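---
# Host bootstrap tasks: wheel group and local admin account, OS-family specific
# task files, UFW with SSH allowed, sudo for wheel, and the sshd configuration.
# This is a task file (no play header); become/hosts are set by the caller.

- name: Create wheel group
  ansible.builtin.group:
    name: wheel
    state: present
    # Canonical YAML booleans; "yes" is only a boolean under YAML 1.1 rules.
    system: true

- name: Create local administrator
  ansible.builtin.user:
    state: present
    name: localadmin
    uid: 1000
    groups:
      - wheel
    create_home: true
    # Salt the password hash with a value derived from the inventory name so it
    # is stable between runs (the task stays idempotent) but differs per host.
    # The previous fixed literal salt was shared by every host, so identical
    # passwords would have produced identical hashes. This is the Ansible
    # documented idiom for a static, per-host salt.
    password: "{{ admin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

- name: Load Arch tasks
  # import_tasks is static; the when: below is applied to each imported task.
  ansible.builtin.import_tasks: arch.yml
  when: ansible_os_family | lower == "archlinux"

- name: Load Debian tasks
  ansible.builtin.import_tasks: debian.yml
  when: ansible_os_family | lower == "debian"

- name: Allow SSH
  # Default for SSH is to allow from LAN, WLAN, and VPN; set ssh_allowlist
  # (a list of source networks) in inventory to override.
  loop: "{{ ssh_allowlist|default(['10.242.0.0/23', '10.242.3.0/24']) }}"
  community.general.ufw:
    rule: allow
    name: SSH
    from: "{{ item }}"

# Ordering matters: the SSH allow rule is added above, before the firewall is
# enabled, so the managing connection is covered by a rule from the start.
- name: Start UFW
  community.general.ufw:
    state: enabled

- name: Allow wheel to use sudo
  ansible.builtin.copy:
    src: admin.conf
    dest: /etc/sudoers.d/00-administrators
    # Syntax-check the sudoers drop-in before it replaces the live file so a
    # malformed file cannot break sudo on the host.
    validate: /usr/sbin/visudo -cf %s
    # Octal mode quoted so YAML does not read it as a decimal integer.
    mode: "0440"
    owner: root
    group: root

- name: Configure SSH server
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Test the rendered config with sshd before installing it: a broken
    # sshd_config followed by the restart handler would cut off remote access.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart SSH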