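#===========================================================================
# ?                                ABOUT
# @author      :  Noah Knegt
# @email       :  personal@noahknegt.com
# @repo        :  https://git.noahknegt.com/noah.knegt/ansible-automations
# @createdOn   :  09-02-2023
# @description :  This playbook creates a user on the remote hosts and
#                 adds an SSH key to its authorized_keys file. It also
#                 disables password authentication and root login.
#===========================================================================
---
- hosts: ubuntu
  vars:
    # NOTE(review): this is a SHA-512 crypt hash committed in plain text.
    # Anyone who can read the repository can run offline guessing against
    # it; prefer supplying the value from Ansible Vault or an untracked
    # vars file and rotating the password behind this hash.
    provision_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/'
  gather_facts: false
  # The play logs in as root and then disables root login, so once the
  # "restart ssh" handler has run, later runs must connect as "provision".
  remote_user: root

  tasks:
    - name: Add new provisioning user
      user:
        name: provision
        password: "{{ provision_password }}"
        shell: /bin/bash

    # Passwordless sudo for every command makes "provision" equivalent to
    # root; the deployed SSH key is then the only control protecting it.
    - name: Add provisioning user to sudoers
      copy:
        dest: /etc/sudoers.d/provision
        # Trailing newline so the drop-in ends with a complete line.
        content: "provision ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        # Read-only for root and group, the mode sudo expects for sudoers files.
        mode: "0440"
        # Syntax-check the file before it replaces the destination; a broken
        # file in sudoers.d can make sudo unusable on the host.
        validate: '/usr/sbin/visudo -cf %s'

    # A failure here stops the play for that host, so password and root
    # login are only switched off after the key is in place.
    - name: Deploy SSH key
      authorized_key:
        user: provision
        key: "{{ lookup('file', '/home/noahk/.ssh/id_ed25519.pub') }}"
        state: present

    # sshd uses the first value it obtains for each keyword. The regexp only
    # matches an uncommented directive; when there is none, the line is
    # inserted before the first Match block (or at the end of the file when
    # there is no Match block) so that it stays a global setting.
    # NOTE(review): if sshd_config includes /etc/ssh/sshd_config.d/*.conf, a
    # drop-in there that sets the same keyword can take precedence; confirm
    # the effective value with `sshd -T` on a target host.
    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        insertbefore: '(?i)^\s*Match\s'
        firstmatch: true
        state: present
        backup: true
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    # Same placement rules as the PasswordAuthentication task above.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        insertbefore: '(?i)^\s*Match\s'
        firstmatch: true
        state: present
        backup: true
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

  handlers:
    # NOTE(review): on Debian/Ubuntu the unit is ssh.service and "sshd" is
    # an alias that may be absent on some releases; confirm the unit name
    # on the target hosts.
    - name: restart ssh
      service:
        name: sshd
        state: restarted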