From bc7c984206e60345a3e1191887a0429f4218d57e Mon Sep 17 00:00:00 2001
From: Noah Knegt
Date: Mon, 27 Feb 2023 16:39:00 +0100
Subject: [PATCH] core: Swap to ansible roles for config
Signed-off-by: Noah Knegt
---
 playbooks/base.yml | 14 +++++
 playbooks/create-user.yml | 63 ----------------------
 roles/base/files/ansible/ansible.pub | 1 +
 roles/base/files/ansible/ansible_sudoers | 1 +
 roles/base/files/noahk/noahk.pub | 1 +
 roles/base/files/noahk/noahk_sudoers | 1 +
 roles/base/files/ssh_banner.net | 2 +
 roles/base/handlers/main.yml | 18 +++++++
 roles/base/tasks/main.yml | 24 +++++++++
 roles/base/tasks/software/repositories.yml | 17 ++++++
 roles/base/tasks/system/openssh.yml | 40 ++++++++++++++
 roles/base/tasks/users/ansible.yml | 48 +++++++++++++++++
 roles/base/tasks/users/noahk.yml | 48 +++++++++++++++++
 roles/base/templates/sshd_config.j2 | 33 ++++++++++++
 roles/base/vars/debian.yml | 13 +++++
 roles/base/vars/main.yml | 12 +++++
 roles/base/vars/ubuntu.yml | 13 +++++
 17 files changed, 286 insertions(+), 63 deletions(-)
 create mode 100644 playbooks/base.yml
 delete mode 100644 playbooks/create-user.yml
 create mode 100644 roles/base/files/ansible/ansible.pub
 create mode 100644 roles/base/files/ansible/ansible_sudoers
 create mode 100644 roles/base/files/noahk/noahk.pub
 create mode 100644 roles/base/files/noahk/noahk_sudoers
 create mode 100644 roles/base/files/ssh_banner.net
 create mode 100644 roles/base/handlers/main.yml
 create mode 100644 roles/base/tasks/main.yml
 create mode 100644 roles/base/tasks/software/repositories.yml
 create mode 100644 roles/base/tasks/system/openssh.yml
 create mode 100644 roles/base/tasks/users/ansible.yml
 create mode 100644 roles/base/tasks/users/noahk.yml
 create mode 100644 roles/base/templates/sshd_config.j2
 create mode 100644 roles/base/vars/debian.yml
 create mode 100644 roles/base/vars/main.yml
 create mode 100644 roles/base/vars/ubuntu.yml
diff --git a/playbooks/base.yml b/playbooks/base.yml
new file mode 100644
index 0000000..12f96c7
--- /dev/null
+++ b/playbooks/base.yml
@@ -0,0 +1,14 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will apply the base configuration to the list of machines.
+#===================================================================================================
+
+---
+- hosts: all
+  remote_user: root
+  roles:
+    - base
diff --git a/playbooks/create-user.yml b/playbooks/create-user.yml
deleted file mode 100644
index 5ce5555..0000000
--- a/playbooks/create-user.yml
+++ /dev/null
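Review bot: `remote_user: root` in the play conflicts with the role it applies: the base role's `sshd_config.j2` sets `PermitRootLogin no`, so after the first successful run this play can no longer connect to the hosts it just configured. Since the role creates an `ansible` account with key-based login and a NOPASSWD sudoers drop-in, the play should run as that account once the host is bootstrapped, e.g. `remote_user: ansible` with `become: true`, keeping the root connection only for an explicit first-run bootstrap play. Adding `become: true` now also stops the role from silently depending on the connection user being root.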
@@ -1,63 +0,0 @@ -#=========================================================================== -# ? ABOUT -# @author : Noah Knegt -# @email : personal@noahknegt.com -# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations -# @createdOn : 09-02-2023 -# @description : This playbook will create a user on a remote hosts and -# adds an ssh key to the authorized_keys file. It will also -# disable password authentication and root login. -#=========================================================================== - -- hosts: ubuntu - vars: - provision_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' - gather_facts: false - remote_user: root - - tasks: - - name: Add new provisioning user - user: - name: provision - password: "{{ provision_password }}" - shell: /bin/bash - - - name: Add provisioning user to sudoers - copy: - dest: /etc/sudoers.d/provision - content: "provision ALL=(ALL) NOPASSWD:ALL" - - - name: Deploy SSH key - authorized_key: - user: provision - key: "{{ lookup('file', '/home/noahk/.ssh/id_ed25519.pub') }}" - state: present - - - name: Disable password authentication - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PasswordAuthentication' - line: 'PasswordAuthentication no' - state: present - backup: yes - validate: 'sshd -t -f %s' - notify: - - restart ssh - - - name: Disable root login - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin' - line: 'PermitRootLogin no' - state: present - backup: yes - validate: 'sshd -t -f %s' - notify: - - restart ssh - - handlers: - - name: restart ssh - service: - name: sshd - state: restarted - diff --git a/roles/base/files/ansible/ansible.pub b/roles/base/files/ansible/ansible.pub new file mode 100644 index 0000000..706df8c --- /dev/null +++ b/roles/base/files/ansible/ansible.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com 
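Review bot: `ansible.pub` holds the same public key as `roles/base/files/noahk/noahk.pub` (both hunks record blob `706df8c`), so the automation account that receives `NOPASSWD:ALL` and the interactive account are authorized by a single private key. A dedicated key pair for the `ansible` account keeps the two trust domains separate and lets the automation key be rotated or revoked without touching the personal one. The comment field, currently `personal@noahknegt.com` on both, would then also tell the two entries apart in `authorized_keys`.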
diff --git a/roles/base/files/ansible/ansible_sudoers b/roles/base/files/ansible/ansible_sudoers
new file mode 100644
index 0000000..e8c5b14
--- /dev/null
+++ b/roles/base/files/ansible/ansible_sudoers
@@ -0,0 +1 @@
+ansible ALL=(ALL) NOPASSWD:ALL
diff --git a/roles/base/files/noahk/noahk.pub b/roles/base/files/noahk/noahk.pub
new file mode 100644
index 0000000..706df8c
--- /dev/null
+++ b/roles/base/files/noahk/noahk.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com
diff --git a/roles/base/files/noahk/noahk_sudoers b/roles/base/files/noahk/noahk_sudoers
new file mode 100644
index 0000000..b2d10ef
--- /dev/null
+++ b/roles/base/files/noahk/noahk_sudoers
@@ -0,0 +1 @@
+noahk ALL=(ALL) ALL:ALL
diff --git a/roles/base/files/ssh_banner.net b/roles/base/files/ssh_banner.net
new file mode 100644
index 0000000..9997813
--- /dev/null
+++ b/roles/base/files/ssh_banner.net
@@ -0,0 +1,2 @@
+Use of this system is private. If you are not authorized, disconnect immediately.
+Failure to comply will result in your destruction.
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
new file mode 100644
index 0000000..9305ca0
--- /dev/null
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1,18 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the handlers for the base role.
+#===================================================================================================
+
+---
+- name: apt_update
+  apt:
+    update_cache: yes
+
+- name: restart_sshd
+  service:
+    name: "{{ openssh_service }}"
+    state: restarted
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..47c9733
--- /dev/null
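Review bot: `noahk ALL=(ALL) ALL:ALL` in `noahk_sudoers` does not look like valid sudoers grammar — after a `:` in a user specification sudoers expects another `Host_List = Cmnd_Spec_List`, so a bare `ALL` there is a parse error, and sudo typically refuses to run at all while any file under `/etc/sudoers.d` fails to parse. The intended line is presumably `noahk ALL=(ALL:ALL) ALL` (run as any user and group, password required), which is also what the `sudo` group membership the role grants already provides. Running `visudo -cf` against the file before committing would confirm it, and the copy task in `roles/base/tasks/users/noahk.yml` should validate it on the host as well.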
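Review bot: The `apt_update` handler in `roles/base/handlers/main.yml` is not notified by any task in this commit, so it is dead until something references it; either drop it or have the package tasks notify it. `update_cache: yes` should be the canonical boolean `update_cache: true` (yamllint `truthy`); the same applies to `enabled: yes` in `roles/base/tasks/system/openssh.yml`.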
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,24 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains the tasks for the base role, this role will be applied to
+# all machines.
+#===================================================================================================
+
+---
+- include_vars: "{{ ansible_distribution }}.yml"
+
+- block:
+  # Setup the ansible user
+  - include_tasks: users/ansible.yml
+  - include_tasks: users/noahk.yml
+
+  # Setup the sshd
+  - include_tasks: system/openssh.yml
+
+  # Setup the repositories for Debian based systems
+  - include_tasks: software/repositories.yml
+
diff --git a/roles/base/tasks/software/repositories.yml b/roles/base/tasks/software/repositories.yml
new file mode 100644
index 0000000..e859818
--- /dev/null
+++ b/roles/base/tasks/software/repositories.yml
@@ -0,0 +1,17 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will contain all the default software for the machines.
+#===================================================================================================
+
+---
+- name: Install aptitude and software-properties-common
+  package:
+    name:
+      - aptitude
+      - software-properties-common
+    state: latest
+  when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
diff --git a/roles/base/tasks/system/openssh.yml b/roles/base/tasks/system/openssh.yml
new file mode 100644
index 0000000..b3beb47
--- /dev/null
+++ b/roles/base/tasks/system/openssh.yml
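Review bot: `include_vars: "{{ ansible_distribution }}.yml"` looks for `Debian.yml` / `Ubuntu.yml`, but the files this commit adds are `roles/base/vars/debian.yml` and `roles/base/vars/ubuntu.yml`, so on a case-sensitive controller filesystem the role fails on its first task. Use `include_vars: "{{ ansible_distribution | lower }}.yml"`. `software/repositories.yml` also accepts `Pop!_OS`, for which no vars file exists, so that distribution still fails here; a `with_first_found` lookup with a fallback vars file would cover it. The surrounding `block:` carries no `when`, `rescue` or `become` and currently adds nothing.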
@@ -0,0 +1,40 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will setup the ssh server on the machine.
+#===================================================================================================
+
+---
+- name: Install or update openssh
+  apt:
+    name: "{{ openssh_package }}"
+    state: latest
+  notify:
+    - restart_sshd
+
+- name: enable ssh daemon
+  service:
+    name: "{{ openssh_service }}"
+    state: started
+    enabled: yes
+
+- name: configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart_sshd
+
+- name: copy sshd banner
+  copy:
+    src: ssh_banner.net
+    dest: /etc/issue.net
+    owner: root
+    group: root
+    mode: 0644
diff --git a/roles/base/tasks/users/ansible.yml b/roles/base/tasks/users/ansible.yml
new file mode 100644
index 0000000..559d29c
--- /dev/null
+++ b/roles/base/tasks/users/ansible.yml
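Review bot: The `configure sshd` task writes the rendered `sshd_config` and notifies `restart_sshd` without validating it, so a value sshd rejects (a malformed `ssh_users`, or a directive a newer OpenSSH no longer accepts) lands in place and the restart takes the daemon down with no remote way back in. The deleted `create-user.yml` validated its sshd edits with `validate: 'sshd -t -f %s'`; add the same `validate: 'sshd -t -f %s'` to the `template` task, which checks the temp file before it is moved into place and leaves the old config untouched on failure. The octal modes should be quoted strings, `mode: "0644"`, so YAML parsers and ansible-lint read them as intended.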
@@ -0,0 +1,48 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : It contains the tasks to properly configure the ansible user.
+#===================================================================================================
+
+---
+- name: Add ansible group
+  group:
+    name: ansible
+    state: present
+
+- name: Add new ansible user
+  user:
+    name: ansible
+    group: ansible
+    groups: ansible,{{ sudo_group }}
+    password: "{{ ansible_password }}"
+    state: present
+    shell: /bin/bash
+
+- name: Add ansible user to sudoers
+  copy:
+    src: files/ansible_sudoers
+    dest: /etc/sudoers.d/ansible
+    owner: root
+    group: root
+    mode: 0440
+
+- name: Create .ssh directory
+  file:
+    path: /home/ansible/.ssh
+    state: directory
+    owner: ansible
+    group: ansible
+    mode: 0700
+  with_items:
+    - { dir: /home/ansible/.ssh }
+
+- name: Copy ssh public key
+  authorized_key:
+    user: ansible
+    key: "{{ item }}"
+  with_file:
+    - ansible/ansible.pub
diff --git a/roles/base/tasks/users/noahk.yml b/roles/base/tasks/users/noahk.yml
new file mode 100644
index 0000000..92f9155
--- /dev/null
+++ b/roles/base/tasks/users/noahk.yml
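Review bot: `src: files/ansible_sudoers` in the `Add ansible user to sudoers` task does not match where the commit puts the file (`roles/base/files/ansible/ansible_sudoers`); a role-relative `src` is already resolved under the role's `files/` directory, so unless a copy exists outside this commit the task fails, and it should read `src: ansible/ansible_sudoers`, the same way the `with_file` entry below uses `ansible/ansible.pub`. `roles/base/tasks/users/noahk.yml` has the identical mismatch with `src: files/noahk_sudoers`. Both sudoers copies should also carry `validate: 'visudo -cf %s'`, since a drop-in that fails to parse disables sudo for every account on the host. The `with_items` on `Create .ssh directory` is unused in both files (`path` is hard-coded rather than `{{ item.dir }}`); drop the loop.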
@@ -0,0 +1,48 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will setup the normal user on the machine.
+#===================================================================================================
+
+---
+- name: Create the group
+  group:
+    name: noahk
+    state: present
+
+- name: Create the user
+  user:
+    name: noahk
+    group: noahk
+    groups: noahk,{{ sudo_group }}
+    password: "{{ noahk_password }}"
+    state: present
+    shell: /bin/bash
+
+- name: Add user to sudoers
+  copy:
+    src: files/noahk_sudoers
+    dest: /etc/sudoers.d/noahk
+    owner: root
+    group: root
+    mode: 0440
+
+- name: Create .ssh directory
+  file:
+    path: /home/noahk/.ssh
+    state: directory
+    owner: noahk
+    group: noahk
+    mode: 0700
+  with_items:
+    - { dir: /home/noahk/.ssh }
+
+- name: Copy ssh public key
+  authorized_key:
+    user: noahk
+    key: "{{ item }}"
+  with_file:
+    - noahk/noahk.pub
diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2
new file mode 100644
index 0000000..e39dbf0
--- /dev/null
+++ b/roles/base/templates/sshd_config.j2
@@ -0,0 +1,33 @@
+Banner /etc/issue.net
+PrintMOTD no
+
+Port {{ ssh_port | default(22) }}
+Protocol 2
+
+# Authentication:
+AllowUsers {{ ssh_users | default("noahk") }}
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+LoginGraceTime 120
+PasswordAuthentication {{ passwd_auth | default("no") }}
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+StrictModes yes
+UsePAM yes
+
+# Security
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+IgnoreRhosts yes
+
+# Misc. options
+AcceptEnv LANG LC_*
+TCPKeepAlive yes
+Subsystem sftp {{ sftp_path }}
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
diff --git a/roles/base/vars/debian.yml b/roles/base/vars/debian.yml
new file mode 100644
index 0000000..79720e7
--- /dev/null
+++ b/roles/base/vars/debian.yml
@@ -0,0 +1,13 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the variables for the base role, for the debian OS.
+#===================================================================================================
+
+---
+sudo_group: sudo
+openssh_service: ssh
+openssh_package: openssh-server
diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml
new file mode 100644
index 0000000..507eb03
--- /dev/null
+++ b/roles/base/vars/main.yml
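Review bot: `AllowUsers {{ ssh_users | default("noahk") }}` leaves out the `ansible` account this same role creates, so unless `ssh_users` is set in inventory the automation account has a key in `authorized_keys` but is rejected at login, and with `PermitRootLogin no` the play's `remote_user: root` stops working after the first run too; `AllowUsers {{ ssh_users | default("ansible noahk") }}` matches what the role actually sets up. `Subsystem sftp {{ sftp_path }}` has no `default` and `sftp_path` is defined in none of the vars files this commit adds, so rendering fails on an undefined variable unless the inventory supplies it; give it a per-distribution default in `vars/debian.yml` and `vars/ubuntu.yml`. `HostKey /etc/ssh/ssh_host_dsa_key` can be dropped: DSA host keys are disabled by default in current OpenSSH and the file is typically not generated, so the line only produces a startup warning. `ChallengeResponseAuthentication` is the legacy spelling; `KbdInteractiveAuthentication no` is the current name for the same setting.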
@@ -0,0 +1,12 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains the variables for the base role tasks.
+#===================================================================================================
+
+---
+ansible_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
+noahk_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
diff --git a/roles/base/vars/ubuntu.yml b/roles/base/vars/ubuntu.yml
new file mode 100644
index 0000000..44719b3
--- /dev/null
+++ b/roles/base/vars/ubuntu.yml
@@ -0,0 +1,13 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the variables for the base role, for the ubuntu OS.
+#===================================================================================================
+
+---
+sudo_group: sudo
+openssh_service: ssh
+openssh_package: openssh-server
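Review bot: `ansible_password` and `noahk_password` are committed to the repository as SHA-512 crypt hashes in a plain vars file, and the two values are identical (and the same hash the deleted `create-user.yml` used for `provision`), so a single offline crack yields the password for both accounts on every host the role touches. Keep these out of version control — encrypt the file with `ansible-vault`, or use vault-encrypted inline values — and give each account its own hash. With `PasswordAuthentication no` in the sshd template and a `NOPASSWD:ALL` sudoers drop-in, the `ansible` account has no need for a usable password at all; the `user` task could set `password_lock: true` instead of assigning one.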