diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 5ca321e..c502940 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -19,13 +19,11 @@ truenas ansible_host=10.0.0.200
 [lxc]
 gitea ansible_host=10.0.0.108
 zabbix-proxy ansible_host=10.0.0.110
-pi-hole ansible_host=10.0.0.104
+
 ansible ansible_host=10.0.0.111
 automate ansible_host=10.0.0.112
-
 #localhost ansible_connection=local # for testing playbooks on the control node
-
 [pbs]
 proxmox-backup ansible_host=10.0.0.201
@@ -33,4 +31,7 @@ proxmox-backup ansible_host=10.0.0.201
 [ubuntu:children]
 docker
 ubuntu_servers
-lxc
\ No newline at end of file
+lxc
+
+[new]
+pi-hole ansible_host=10.0.0.104 ansible_user=root
\ No newline at end of file
diff --git a/playbooks/lxc_setup_ubuntu.yml b/playbooks/lxc_setup_ubuntu.yml
index 5725cfa..20168d4 100644
--- a/playbooks/lxc_setup_ubuntu.yml
+++ b/playbooks/lxc_setup_ubuntu.yml
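Review bot: `[new]` is not listed under `[ubuntu:children]`, so a host parked there stops inheriting whatever is defined for the `ubuntu` and `lxc` groups (group_vars, if the repository has them) for as long as the bootstrap play runs; if that is not intended, add `new` to `[ubuntu:children]`. `ansible_user=root` on the `pi-hole` line also duplicates `remote_user: root` in the bootstrap play, and keeping it only in the inventory is the better single source of truth, because the graduation play later rewrites this line without it. The file still ends without a trailing newline; the lineinfile/blockinfile tasks that edit it cope with that, but a final newline is conventional.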
@@ -1,43 +1,41 @@
 ---
-- name: Secure and Configure a New LXC Container
- hosts: 'lxc' # Hosts or group defined in your inventory
- remote_user: root
+- name: 1. Secure and Configure a New LXC Container
+ hosts: 'new' # Target hosts in the [new] group
+ remote_user: root # Connect as root, as defined in the inventory for this group
+ gather_facts: no
+ vars:
+ target_user: mbuz
+ my_public_keys:
+ - "{{ lookup('file', '/home/mbuz/.ssh/id_ed25519.pub') }}"
 tasks:
- - name: 1. Create user '{{ target_user }}'
+ - name: Create user '{{ target_user }}'
 ansible.builtin.user:
 name: '{{ target_user }}'
 shell: /bin/bash
- groups: sudo # Add to sudo (for Debian/Ubuntu)
+ groups: sudo
 state: present
- - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
+ - name: Allow '{{ target_user }}' to use sudo without a password
 ansible.builtin.copy:
 dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
 content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
 mode: '0440'
 validate: /usr/sbin/visudo -cf %s
- - name: 2. Set up authorized_keys for '{{ target_user }}'
+ - name: Set up authorized_keys for '{{ target_user }}'
 ansible.posix.authorized_key:
 user: '{{ target_user }}'
 key: "{{ item }}"
 state: present
 path: /home/{{ target_user }}/.ssh/authorized_keys
 loop: "{{ my_public_keys }}"
- # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
- - name: 3. Lock password for '{{ target_user }}'
+ - name: Lock password for '{{ target_user }}'
 ansible.builtin.user:
 name: '{{ target_user }}'
 password_lock: yes
- - name: 4.0. Install software-properties-common
- ansible.builtin.apt:
- name: software-properties-common
- state: present
- update_cache: yes
-
- - name: 4.1. Disallow root login over SSH
+ - name: Disallow root login over SSH
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '^#?PermitRootLogin'
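Review bot: `my_public_keys` reads `/home/mbuz/.ssh/id_ed25519.pub` from the control node by absolute path, so the play only works when run by that account on that machine, while the second play writes `/opt/ansible/inventory/hosts.ini`, which suggests it is also run from a checkout elsewhere. Resolving the home directory at run time removes that coupling: `- "{{ lookup('file', lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"`. The new `gather_facts: no` would read better as `gather_facts: false`, since `no` is a YAML 1.1 boolean spelling that yamllint's truthy rule flags. The play's `tasks:` list continues past the end of this hunk.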
@@ -45,7 +43,7 @@
 validate: /usr/sbin/sshd -t -f %s
 notify: restart sshd
- - name: 4.2. Disallow password authentication
+ - name: Disallow password authentication
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '^#?PasswordAuthentication'
@@ -54,10 +52,30 @@
 notify: restart sshd
 handlers:
- # This block will only run if at least one task sends a notification.
- # This prevents unnecessary service restarts.
- - name: 5. Restart sshd server
+ - name: Restart sshd server
 listen: "restart sshd"
 ansible.builtin.service:
 name: sshd
 state: restarted
+
+# --- Move host from NEW to LXC group ---
+- name: 2. Graduate Host from [new] to [lxc] in Inventory
+ hosts: localhost
+ connection: local
+ gather_facts: no
+ tasks:
+ - name: Remove host from the [new] group
+ ansible.builtin.lineinfile:
+ path: /opt/ansible/inventory/hosts.ini
+ regexp: "^{{ item }}\\s" # Match the start of the line with the hostname
+ state: absent
+ loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
+
+ - name: Add host to the [lxc] group
+ ansible.builtin.blockinfile:
+ path: /opt/ansible/inventory/hosts.ini
+ block: |
+ {{ item }} ansible_host={{ hostvars[item]['ansible_host'] }}
+ insertafter: "[lxc]"
+ marker: "# {mark} ANSIBLE MANAGED BLOCK FOR LXC"
+ loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
\ No newline at end of file
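Review bot: `insertafter: "[lxc]"` in the blockinfile task is a regular expression, so `[lxc]` is a character class matching any line that contains an l, x or c, and blockinfile inserts after the last such line; once the remove task has run, that is most likely the `lxc` entry under `[ubuntu:children]`, which would place the host line in the wrong stanza and break the inventory. The marker is also the same for every loop item, so with more than one host in `[new]` each iteration replaces the previous host's block and only the last one survives. The hard-coded `/opt/ansible/inventory/hosts.ini` can be `"{{ inventory_file }}"`, and the hostname interpolated into the removal regexp should go through `regex_escape`. Note too that `groups['new']` still lists hosts that failed the first play, so they would be graduated regardless of whether their hardening completed; confirm that is intended. Using lineinfile with an anchored pattern for the insert avoids both the regex and the marker problem:
```yaml
# … unchanged: play header (hosts: localhost, connection: local, gather_facts) …
  tasks:
    - name: Remove host from the [new] group
      ansible.builtin.lineinfile:
        path: "{{ inventory_file }}"
        regexp: "^{{ item | regex_escape }}\\s"
        state: absent
      loop: "{{ groups['new'] }}"

    - name: Add host to the [lxc] group
      ansible.builtin.lineinfile:
        path: "{{ inventory_file }}"
        line: "{{ item }} ansible_host={{ hostvars[item]['ansible_host'] }}"
        insertafter: '^\[lxc\]$'
      loop: "{{ groups['new'] }}"
```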