_keys/x.pub"
 
# These are system users, used for management/automation/etc.
 
users_system:
 
  - username: "fflux"
 
    key_path: "~/repos/Infrastructure-Intern/ssh_keys/fflux.pub"
 
\ No newline at end of file
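Review bot: Every `key_path` is pinned to one operator's workstation layout (`~/repos/Infrastructure-Intern/ssh_keys/...`), so the `lookup('file', ...)` in the play only resolves on that machine and the `.pub` files themselves are not part of this change. The file lookup should resolve relative paths against the playbook directory, so a path such as `key_path: "<PATH-RELATIVE-TO-PLAYBOOK>/fantawams.pub"` (placeholder) or an explicit `{{ playbook_dir }}` prefix would make the vars portable across controllers; checking the public keys into the repository next to the play also makes the mapping reviewable. The file is also missing its final newline.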
0 comments (0 inline, 0 general)