Added bootstrap role with the tasks, defaults and handlers necessary for the playbooks
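--- a/roles/bootstrap/tasks/auth@ssh.yml
+++ b/roles/bootstrap/tasks/auth@ssh.yml
@@ -0,0 +1,19 @@
+---
+- name: Add authorized keys for SSH access to accounts
+  ansible.posix.authorized_keys:
+    user: "{{ item[0] }}"
+    key: "{{ item[1] }}"
+    state: present
+    validate_certs: no
+  loop: "{{ pubkeys }}"
+  register: pubkeys_assigned
+  tags: ['default', 'assign_pubkeys']
+- name: Disable SSH password authentication
+  copy:
+    src: sshd/nopass.conf
+    dest: /etc/ssh/sshd_config.d/nopass.conf
+    owner: "{{ root_acct }}"
+    group: "{{ root_acct }}"
+    force: yes
+  register: ssh_passauth_disabled
+  tags: ['default', 'disable_ssh_passauth']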
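Review bot: `validate_certs: no` on the authorized-keys task disables TLS certificate checking for any key that is fetched from a URL, so an on-path attacker could substitute their own public key and receive the login this play is granting; drop the line (the module default validates) unless `pubkeys` only ever carries literal key strings, in which case it is dead configuration. The copy of `sshd/nopass.conf` is never syntax-checked and nothing reloads sshd, so a malformed drop-in would only surface at the next restart and the setting stays inactive until then — add `validate: '/usr/sbin/sshd -t -f %s'` and `notify:` the role's sshd reload handler (handlers are not in this chunk; the only one named here is `update`). ansible.posix documents this module as `authorized_key` (singular); confirm the plural name resolves in the collection version used here. Installing keys before password authentication is disabled is the right order to avoid lockout.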
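--- a/roles/bootstrap/tasks/core_installations.yml
+++ b/roles/bootstrap/tasks/core_installations.yml
@@ -0,0 +1,8 @@
+---
+- name: Install natively available core system packages
+  package:
+    name: "{{ item.package }}"
+    state: present
+  loop: "{{ combine(server_pkgs, virtualization_pkgs, pkgmanager_pkgs, cli_pkgs, coding_pkgs, media_pkgs) }}"
+  register: native_done
+  tags: ['default', 'core']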
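Review bot: `combine(server_pkgs, …)` in the `loop` is unlikely to template: Ansible exposes `combine` as a Jinja filter that merges dictionaries, not as a callable, and the `item.package` access implies these variables are lists of mappings, so list concatenation is what is meant, e.g. `loop: "{{ server_pkgs + virtualization_pkgs + pkgmanager_pkgs + cli_pkgs + coding_pkgs + media_pkgs }}"` (the defaults are not in this chunk, so confirm the variable shapes). Looping `package` one name at a time also runs one package-manager transaction per item; passing the whole list to `name:` via `| map(attribute='package') | list` resolves dependencies once and is faster if per-item `register` results are not needed.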
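--- a/roles/bootstrap/tasks/core_installations@Debian.yml
+++ b/roles/bootstrap/tasks/core_installations@Debian.yml
@@ -0,0 +1,44 @@
+---
+- name: Register new repositories
+  block:
+    - name: Grab keys for foreign package repositories
+      get_url:
+        url: "{{ item.key }}"
+        dest: "{{ item.key_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.key is defined and item.key_orig_is_url
+    - name: Add (i.e., render native) the foreign package repositories
+      get_url:
+        url: "{{ item.repo }}"
+        dest: "{{ item.repo_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.repo is defined and item.repo_orig_is_url
+    - name: Grab keys for foreign package repositories
+      copy:
+        src: "{{ item.key }}"
+        dest: "{{ item.key_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.key is defined and not item.key_orig_is_url
+    - name: Add (i.e., render native) the foreign package repositories
+      copy:
+        src: "{{ item.repo }}"
+        dest: "{{ item.repo_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.repo is defined and not item.repo_orig_is_url
+  loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
+  register: repos_added
+  notify: update
+- name: Install newly available packages
+  package:
+    name: "{{ item.package }}{{ item.version }}"
+    state: latest
+  loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
+  register: foreign_pkgs_done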
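Review bot: The `Register new repositories` block carries `loop:`, `register:` and `notify:`, but Ansible does not allow `loop` on a `block`, so this file fails at parse time; move the four tasks into their own file and drive them with `include_tasks: <file>` plus `loop: "{{ server_pkgs_ext + cli_pkgs_ext }}"` (`combine` is the dict-merge filter, not a callable, so list concatenation is presumably what is meant). The `get_url` fetch of repository signing keys is the supply-chain trust root for every package installed afterwards and has no `checksum:`, so a compromised mirror or an on-path attacker on a plain-HTTP `item.key` URL can substitute a key; add `checksum: "{{ item.key_checksum }}"` (sha256) to the key task and an explicit `mode: "0644"` so keyring permissions do not depend on the remote umask. `state: latest` together with `name: "{{ item.package }}{{ item.version }}"` is contradictory — a version suffix pins, `latest` floats — and `item.version` has no `| default('')`, so entries without a version fail at templating; `state: present` with `{{ item.version | default('') }}` expresses the intent.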
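--- a/roles/bootstrap/tasks/core_installations@podman.yml
+++ b/roles/bootstrap/tasks/core_installations@podman.yml
@@ -0,0 +1,8 @@
+---
+- name: Pull necessary images for containers
+  containers.podman.podman_image:
+    name: "{{ item.uri }}"
+    tag: "{{ item.tag }}"
+    pull: yes
+    state: present
+  loop: "{{ cimages.core_cimages }}"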
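Review bot: Images are pulled by mutable `tag` only, so each run re-resolves `item.uri:item.tag` to whatever the registry serves that day, which makes the container set unreproducible and exposes it to a re-tagged image on a compromised registry or account; allow callers to pin by digest, e.g. `name: "{{ item.uri }}@{{ item.digest }}"` when `item.digest` is defined, omitting `tag:` in that case (the `cimages` default is not in this chunk). Every sibling task file tags its tasks; this one has no `tags:`, so it can neither be selected nor skipped with `--tags default`.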
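--- a/roles/bootstrap/tasks/denyroot.yml
+++ b/roles/bootstrap/tasks/denyroot.yml
@@ -0,0 +1,34 @@
+---
+- name: Disable shell session root login
+  user:
+    name: "{{ item.username }}"
+    shell: /sbin/nologin
+  loop: "{{ roots }}"
+  register: root_deshelled
+  when: nonlogin_method == 'deshell'
+  tags: ['default', 'root_deshelling']
+- name: Lock the root account
+  user:
+    name: "{{ item.username }}"
+    password_lock: yes
+  loop: "{{ roots }}"
+  register: root_locked
+  when: nonlogin_method == 'lock' or nonlogin_method == 'all'
+  tags: ['default', 'root_locking']
+- name: Disable root account password
+  user:
+    name: "{{ item.username }}"
+    password: "*"
+  loop: "{{ roots }}"
+  register: root_closed
+  when: nonlogin_method == 'close'
+  tags: ['default', 'root_closing']
+- name: Disable root account password and shell login
+  user:
+    name: "{{ item.username }}"
+    password: "*"
+    shell: /sbin/nologin
+  loop: "{{ roots }}"
+  register: root_delogged
+  when: nonlogin_method == 'delog' or nonlogin_method == 'all'
+  tags: ['default', 'root_locking']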
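Review bot: The last task reuses the tag `root_locking` already carried by `Lock the root account`, so `--tags root_locking` runs both and no tag selects the delog variant alone — presumably `tags: ['default', 'root_delogging']` was intended. Disabling every account in `roots` before a sudo-capable administrator exists and has been verified is a lockout risk; `tasks/main.yml` is empty in this commit, so ordering is left to the playbook, which must run `users@Debian.yml` and the SSH key task first and should assert `admins` is non-empty before reaching this file. With `nonlogin_method: all` the lock task prefixes the hash with `!` and the delog task then overwrites it with `*` — both block password login, but the `deshell` variant is not part of `all` even though the delog task covers its effect, which deserves a comment. `/sbin/nologin` works on Debian only through the merged-`/usr` symlink; `/usr/sbin/nologin` is the canonical path.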
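--- a/roles/bootstrap/tasks/denyroot@ssh.yml
+++ b/roles/bootstrap/tasks/denyroot@ssh.yml
@@ -0,0 +1,10 @@
+---
+- name: Disable remote login for root
+  copy:
+    src: sshd/denyroot.conf
+    dest: /etc/ssh/sshd_config.d/denyroot.conf
+    owner: "{{ root_acct }}"
+    group: "{{ root_acct }}"
+    force: yes
+  register: sshroot_disabled
+  tags: ['default', 'deny_sshroot']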
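Review bot: Dropping `denyroot.conf` into `sshd_config.d` changes nothing until sshd reloads, and the file is copied without a syntax check, so a typo in the (not shown) `sshd/denyroot.conf` would break the next sshd restart instead of this play; add `validate: '/usr/sbin/sshd -t -f %s'` and `notify:` the role's sshd reload handler (handlers are not in this chunk). Set `mode: "0644"` explicitly as well, and confirm the target's `/etc/ssh/sshd_config` carries `Include /etc/ssh/sshd_config.d/*.conf` — recent Debian releases ship it, but on an older host without it the drop-in is silently ignored and root login stays permitted.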
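--- a/roles/bootstrap/tasks/extra_installations.yml
+++ b/roles/bootstrap/tasks/extra_installations.yml
@@ -0,0 +1,8 @@
+---
+- name: Install natively available core system packages
+  package:
+    name: "{{ item.package }}"
+    state: present
+  loop: "{{ combine(*extra_packages) }}"
+  register: extra_done
+  tags: ['default', 'extra']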
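Review bot: `combine(*extra_packages)` is a Jinja2 template error — Jinja2 has no `*` argument splatting, and `combine` is Ansible's dict-merge filter rather than a callable — so this task fails before doing anything; if `extra_packages` is a list of package lists, `loop: "{{ extra_packages | flatten(levels=1) }}"` yields the per-package items the task expects (the default is not in this chunk, so confirm the shape). The task name is copied from `core_installations.yml`; rename it to `Install extra packages` so play output distinguishes the two.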
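--- a/roles/bootstrap/tasks/extra_installations@podman.yml
+++ b/roles/bootstrap/tasks/extra_installations@podman.yml
@@ -0,0 +1,8 @@
+---
+- name: Pull recommended images for containers
+  containers.podman.podman_image:
+    name: "{{ item.uri }}"
+    tag: "{{ item.tag }}"
+    pull: yes
+    state: present
+  loop: "{{ extra_cimages }}"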
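Review bot: This task loops over `extra_cimages` while its core sibling loops over `cimages.core_cimages`; one of the two variable layouts is presumably wrong, and with the defaults outside this chunk the mismatch cannot be checked, so align them or document why they differ. As in the core task, images are selected by mutable `tag` only; supporting an optional `item.digest` (`name: "{{ item.uri }}@{{ item.digest }}"`, omitting `tag:`) lets callers pin what is actually run. No `tags:` are set here, unlike the other task files.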
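--- a/roles/bootstrap/tasks/groups.yml
+++ b/roles/bootstrap/tasks/groups.yml
@@ -0,0 +1,9 @@
+---
+- name: Create system groups
+  group:
+    name: "{{ item.group_name }}"
+    system: yes
+    state: present
+  loop: "{{ sysgroups }}"
+  register: groups_created
+  tags: ['default']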
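Review bot: `system: yes` is a YAML 1.1 truthy value that ansible-lint's `yaml[truthy]` rule rejects; write `system: true`, and apply the same to the `yes`/`no` booleans used throughout the other task files in this commit so the role lints cleanly. A one-line comment on the expected shape of `sysgroups` would help readers, since the default is not in this chunk, e.g. `# sysgroups: list of {group_name: ...} mappings (see defaults/main.yml)`.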
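--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for common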
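Review bot: `tasks/main.yml` holds only a stale header (`# tasks file for common` in a role named bootstrap) and includes none of the task files, so unless the playbook drives them with `tasks_from` nothing in this role runs; the hardening steps are order-sensitive (install keys, then disable password auth, create sudo admins, then deny root), and that sequence belongs here via `import_tasks`/`include_tasks` rather than being left to each playbook. At minimum fix the comment to `# tasks file for bootstrap` and document the intended order of the `*@*.yml` files.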
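--- a/roles/bootstrap/tasks/upgrade@Debian.yml
+++ b/roles/bootstrap/tasks/upgrade@Debian.yml
@@ -0,0 +1,7 @@
+---
+- name: Update repositories cache
+  apt:
+    update_cache: yes
+    upgrade: "{{ upgrade_type }}"
+  register: system_upgraded
+  tags: ['upgrade_pkgs']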
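Review bot: The task is named `Update repositories cache` but also performs `upgrade: "{{ upgrade_type }}"`, and with `upgrade_type` set to `dist` or `full` apt may remove packages to resolve conflicts, which is a surprising side effect under that name; split it into a cache refresh (`update_cache: true` with `cache_valid_time: 3600`) and a separately named, separately tagged upgrade task, and list the accepted values in the defaults. If `upgrade_type` is undefined the template fails outright; `upgrade: "{{ upgrade_type | default('safe') }}"` gives a conservative fallback.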
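--- a/roles/bootstrap/tasks/users@Debian.yml
+++ b/roles/bootstrap/tasks/users@Debian.yml
@@ -0,0 +1,45 @@
+---
+- name: Create administrative user
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    append: yes
+    groups:
+      - sudo
+    shell: /bin/bash
+    password: "{{ item.password }}"
+    password_expire_max: 186
+    password_expire_min: 93
+    password_expire_warn: 15
+    state: present
+  loop: "{{ admins }}"
+  register: admins_created
+  when: admins is not none
+  tags: ['default', 'add_admins']
+- name: Create guest user
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    shell: /bin/bash
+    state: present
+  loop: "{{ guests }}"
+  register: guests_created
+  when: guests is not none
+  tags: ['add_guests']
+- name: Create standard users
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    shell: "/bin/bash"
+    password: "{{ item.password }}"
+    password_expire_max: 93
+    password_expire_min: 30
+    password_expire_warn: 7
+    state: present
+  loop: "{{ users }}"
+  register: users_created
+  when: users is not none
+  tags: ['default', 'add_users']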
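Review bot: `password: "{{ item.password }}"` is applied on every run with the module's default `update_password: always`, so any password an admin or user rotates is silently reverted to the inventory value each time the play runs, and the loop echoes every item — `item.password` included — into task output and logs; add `update_password: on_create` and `no_log: true` to both password-setting tasks. The `user` module expects an already-hashed value and writes it to the shadow entry as-is, so `item.password` must be a hash (e.g. `| password_hash('sha512')`) and its inventory source, not in this chunk, belongs in Vault. `password_expire_min: 93` for admins and `30` for users forbids changing a password for weeks to months, which stops a user who suspects compromise from rotating it without root; set it to `0` or a day or two. `when: admins is not none` still fails if the variable is undefined; `loop: "{{ admins | default([]) }}"` covers both cases.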