diff --git a/ansible.cfg b/ansible.cfg
index 4bbc620..fa6cc7e 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,2 @@
 [defaults]
-inventory = ~/Documents/projects/ansible-automations/inventory/servers.ini
+inventory = inventory/servers.ini
diff --git a/base.yml b/base.yml
new file mode 100644
index 0000000..512ebcf
--- /dev/null
+++ b/base.yml
@@ -0,0 +1,32 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will apply the base configuration to the list of machines.
+#===================================================================================================
+
+---
+- hosts: ubuntu
+ remote_user: ansible
+ become: true
+ roles:
+ - base
+
+# Clean up the system
+- hosts: ubuntu
+ remote_user: ansible
+ become: true
+ tasks:
+ - name: cleanup package cache (debian and ubuntu)
+ apt:
+ autoclean: yes
+ changed_when: false
+ when: ansible_os_family == "Debian"
+
+ - name: autoremove packages (debian and ubuntu)
+ apt:
+ autoremove: yes
+ purge: yes
+ when: ansible_os_family == "Debian"
diff --git a/playbooks/apt.yml b/playbooks/apt.yml
deleted file mode 100644
index bebdc0a..0000000
--- a/playbooks/apt.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- hosts: ubuntu
- remote_user: provision
- become: true
- tasks:
- - name: upgrade system
- apt:
- update_cache: yes
- upgrade: yes
diff --git a/playbooks/create-user.yml b/playbooks/create-user.yml
deleted file mode 100644
index 5ce5555..0000000
--- a/playbooks/create-user.yml
+++ /dev/null
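Review bot: The cleanup play in base.yml writes `autoclean: yes`, `autoremove: yes` and `purge: yes`, YAML 1.1 truthy spellings that Ansible accepts but ansible-lint's `yaml[truthy]` rule flags, while the same play already writes `become: true` and `changed_when: false`; `true` throughout keeps one spelling. The same applies to `update_cache: yes` in roles/base/handlers/main.yml and `enabled: yes` in roles/base/tasks/system/openssh.yml. Both plays here also lack a `name:`, which ansible-lint's `name[play]` rule reports and which makes run output harder to follow; `- name: Apply base configuration` and `- name: Clean up package cache` would do. Since both plays target the same hosts with the same `remote_user` and `become`, the cleanup tasks could simply become `post_tasks:` of the first play instead of a second play.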
@@ -1,63 +0,0 @@
-#===========================================================================
-# ? ABOUT
-# @author : Noah Knegt
-# @email : personal@noahknegt.com
-# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
-# @createdOn : 09-02-2023
-# @description : This playbook will create a user on a remote hosts and
-# adds an ssh key to the authorized_keys file. It will also
-# disable password authentication and root login.
-#===========================================================================
-
-- hosts: ubuntu
- vars:
- provision_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
- gather_facts: false
- remote_user: root
-
- tasks:
- - name: Add new provisioning user
- user:
- name: provision
- password: "{{ provision_password }}"
- shell: /bin/bash
-
- - name: Add provisioning user to sudoers
- copy:
- dest: /etc/sudoers.d/provision
- content: "provision ALL=(ALL) NOPASSWD:ALL"
-
- - name: Deploy SSH key
- authorized_key:
- user: provision
- key: "{{ lookup('file', '/home/noahk/.ssh/id_ed25519.pub') }}"
- state: present
-
- - name: Disable password authentication
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^PasswordAuthentication'
- line: 'PasswordAuthentication no'
- state: present
- backup: yes
- validate: 'sshd -t -f %s'
- notify:
- - restart ssh
-
- - name: Disable root login
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin'
- line: 'PermitRootLogin no'
- state: present
- backup: yes
- validate: 'sshd -t -f %s'
- notify:
- - restart ssh
-
- handlers:
- - name: restart ssh
- service:
- name: sshd
- state: restarted
-
diff --git a/roles/base/files/ansible/ansible.pub b/roles/base/files/ansible/ansible.pub
new file mode 100644
index 0000000..706df8c
--- /dev/null
+++ b/roles/base/files/ansible/ansible.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com
diff --git a/roles/base/files/ansible/ansible_sudoers b/roles/base/files/ansible/ansible_sudoers
new file mode 100644
index 0000000..e8c5b14
--- /dev/null
+++ b/roles/base/files/ansible/ansible_sudoers
@@ -0,0 +1 @@
+ansible ALL=(ALL) NOPASSWD:ALL
diff --git a/roles/base/files/noahk/noahk.pub b/roles/base/files/noahk/noahk.pub
new file mode 100644
index 0000000..706df8c
--- /dev/null
+++ b/roles/base/files/noahk/noahk.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com
diff --git a/roles/base/files/noahk/noahk_sudoers b/roles/base/files/noahk/noahk_sudoers
new file mode 100644
index 0000000..711552d
--- /dev/null
+++ b/roles/base/files/noahk/noahk_sudoers
@@ -0,0 +1 @@
+noahk ALL=(ALL:ALL) ALL
diff --git a/roles/base/files/ssh_banner.net b/roles/base/files/ssh_banner.net
new file mode 100644
index 0000000..9997813
--- /dev/null
+++ b/roles/base/files/ssh_banner.net
@@ -0,0 +1,2 @@
+Use of this system is private. If you are not authorized, disconnect immediately.
+Failure to comply will result in your destruction.
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
new file mode 100644
index 0000000..9305ca0
--- /dev/null
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1,18 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the handlers for the base role.
+#===================================================================================================
+
+---
+- name: apt_update
+ apt:
+ update_cache: yes
+
+- name: restart_sshd
+ service:
+ name: "{{ openssh_service }}"
+ state: restarted
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..47c9733
--- /dev/null
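Review bot: roles/base/files/noahk/noahk.pub is byte-identical to roles/base/files/ansible/ansible.pub (both blobs are index 706df8c), so the automation account and the interactive account are unlocked by the same private key, and with `ansible ALL=(ALL) NOPASSWD:ALL` in the sudoers fragment two hunks earlier, loss of that one key is passwordless root on every host in the group. A dedicated key pair for the `ansible` account, held only on the controller, limits a lost personal key to the `noahk` account, whose `noahk ALL=(ALL:ALL) ALL` entry still demands a password. Both `.pub` files also carry the comment `personal@noahknegt.com`; a comment naming the purpose (for example `ansible-controller`) makes `authorized_keys` audits on the hosts easier.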
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,24 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains the tasks for the base role, this role will be applied to
+# all machines.
+#===================================================================================================
+
+---
+- include_vars: "{{ ansible_distribution }}.yml"
+
+- block:
+ # Setup the ansible user
+ - include_tasks: users/ansible.yml
+ - include_tasks: users/noahk.yml
+
+ # Setup the sshd
+ - include_tasks: system/openssh.yml
+
+ # Setup the repositories for Debian based systems
+ - include_tasks: software/repositories.yml
+
diff --git a/roles/base/tasks/software/repositories.yml b/roles/base/tasks/software/repositories.yml
new file mode 100644
index 0000000..e859818
--- /dev/null
+++ b/roles/base/tasks/software/repositories.yml
@@ -0,0 +1,17 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will contain all the default software for the machines.
+#===================================================================================================
+
+---
+- name: Install aptitude and software-properties-common
+ package:
+ name:
+ - aptitude
+ - software-properties-common
+ state: latest
+ when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
diff --git a/roles/base/tasks/system/openssh.yml b/roles/base/tasks/system/openssh.yml
new file mode 100644
index 0000000..14f95ed
--- /dev/null
+++ b/roles/base/tasks/system/openssh.yml
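Review bot: `include_vars: "{{ ansible_distribution }}.yml"` hard-fails on any distribution without a matching file under roles/base/vars/, and this commit only adds Archlinux.yml, Debian.yml and Ubuntu.yml while software/repositories.yml explicitly expects `Pop!_OS` hosts. Either add a vars file per supported distribution or fall back to the OS family, e.g. `include_vars: "{{ item }}"` with `with_first_found:` listing `"{{ ansible_distribution }}.yml"` then `"{{ ansible_os_family }}.yml"`. The `- block:` wrapper carries no `when`, `become` or `rescue`, so it currently changes nothing and can be flattened into plain `- include_tasks:` entries, each with a `name:` so run output is readable. The include_vars task is unnamed too; `- name: Load distribution specific variables` is enough.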
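Review bot: `state: latest` on the `package` task in roles/base/tasks/software/repositories.yml upgrades `aptitude` and `software-properties-common` whenever the mirror has a newer build, so a base run is not reproducible and reports `changed` for reasons unrelated to the role; ansible-lint's `package-latest` rule flags this. `state: present` is the usual choice for a bootstrap role, with upgrades driven by a separate, deliberate play (the deleted playbooks/apt.yml was that play). The `when:` list hard-codes three distribution names although base.yml already keys its apt tasks on `ansible_os_family == "Debian"`; using the same condition here covers the same systems without a list to maintain.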
@@ -0,0 +1,40 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will setup the ssh server on the machine.
+#===================================================================================================
+
+---
+- name: Install or update openssh
+ package:
+ name: "{{ openssh_package }}"
+ state: latest
+ notify:
+ - restart_sshd
+
+- name: enable ssh daemon
+ service:
+ name: "{{ openssh_service }}"
+ state: started
+ enabled: yes
+
+- name: configure sshd
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart_sshd
+
+- name: copy sshd banner
+ copy:
+ src: ssh_banner.net
+ dest: /etc/issue.net
+ owner: root
+ group: root
+ mode: 0644
diff --git a/roles/base/tasks/users/ansible.yml b/roles/base/tasks/users/ansible.yml
new file mode 100644
index 0000000..3c0c457
--- /dev/null
+++ b/roles/base/tasks/users/ansible.yml
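Review bot: The `configure sshd` template task has no `validate:`, so a directive the installed sshd rejects gets written to /etc/ssh/sshd_config and the `restart_sshd` handler then takes the daemon down, which on a remote host means losing the only management path; the deleted playbooks/create-user.yml did validate with `sshd -t -f %s`, so this is a regression of the commit. Add `validate: '/usr/sbin/sshd -t -f %s'` to the template task, and `backup: true` if the previous file should be kept. The `mode: 0644` values in both tasks are plain YAML 1.1 octal integers that ansible-lint's `risky-octal` rule flags; `mode: "0644"` is the unambiguous form. `state: latest` on the openssh package also upgrades and restarts sshd on any run where a newer build exists; `present` with the existing `restart_sshd` notify would restart only on a real install.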
@@ -0,0 +1,48 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : It contains the tasks to properly configure the ansible user.
+#===================================================================================================
+
+---
+- name: Add ansible group
+ group:
+ name: ansible
+ state: present
+
+- name: Add new ansible user
+ user:
+ name: ansible
+ group: ansible
+ groups: ansible,{{ sudo_group }}
+ password: "{{ ansible_password }}"
+ state: present
+ shell: /bin/bash
+
+- name: Add ansible user to sudoers
+ copy:
+ src: ansible/ansible_sudoers
+ dest: /etc/sudoers.d/ansible
+ owner: root
+ group: root
+ mode: 0440
+
+- name: Create .ssh directory
+ file:
+ path: /home/ansible/.ssh
+ state: directory
+ owner: ansible
+ group: ansible
+ mode: 0700
+ with_items:
+ - { dir: /home/ansible/.ssh }
+
+- name: Copy ssh public key
+ authorized_key:
+ user: ansible
+ key: "{{ item }}"
+ with_file:
+ - ansible/ansible.pub
diff --git a/roles/base/tasks/users/noahk.yml b/roles/base/tasks/users/noahk.yml
new file mode 100644
index 0000000..530c366
--- /dev/null
+++ b/roles/base/tasks/users/noahk.yml
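Review bot: The `Add ansible user to sudoers` copy into /etc/sudoers.d/ has no `validate:`, and a sudoers fragment with a syntax error disables sudo for every account on the host, including the `ansible` user this role depends on; add `validate: '/usr/sbin/visudo -cf %s'` to the task, and likewise to the matching `Add user to sudoers` task in roles/base/tasks/users/noahk.yml. The `Create .ssh directory` task carries a `with_items:` whose `item` is never referenced, so it loops exactly once for nothing; the whole task can go, because `authorized_key` creates `~/.ssh` with mode 0700 by default (`manage_dir`). The `ansible` account is both added to `{{ sudo_group }}` and given its own `NOPASSWD:ALL` fragment; one grant is enough, and keeping only the fragment leaves a single place to audit and revoke. `with_file` is a legacy loop style; `key: "{{ lookup('file', 'ansible/ansible.pub') }}"` reads the same file without a loop.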
@@ -0,0 +1,48 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This will setup the normal user on the machine.
+#===================================================================================================
+
+---
+- name: Create the group
+ group:
+ name: noahk
+ state: present
+
+- name: Create the user
+ user:
+ name: noahk
+ group: noahk
+ groups: noahk,{{ sudo_group }}
+ password: "{{ noahk_password }}"
+ state: present
+ shell: /bin/bash
+
+- name: Add user to sudoers
+ copy:
+ src: noahk/noahk_sudoers
+ dest: /etc/sudoers.d/noahk
+ owner: root
+ group: root
+ mode: 0440
+
+- name: Create .ssh directory
+ file:
+ path: /home/noahk/.ssh
+ state: directory
+ owner: noahk
+ group: noahk
+ mode: 0700
+ with_items:
+ - { dir: /home/noahk/.ssh }
+
+- name: Copy ssh public key
+ authorized_key:
+ user: noahk
+ key: "{{ item }}"
+ with_file:
+ - noahk/noahk.pub
diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2
new file mode 100644
index 0000000..31d28d4
--- /dev/null
+++ b/roles/base/templates/sshd_config.j2
@@ -0,0 +1,33 @@
+Banner /etc/issue.net
+PrintMOTD no
+
+Port {{ ssh_port | default(22) }}
+Protocol 2
+
+# Authentication:
+AllowUsers {{ ssh_users | default("noahk ansible") }}
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+LoginGraceTime 120
+PasswordAuthentication {{ passwd_auth | default("no") }}
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+StrictModes yes
+UsePAM yes
+
+# Security
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+IgnoreRhosts yes
+
+# Misc. options
+AcceptEnv LANG LC_*
+TCPKeepAlive yes
+Subsystem sftp {{ sftp_path }}
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
diff --git a/roles/base/vars/Archlinux.yml b/roles/base/vars/Archlinux.yml
new file mode 100644
index 0000000..7606ccc
--- /dev/null
+++ b/roles/base/vars/Archlinux.yml
@@ -0,0 +1,14 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains the variables for arch based distros.
+#===================================================================================================
+
+---
+sudo_group: wheel
+openssh_service: sshd
+openssh_package: openssh
+sftp_path: /usr/lib/ssh/sftp-server
diff --git a/roles/base/vars/Debian.yml b/roles/base/vars/Debian.yml
new file mode 100644
index 0000000..f864565
--- /dev/null
+++ b/roles/base/vars/Debian.yml
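Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` should be dropped: OpenSSH has refused DSA host keys by default since 7.0, so on the targets here the line at best produces a "Could not load host key" error in the auth log on every start and never serves a key. `Protocol 2` and `ChallengeResponseAuthentication` are likewise retired directives (protocol 1 support was removed, and the latter is now an alias of `KbdInteractiveAuthentication`); `sshd -t` only warns about them today, but a validate step on the task that writes this file would make that visible before a restart. `AllowUsers {{ ssh_users | default("noahk ansible") }}` hard-codes the two account names a second time, separately from the user tasks; deriving the default from the same variables keeps the allow-list in one place. Since the file is a template, a first line of `# {{ ansible_managed }}` tells an admin on the host not to edit it by hand.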
@@ -0,0 +1,14 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the variables for the base role, for the debian OS.
+#===================================================================================================
+
+---
+sudo_group: sudo
+openssh_service: ssh
+openssh_package: openssh-server
+sftp_path: /usr/lib/openssh/sftp-server
diff --git a/roles/base/vars/Ubuntu.yml b/roles/base/vars/Ubuntu.yml
new file mode 100644
index 0000000..581a0e7
--- /dev/null
+++ b/roles/base/vars/Ubuntu.yml
@@ -0,0 +1,15 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains all the variables for the base role, for the debian OS.
+#===================================================================================================
+
+---
+sudo_group: sudo
+openssh_service: ssh
+openssh_package: openssh-server
+sftp_path: /usr/lib/openssh/sftp-server
+ssh_port: 4422
diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml
new file mode 100644
index 0000000..507eb03
--- /dev/null
+++ b/roles/base/vars/main.yml
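Review bot: The `@description` header of roles/base/vars/Ubuntu.yml still says "for the debian OS", copied from Debian.yml; `# @description : This file contains all the variables for the base role, for the Ubuntu OS.` would be accurate, and since the four shared values are identical to Debian.yml they could live in one family-level file selected via `ansible_os_family`, leaving this file to hold only `ssh_port`. `ssh_port: 4422` moves the listening port on Ubuntu only, and nothing on this page adjusts the inventory's `ansible_port` or a host firewall, so the second run of base.yml after a successful sshd restart would presumably fail to connect unless inventory/servers.ini already carries the port; worth confirming. On Ubuntu releases that socket-activate the ssh service (22.10 onward, as far as I recall) the `Port` directive in sshd_config is ignored unless the `ssh.socket` unit is overridden as well, so verify on the targeted release that the port actually changes.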
@@ -0,0 +1,12 @@
+#===================================================================================================
+# ? ABOUT
+# @author : Noah Knegt
+# @email : personal@noahknegt.com
+# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations
+# @createdOn : 27-02-2023
+# @description : This file contains the variables for the base role tasks.
+#===================================================================================================
+
+---
+ansible_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
+noahk_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
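Review bot: `ansible_password` is a reserved connection variable (the password the ssh and paramiko connection plugins use for the remote login), and a role's vars/main.yml outranks inventory in precedence, so while this role is active every connection would presumably be attempted with this hash string as the login password, which for the ssh plugin additionally requires `sshpass` on the controller; rename it to something like `ansible_user_password` and update the reference in roles/base/tasks/users/ansible.yml. Both variables carry the identical SHA-512 crypt hash including its salt, so the automation account and the personal account share one password; hash them separately and keep the values in an ansible-vault file or a lookup rather than plain role vars. The same hash was already committed as `provision_password` in the playbooks/create-user.yml this commit deletes, so it lives in git history regardless of vaulting and the password on the hosts should be changed.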