From bc7c984206e60345a3e1191887a0429f4218d57e Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:39:00 +0100 Subject: [PATCH 01/10] core: Swap to ansible roles for config Signed-off-by: Noah Knegt --- playbooks/base.yml | 14 +++++ playbooks/create-user.yml | 63 ---------------------- roles/base/files/ansible/ansible.pub | 1 + roles/base/files/ansible/ansible_sudoers | 1 + roles/base/files/noahk/noahk.pub | 1 + roles/base/files/noahk/noahk_sudoers | 1 + roles/base/files/ssh_banner.net | 2 + roles/base/handlers/main.yml | 18 +++++++ roles/base/tasks/main.yml | 24 +++++++++ roles/base/tasks/software/repositories.yml | 17 ++++++ roles/base/tasks/system/openssh.yml | 40 ++++++++++++++ roles/base/tasks/users/ansible.yml | 48 +++++++++++++++++ roles/base/tasks/users/noahk.yml | 48 +++++++++++++++++ roles/base/templates/sshd_config.j2 | 33 ++++++++++++ roles/base/vars/debian.yml | 13 +++++ roles/base/vars/main.yml | 12 +++++ roles/base/vars/ubuntu.yml | 13 +++++ 17 files changed, 286 insertions(+), 63 deletions(-) create mode 100644 playbooks/base.yml delete mode 100644 playbooks/create-user.yml create mode 100644 roles/base/files/ansible/ansible.pub create mode 100644 roles/base/files/ansible/ansible_sudoers create mode 100644 roles/base/files/noahk/noahk.pub create mode 100644 roles/base/files/noahk/noahk_sudoers create mode 100644 roles/base/files/ssh_banner.net create mode 100644 roles/base/handlers/main.yml create mode 100644 roles/base/tasks/main.yml create mode 100644 roles/base/tasks/software/repositories.yml create mode 100644 roles/base/tasks/system/openssh.yml create mode 100644 roles/base/tasks/users/ansible.yml create mode 100644 roles/base/tasks/users/noahk.yml create mode 100644 roles/base/templates/sshd_config.j2 create mode 100644 roles/base/vars/debian.yml create mode 100644 roles/base/vars/main.yml create mode 100644 roles/base/vars/ubuntu.yml 
diff --git a/playbooks/base.yml b/playbooks/base.yml new file mode 100644 index 0000000..12f96c7 --- /dev/null +++ b/playbooks/base.yml @@ -0,0 +1,14 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This will apply the base configuration to the list of machines. +#=================================================================================================== + +--- +- hosts: all + remote_user: root + roles: + - base diff --git a/playbooks/create-user.yml b/playbooks/create-user.yml deleted file mode 100644 index 5ce5555..0000000 --- a/playbooks/create-user.yml +++ /dev/null 
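Review bot: The play logs in with `remote_user: root`, but the `base` role it applies renders `PermitRootLogin no` and restarts sshd through the `restart_sshd` handler, so the first run removes the only login path the playbook has and nothing checks that the replacement `ansible` account can authenticate before the restart. A bootstrap like this wants a guard before sshd is restarted, e.g. a `delegate_to: localhost` task running `ssh -o BatchMode=yes ansible@{{ inventory_hostname }} true` and failing the play if it does not succeed. I would also state in the header comment that this playbook is expected to be run exactly once as root and afterwards only as `ansible` with `become`.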
@@ -1,63 +0,0 @@ -#=========================================================================== -# ? ABOUT -# @author : Noah Knegt -# @email : personal@noahknegt.com -# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations -# @createdOn : 09-02-2023 -# @description : This playbook will create a user on a remote hosts and -# adds an ssh key to the authorized_keys file. It will also -# disable password authentication and root login. -#=========================================================================== - -- hosts: ubuntu - vars: - provision_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' - gather_facts: false - remote_user: root - - tasks: - - name: Add new provisioning user - user: - name: provision - password: "{{ provision_password }}" - shell: /bin/bash - - - name: Add provisioning user to sudoers - copy: - dest: /etc/sudoers.d/provision - content: "provision ALL=(ALL) NOPASSWD:ALL" - - - name: Deploy SSH key - authorized_key: - user: provision - key: "{{ lookup('file', '/home/noahk/.ssh/id_ed25519.pub') }}" - state: present - - - name: Disable password authentication - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PasswordAuthentication' - line: 'PasswordAuthentication no' - state: present - backup: yes - validate: 'sshd -t -f %s' - notify: - - restart ssh - - - name: Disable root login - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin' - line: 'PermitRootLogin no' - state: present - backup: yes - validate: 'sshd -t -f %s' - notify: - - restart ssh - - handlers: - - name: restart ssh - service: - name: sshd - state: restarted - diff --git a/roles/base/files/ansible/ansible.pub b/roles/base/files/ansible/ansible.pub new file mode 100644 index 0000000..706df8c --- /dev/null +++ b/roles/base/files/ansible/ansible.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com 
diff --git a/roles/base/files/ansible/ansible_sudoers b/roles/base/files/ansible/ansible_sudoers new file mode 100644 index 0000000..e8c5b14 --- /dev/null +++ b/roles/base/files/ansible/ansible_sudoers @@ -0,0 +1 @@ +ansible ALL=(ALL) NOPASSWD:ALL diff --git a/roles/base/files/noahk/noahk.pub b/roles/base/files/noahk/noahk.pub new file mode 100644 index 0000000..706df8c --- /dev/null +++ b/roles/base/files/noahk/noahk.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2IpJL9ZvIjLPRAn70ElcSWDTIm3f2930U9TK/aPmX0 personal@noahknegt.com diff --git a/roles/base/files/noahk/noahk_sudoers b/roles/base/files/noahk/noahk_sudoers new file mode 100644 index 0000000..b2d10ef --- /dev/null +++ b/roles/base/files/noahk/noahk_sudoers @@ -0,0 +1 @@ +noahk ALL=(ALL) ALL:ALL diff --git a/roles/base/files/ssh_banner.net b/roles/base/files/ssh_banner.net new file mode 100644 index 0000000..9997813 --- /dev/null +++ b/roles/base/files/ssh_banner.net @@ -0,0 +1,2 @@ +Use of this system is private. If you are not authorized, disconnect immediately. +Failure to comply will result in your destruction. diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml new file mode 100644 index 0000000..9305ca0 --- /dev/null +++ b/roles/base/handlers/main.yml @@ -0,0 +1,18 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains all the handlers for the base role. +#=================================================================================================== + +--- +- name: apt_update + apt: + update_cache: yes + +- name: restart_sshd + service: + name: "{{ openssh_service }}" + state: restarted diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..47c9733 --- /dev/null 
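Review bot: `noahk ALL=(ALL) ALL:ALL` is not valid sudoers grammar; the user:group pair belongs inside the runas parentheses, i.e. `noahk ALL=(ALL:ALL) ALL`, and a parse error in any `/etc/sudoers.d/` fragment makes sudo reject every rule on the host. Because the tasks that copy these fragments do not validate them, the breakage would only surface at the first `sudo`; the copy tasks should carry `validate: '/usr/sbin/visudo -cf %s'` so a bad fragment fails the play instead of the host. The `ansible ALL=(ALL) NOPASSWD:ALL` rule is the usual shape for an automation account, but it makes the account's SSH key equivalent to root, which matters for the key reuse noted on the user tasks. The `apt_update` handler is defined but nothing in the role notifies it, so either wire it to the repository tasks or drop it.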
+++ b/roles/base/tasks/main.yml @@ -0,0 +1,24 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains the tasks for the base role, this role will be applied to +# all machines. +#=================================================================================================== + +--- +- include_vars: "{{ ansible_distribution }}.yml" + +- block: + # Setup the ansible user + - include_tasks: users/ansible.yml + - include_tasks: users/noahk.yml + + # Setup the sshd + - include_tasks: system/openssh.yml + + # Setup the repositories for Debian based systems + - include_tasks: software/repositories.yml + diff --git a/roles/base/tasks/software/repositories.yml b/roles/base/tasks/software/repositories.yml new file mode 100644 index 0000000..e859818 --- /dev/null +++ b/roles/base/tasks/software/repositories.yml @@ -0,0 +1,17 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This will contain all the default software for the machines. +#=================================================================================================== + +--- +- name: Install aptitude and software-properties-common + package: + name: + - aptitude + - software-properties-common + state: latest + when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"] diff --git a/roles/base/tasks/system/openssh.yml b/roles/base/tasks/system/openssh.yml new file mode 100644 index 0000000..b3beb47 --- /dev/null +++ b/roles/base/tasks/system/openssh.yml 
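Review bot: `include_vars: "{{ ansible_distribution }}.yml"` hard-fails on any distribution without a matching vars file, and `repositories.yml` in the same commit explicitly matches `"Pop!_OS"`, for which no vars file exists, so those hosts fail before any task runs. A lookup with a family-level fallback is more robust: `with_first_found: ["{{ ansible_distribution }}.yml", "{{ ansible_os_family }}.yml"]` on the `include_vars` task, with a `fail` task when neither exists so unsupported hosts are rejected explicitly rather than half-configured. The `block:` wrapping the includes carries no `when`, `rescue` or `become`, so it does nothing and can be removed or given a purpose comment. `state: latest` on `aptitude`/`software-properties-common` upgrades packages on every run; `present` is the idempotent choice for a base role.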
@@ -0,0 +1,40 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This will setup the ssh server on the machine. +#=================================================================================================== + +--- +- name: Install or update openssh + apt: + name: "{{ openssh_package }}" + state: latest + notify: + - restart_sshd + +- name: enable ssh daemon + service: + name: "{{ openssh_service }}" + state: started + enabled: yes + +- name: configure sshd + template: + src: sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: 0644 + notify: + - restart_sshd + +- name: copy sshd banner + copy: + src: ssh_banner.net + dest: /etc/issue.net + owner: root + group: root + mode: 0644 diff --git a/roles/base/tasks/users/ansible.yml b/roles/base/tasks/users/ansible.yml new file mode 100644 index 0000000..559d29c --- /dev/null +++ b/roles/base/tasks/users/ansible.yml 
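Review bot: The `configure sshd` template task writes `/etc/ssh/sshd_config` without a `validate:` step, whereas the `lineinfile` tasks this role replaces ran `sshd -t -f %s` before touching the file; with the new task a bad directive value is written to disk and only discovered when the `restart_sshd` handler fails, leaving the host without a listening sshd. Add `validate: '/usr/sbin/sshd -t -f %s'` to the template task so the play fails instead of the host. The `Install or update openssh` task uses `state: latest` and notifies `restart_sshd`, so every run with a newer package available restarts sshd mid-play; `state: present` is the idempotent choice for a base role. Minor: quote the file modes (`mode: "0644"`) so YAML does not read them as octal integers.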
@@ -0,0 +1,48 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : It contains the tasks to properly configure the ansible user. +#=================================================================================================== + +--- +- name: Add ansible group + group: + name: ansible + state: present + +- name: Add new ansible user + user: + name: ansible + group: ansible + groups: ansible,{{ sudo_group }} + password: "{{ ansible_password }}" + state: present + shell: /bin/bash + +- name: Add ansible user to sudoers + copy: + src: files/ansible_sudoers + dest: /etc/sudoers.d/ansible + owner: root + group: root + mode: 0440 + +- name: Create .ssh directory + file: + path: /home/ansible/.ssh + state: directory + owner: ansible + group: ansible + mode: 0700 + with_items: + - { dir: /home/ansible/.ssh } + +- name: Copy ssh public key + authorized_key: + user: ansible + key: "{{ item }}" + with_file: + - ansible/ansible.pub diff --git a/roles/base/tasks/users/noahk.yml b/roles/base/tasks/users/noahk.yml new file mode 100644 index 0000000..92f9155 --- /dev/null +++ b/roles/base/tasks/users/noahk.yml 
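Review bot: The `ansible` account is given a password (`password: "{{ ansible_password }}"`) even though it authenticates by key and has NOPASSWD sudo, so the password adds nothing but a second credential to crack; set `password_lock: true` (or omit `password`) and, if a hash is kept, `update_password: on_create` so each run does not reset it. For an automation account the `authorized_key` task should also carry `exclusive: true` so any key that was added out of band is removed on the next run. The `with_items: - { dir: /home/ansible/.ssh }` loop on the `.ssh` task is never referenced by the task and can be dropped; `authorized_key` creates the directory itself with `0700`.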
@@ -0,0 +1,48 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This will setup the normal user on the machine. +#=================================================================================================== + +--- +- name: Create the group + group: + name: noahk + state: present + +- name: Create the user + user: + name: noahk + group: noahk + groups: noahk,{{ sudo_group }} + password: "{{ noahk_password }}" + state: present + shell: /bin/bash + +- name: Add user to sudoers + copy: + src: files/noahk_sudoers + dest: /etc/sudoers.d/noahk + owner: root + group: root + mode: 0440 + +- name: Create .ssh directory + file: + path: /home/noahk/.ssh + state: directory + owner: noahk + group: noahk + mode: 0700 + with_items: + - { dir: /home/noahk/.ssh } + +- name: Copy ssh public key + authorized_key: + user: noahk + key: "{{ item }}" + with_file: + - noahk/noahk.pub diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2 new file mode 100644 index 0000000..e39dbf0 --- /dev/null +++ b/roles/base/templates/sshd_config.j2 
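Review bot: The public key installed for `noahk` is the same blob as the one installed for `ansible` (both files have git object `706df8c` and the `personal@noahknegt.com` comment), so the interactive admin account and the NOPASSWD-sudo automation account share a single private key and a compromise of the personal key is passwordless root on every host. Generate a dedicated key for `ansible` (ideally kept only on the controller) so the two accounts can be revoked independently. As on the ansible tasks, `password: "{{ noahk_password }}"` without `update_password: on_create` resets the user's password to the committed hash on every run, overriding any interactive change, and the unused `with_items` loop on the `.ssh` task can go.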
@@ -0,0 +1,33 @@ +Banner /etc/issue.net +PrintMOTD no + +Port {{ ssh_port | default(22) }} +Protocol 2 + +# Authentication: +AllowUsers {{ ssh_users | default("noahk") }} +ChallengeResponseAuthentication no +HostbasedAuthentication no +LoginGraceTime 120 +PasswordAuthentication {{ passwd_auth | default("no") }} +PermitEmptyPasswords no +PermitRootLogin no +PubkeyAuthentication yes +StrictModes yes +UsePAM yes + +# Security +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key +IgnoreRhosts yes + +# Misc. options +AcceptEnv LANG LC_* +TCPKeepAlive yes +Subsystem sftp {{ sftp_path }} + +# Logging +SyslogFacility AUTH +LogLevel INFO diff --git a/roles/base/vars/debian.yml b/roles/base/vars/debian.yml new file mode 100644 index 0000000..79720e7 --- /dev/null +++ b/roles/base/vars/debian.yml @@ -0,0 +1,13 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains all the variables for the base role, for the debian OS. +#=================================================================================================== + +--- +sudo_group: sudo +openssh_service: ssh +openssh_package: openssh-server diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml new file mode 100644 index 0000000..507eb03 --- /dev/null +++ b/roles/base/vars/main.yml 
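Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` should be dropped: ssh-dss has been disabled by default since OpenSSH 7.0 and new installs do not generate a DSA key, so the line either logs a load error or, on an old build, advertises a 1024-bit host key. `PasswordAuthentication {{ passwd_auth | default("no") }}` renders `False` if someone sets `passwd_auth: no` in YAML, which sshd rejects as a bad yes/no argument; render it as `{{ passwd_auth | default(false) | ternary('yes', 'no') }}` so the value is always a valid token. `Protocol 2` is a no-op on current sshd. Consider adding `MaxAuthTries 3`, `X11Forwarding no` and `AllowAgentForwarding no` next to the other hardening directives, which the current template leaves at their defaults.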
@@ -0,0 +1,12 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains the variables for the base role tasks. +#=================================================================================================== + +--- +ansible_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' +noahk_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' diff --git a/roles/base/vars/ubuntu.yml b/roles/base/vars/ubuntu.yml new file mode 100644 index 0000000..44719b3 --- /dev/null +++ b/roles/base/vars/ubuntu.yml @@ -0,0 +1,13 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains all the variables for the base role, for the ubuntu OS. +#=================================================================================================== + +--- +sudo_group: sudo +openssh_service: ssh +openssh_package: openssh-server -- 2.49.1 From 6c148e91e93ca50046a08317a56126c712f69624 Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:44:36 +0100 Subject: [PATCH 02/10] core: Remove unneeded files Signed-off-by: Noah Knegt --- playbooks/apt.yml | 8 -------- playbooks/base.yml | 2 +- 2 files changed, 1 insertion(+), 9 deletions(-) delete mode 100644 playbooks/apt.yml diff --git a/playbooks/apt.yml b/playbooks/apt.yml deleted file mode 100644 index bebdc0a..0000000 --- a/playbooks/apt.yml +++ /dev/null 
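Review bot: `ansible_password` and `noahk_password` carry the identical `$6$…` hash, so both accounts share one password, and the hash is committed in plain text to a repository whose URL is in every file header; a SHA-512 crypt hash is offline-crackable, so treat it as a leaked credential, rotate it, and keep any replacement in an `ansible-vault` encrypted file rather than `vars/main.yml`. For the automation account a password is not needed at all (key login plus NOPASSWD sudo), so drop it there. Note also that `roles/base/vars/` has higher precedence than inventory and host vars, so these values cannot be overridden per host; `defaults/main.yml` is the conventional place for overridable role variables.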
@@ -1,8 +0,0 @@ -- hosts: ubuntu - remote_user: provision - become: true - tasks: - - name: upgrade system - apt: - update_cache: yes - upgrade: yes diff --git a/playbooks/base.yml b/playbooks/base.yml index 12f96c7..abe22e6 100644 --- a/playbooks/base.yml +++ b/playbooks/base.yml @@ -9,6 +9,6 @@ --- - hosts: all - remote_user: root + become: true roles: - base -- 2.49.1 From f7e3e3028f22bdb776f5a52b8def5d1995dad499 Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:45:25 +0100 Subject: [PATCH 03/10] meta: Swap to relative path Signed-off-by: Noah Knegt --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 4bbc620..fa6cc7e 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,2 @@ [defaults] -inventory = ~/Documents/projects/ansible-automations/inventory/servers.ini +inventory = inventory/servers.ini -- 2.49.1 From 85a806bf491417ca1916b109041bfb9ce27d0d98 Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:55:31 +0100 Subject: [PATCH 04/10] base: Add cleanup tasks Signed-off-by: Noah Knegt --- playbooks/base.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/playbooks/base.yml b/playbooks/base.yml index abe22e6..0c57e87 100644 --- a/playbooks/base.yml +++ b/playbooks/base.yml @@ -12,3 +12,19 @@ become: true roles: - base + +# Clean up the system +- hosts: all + become: true + tasks: + - name: cleanup package cache (debian and ubuntu) + apt: + autoclean: yes + changed_when: false + when: ansible_os_family == "Debian" + + - name: autoremove packages (debian and ubuntu) + apt: + autoremove: yes + purge: yes + when: ansible_os_family == "Debian" -- 2.49.1 From 3395acc90f9c59cd417f19c1f4b86dd620695428 Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:58:13 +0100 Subject: [PATCH 05/10] base: Add arch based vars 
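Review bot: With `inventory = inventory/servers.ini`, the configuration is now resolved relative to the checkout, so everything the plays trust (inventory, and any plugin or role paths added later) is controlled by whoever can write to that directory; Ansible deliberately ignores `./ansible.cfg` when the current directory is world-writable, so a run from such a directory silently falls back to another config and a different inventory. Worth a one-line comment in `ansible.cfg` stating that the file must be loaded from a checkout owned by the operator, and keeping the directory permissions strict. The relative path itself is an improvement over the absolute home-directory path it replaces.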
Signed-off-by: Noah Knegt --- roles/base/vars/arch.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/base/vars/arch.yml diff --git a/roles/base/vars/arch.yml b/roles/base/vars/arch.yml new file mode 100644 index 0000000..65a65a4 --- /dev/null +++ b/roles/base/vars/arch.yml @@ -0,0 +1,13 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains the variables for arch based distros. +#=================================================================================================== + +--- +sudo_group: wheel +openssh_service: sshd +openssh_package: openssh -- 2.49.1 From 9089ffbc9ab05adeed8c53d7f1e28744ee4289e9 Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 16:59:53 +0100 Subject: [PATCH 06/10] base: Move base playbook Signed-off-by: Noah Knegt --- playbooks/base.yml => base.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename playbooks/base.yml => base.yml (96%) diff --git a/playbooks/base.yml b/base.yml similarity index 96% rename from playbooks/base.yml rename to base.yml index 0c57e87..8bebd28 100644 --- a/playbooks/base.yml +++ b/base.yml @@ -8,13 +8,13 @@ #=================================================================================================== --- -- hosts: all +- hosts: localhost become: true roles: - base # Clean up the system -- hosts: all +- hosts: localhost become: true tasks: - name: cleanup package cache (debian and ubuntu) -- 2.49.1 From 80c52199ef7de4adc72bad0914ad050abdb70e6f Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 17:12:08 +0100 Subject: [PATCH 07/10] core: Fix ansible errors 
Signed-off-by: Noah Knegt --- roles/base/tasks/system/openssh.yml | 2 +- roles/base/tasks/users/ansible.yml | 2 +- roles/base/tasks/users/noahk.yml | 2 +- roles/base/templates/sshd_config.j2 | 1 - roles/base/vars/{arch.yml => Archlinux.yml} | 0 roles/base/vars/{debian.yml => Debian.yml} | 0 roles/base/vars/ubuntu.yml | 13 ------------- 7 files changed, 3 insertions(+), 17 deletions(-) rename roles/base/vars/{arch.yml => Archlinux.yml} (100%) rename roles/base/vars/{debian.yml => Debian.yml} (100%) delete mode 100644 roles/base/vars/ubuntu.yml diff --git a/roles/base/tasks/system/openssh.yml b/roles/base/tasks/system/openssh.yml index b3beb47..14f95ed 100644 --- a/roles/base/tasks/system/openssh.yml +++ b/roles/base/tasks/system/openssh.yml @@ -9,7 +9,7 @@ --- - name: Install or update openssh - apt: + package: name: "{{ openssh_package }}" state: latest notify: diff --git a/roles/base/tasks/users/ansible.yml b/roles/base/tasks/users/ansible.yml index 559d29c..3c0c457 100644 --- a/roles/base/tasks/users/ansible.yml +++ b/roles/base/tasks/users/ansible.yml @@ -24,7 +24,7 @@ - name: Add ansible user to sudoers copy: - src: files/ansible_sudoers + src: ansible/ansible_sudoers dest: /etc/sudoers.d/ansible owner: root group: root diff --git a/roles/base/tasks/users/noahk.yml b/roles/base/tasks/users/noahk.yml index 92f9155..530c366 100644 --- a/roles/base/tasks/users/noahk.yml +++ b/roles/base/tasks/users/noahk.yml @@ -24,7 +24,7 @@ - name: Add user to sudoers copy: - src: files/noahk_sudoers + src: noahk/noahk_sudoers dest: /etc/sudoers.d/noahk owner: root group: root diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2 index e39dbf0..3e270bf 100644 --- a/roles/base/templates/sshd_config.j2 +++ b/roles/base/templates/sshd_config.j2 @@ -26,7 +26,6 @@ IgnoreRhosts yes # Misc. options AcceptEnv LANG LC_* TCPKeepAlive yes -Subsystem sftp {{ sftp_path }} # Logging SyslogFacility AUTH 
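Review bot: Switching `Install or update openssh` from `apt` to `package` keeps `state: latest` together with `notify: restart_sshd`, so on every run where a newer openssh is available the package is upgraded and sshd is restarted mid-play, which is a surprising side effect for a base role and a non-idempotent one; `state: present` is the safer default, with upgrades handled by the dedicated cleanup/upgrade play. The sudoers `src:` path fixes are correct, but the copy tasks still write to `/etc/sudoers.d/` without `validate: '/usr/sbin/visudo -cf %s'`. Removing `Subsystem sftp` disables SFTP entirely until it is re-added; if that is intentional for hardening, say so in the template, otherwise keep the line.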
diff --git a/roles/base/vars/arch.yml b/roles/base/vars/Archlinux.yml similarity index 100% rename from roles/base/vars/arch.yml rename to roles/base/vars/Archlinux.yml diff --git a/roles/base/vars/debian.yml b/roles/base/vars/Debian.yml similarity index 100% rename from roles/base/vars/debian.yml rename to roles/base/vars/Debian.yml diff --git a/roles/base/vars/ubuntu.yml b/roles/base/vars/ubuntu.yml deleted file mode 100644 index 44719b3..0000000 --- a/roles/base/vars/ubuntu.yml +++ /dev/null @@ -1,13 +0,0 @@ -#=================================================================================================== -# ? ABOUT -# @author : Noah Knegt -# @email : personal@noahknegt.com -# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations -# @createdOn : 27-02-2023 -# @description : This file contains all the variables for the base role, for the ubuntu OS. -#=================================================================================================== - ---- -sudo_group: sudo -openssh_service: ssh -openssh_package: openssh-server -- 2.49.1 From 230dde1a9b94e1829ac98f0b3ec3f961eb9bff3b Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 17:28:46 +0100 Subject: [PATCH 08/10] core: Fix ubuntu config Signed-off-by: Noah Knegt --- base.yml | 6 ++++-- roles/base/files/noahk/noahk_sudoers | 2 +- roles/base/vars/Ubuntu.yml | 14 ++++++++++++++ 3 files changed, 19 insertions(+), 3 deletions(-) create mode 100644 roles/base/vars/Ubuntu.yml diff --git a/base.yml b/base.yml index 8bebd28..52bc867 100644 --- a/base.yml +++ b/base.yml @@ -8,13 +8,15 @@ #=================================================================================================== --- -- hosts: localhost +- hosts: ubuntu + remote_user: provision become: true roles: - base # Clean up the system -- hosts: localhost +- hosts: ubuntu + remote_user: provision become: true tasks: - name: cleanup package cache (debian and ubuntu) 
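Review bot: `remote_user: provision` points at the account created by the deleted `create-user.yml` playbook, which nothing in the repository provisions any more, and the sshd template's `AllowUsers` default at this commit lists only `noahk`; once the role restarts sshd, `provision` can no longer log in, so the second run of this playbook fails. The safe pattern is to derive the allow list from the connecting user rather than a literal, e.g. `AllowUsers {{ ssh_users | default(ansible_user ~ " noahk") }}` in the template, or to `assert` before the restart that `ansible_user` is in `ssh_users`. The play header comment should also state which account is expected to exist before the first run.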
diff --git a/roles/base/files/noahk/noahk_sudoers b/roles/base/files/noahk/noahk_sudoers index b2d10ef..711552d 100644 --- a/roles/base/files/noahk/noahk_sudoers +++ b/roles/base/files/noahk/noahk_sudoers @@ -1 +1 @@ -noahk ALL=(ALL) ALL:ALL +noahk ALL=(ALL:ALL) ALL diff --git a/roles/base/vars/Ubuntu.yml b/roles/base/vars/Ubuntu.yml new file mode 100644 index 0000000..792ace3 --- /dev/null +++ b/roles/base/vars/Ubuntu.yml @@ -0,0 +1,14 @@ +#=================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 27-02-2023 +# @description : This file contains all the variables for the base role, for the debian OS. +#=================================================================================================== + +--- +sudo_group: sudo +openssh_service: ssh +openssh_package: openssh-server +ssh_port: 4422 -- 2.49.1 From 35f1f7154a0f78f92a7d5d72d1955fbbf2a000bf Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 17:41:17 +0100 Subject: [PATCH 09/10] ssh: Add ansible user to the allowed list Signed-off-by: Noah Knegt --- roles/base/templates/sshd_config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2 index 3e270bf..a5185a5 100644 --- a/roles/base/templates/sshd_config.j2 +++ b/roles/base/templates/sshd_config.j2 @@ -5,7 +5,7 @@ Port {{ ssh_port | default(22) }} Protocol 2 # Authentication: -AllowUsers {{ ssh_users | default("noahk") }} +AllowUsers {{ ssh_users | default("noahk ansible") }} ChallengeResponseAuthentication no HostbasedAuthentication no LoginGraceTime 120 -- 2.49.1 From c5d32b0788651271baf1566ebc2170ca336bb0dc Mon Sep 17 00:00:00 2001 From: Noah Knegt Date: Mon, 27 Feb 2023 17:43:29 +0100 Subject: [PATCH 10/10] ssh: Set the correct sftp paths 
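Review bot: `ssh_port: 4422` in `Ubuntu.yml` moves sshd to a non-default port on the first run, but the commit does not set `ansible_port: 4422` in the inventory nor open the port in the host firewall before the restart, so subsequent runs, and any ufw-enabled host, are cut off. Either add the inventory/firewall changes in the same commit or guard the template task with a pre-task that opens the new port, and comment in the vars file that the port change is a convenience against log noise, not a security control. The `noahk ALL=(ALL:ALL) ALL` rewrite is the correct sudoers syntax; the copy task still has no `visudo -cf` validation, which is what would have caught the original. The `AllowUsers` default now includes `ansible`, which fixes the automation lockout for hosts that actually use that account.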
Signed-off-by: Noah Knegt --- base.yml | 4 ++-- roles/base/templates/sshd_config.j2 | 1 + roles/base/vars/Archlinux.yml | 1 + roles/base/vars/Debian.yml | 1 + roles/base/vars/Ubuntu.yml | 1 + 5 files changed, 6 insertions(+), 2 deletions(-) diff --git a/base.yml b/base.yml index 52bc867..512ebcf 100644 --- a/base.yml +++ b/base.yml @@ -9,14 +9,14 @@ --- - hosts: ubuntu - remote_user: provision + remote_user: ansible become: true roles: - base # Clean up the system - hosts: ubuntu - remote_user: provision + remote_user: ansible become: true tasks: - name: cleanup package cache (debian and ubuntu) diff --git a/roles/base/templates/sshd_config.j2 b/roles/base/templates/sshd_config.j2 index a5185a5..31d28d4 100644 --- a/roles/base/templates/sshd_config.j2 +++ b/roles/base/templates/sshd_config.j2 @@ -26,6 +26,7 @@ IgnoreRhosts yes # Misc. options AcceptEnv LANG LC_* TCPKeepAlive yes +Subsystem sftp {{ sftp_path }} # Logging SyslogFacility AUTH diff --git a/roles/base/vars/Archlinux.yml b/roles/base/vars/Archlinux.yml index 65a65a4..7606ccc 100644 --- a/roles/base/vars/Archlinux.yml +++ b/roles/base/vars/Archlinux.yml @@ -11,3 +11,4 @@ sudo_group: wheel openssh_service: sshd openssh_package: openssh +sftp_path: /usr/lib/ssh/sftp-server diff --git a/roles/base/vars/Debian.yml b/roles/base/vars/Debian.yml index 79720e7..f864565 100644 --- a/roles/base/vars/Debian.yml +++ b/roles/base/vars/Debian.yml @@ -11,3 +11,4 @@ sudo_group: sudo openssh_service: ssh openssh_package: openssh-server +sftp_path: /usr/lib/openssh/sftp-server diff --git a/roles/base/vars/Ubuntu.yml b/roles/base/vars/Ubuntu.yml index 792ace3..581a0e7 100644 --- a/roles/base/vars/Ubuntu.yml +++ b/roles/base/vars/Ubuntu.yml @@ -11,4 +11,5 @@ sudo_group: sudo openssh_service: ssh openssh_package: openssh-server +sftp_path: /usr/lib/openssh/sftp-server ssh_port: 4422 -- 2.49.1
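Review bot: `Subsystem sftp {{ sftp_path }}` makes the template depend on a per-distribution binary path that must be maintained in every vars file, and a vars file without `sftp_path` fails the template with an undefined-variable error; `Subsystem sftp internal-sftp` removes that dependency entirely, is built into sshd on all three distributions listed, and is what a later `ChrootDirectory`/`Match` block would need anyway. If the external binary is kept on purpose, give `sftp_path` a default in the template (`{{ sftp_path | default('internal-sftp') }}`) so an unsupported distro still gets a valid config. `remote_user: ansible` now matches the `AllowUsers` list and the account the role creates, which closes the bootstrap mismatch of the previous commits.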