TEST: Auto-editing inventory
This commit is contained in:
@@ -19,13 +19,11 @@ truenas ansible_host=10.0.0.200
|
|||||||
[lxc]
|
[lxc]
|
||||||
gitea ansible_host=10.0.0.108
|
gitea ansible_host=10.0.0.108
|
||||||
zabbix-proxy ansible_host=10.0.0.110
|
zabbix-proxy ansible_host=10.0.0.110
|
||||||
pi-hole ansible_host=10.0.0.104
|
|
||||||
ansible ansible_host=10.0.0.111
|
ansible ansible_host=10.0.0.111
|
||||||
automate ansible_host=10.0.0.112
|
automate ansible_host=10.0.0.112
|
||||||
|
|
||||||
#localhost ansible_connection=local # for testing playbooks on the control node
|
#localhost ansible_connection=local # for testing playbooks on the control node
|
||||||
|
|
||||||
|
|
||||||
[pbs]
|
[pbs]
|
||||||
proxmox-backup ansible_host=10.0.0.201
|
proxmox-backup ansible_host=10.0.0.201
|
||||||
|
|
||||||
@@ -33,4 +31,7 @@ proxmox-backup ansible_host=10.0.0.201
|
|||||||
[ubuntu:children]
|
[ubuntu:children]
|
||||||
docker
|
docker
|
||||||
ubuntu_servers
|
ubuntu_servers
|
||||||
lxc
|
lxc
|
||||||
|
|
||||||
|
[new]
|
||||||
|
pi-hole ansible_host=10.0.0.104 ansible_user=root
|
||||||
@@ -1,43 +1,41 @@
|
|||||||
---
|
---
|
||||||
- name: Secure and Configure a New LXC Container
|
- name: 1. Secure and Configure a New LXC Container
|
||||||
hosts: 'lxc' # Hosts or group defined in your inventory
|
hosts: 'new' # Target hosts in the [new] group
|
||||||
remote_user: root
|
remote_user: root # Connect as root, as defined in the inventory for this group
|
||||||
|
gather_facts: no
|
||||||
|
vars:
|
||||||
|
target_user: mbuz
|
||||||
|
my_public_keys:
|
||||||
|
- "{{ lookup('file', '/home/mbuz/.ssh/id_ed25519.pub') }}"
|
||||||
tasks:
|
tasks:
|
||||||
- name: 1. Create user '{{ target_user }}'
|
- name: Create user '{{ target_user }}'
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: '{{ target_user }}'
|
name: '{{ target_user }}'
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
groups: sudo # Add to sudo (for Debian/Ubuntu)
|
groups: sudo
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: 1.1. Allow '{{ target_user }}' to use sudo without a password
|
- name: Allow '{{ target_user }}' to use sudo without a password
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
|
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
|
||||||
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
|
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
validate: /usr/sbin/visudo -cf %s
|
validate: /usr/sbin/visudo -cf %s
|
||||||
|
|
||||||
- name: 2. Set up authorized_keys for '{{ target_user }}'
|
- name: Set up authorized_keys for '{{ target_user }}'
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: '{{ target_user }}'
|
user: '{{ target_user }}'
|
||||||
key: "{{ item }}"
|
key: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
path: /home/{{ target_user }}/.ssh/authorized_keys
|
path: /home/{{ target_user }}/.ssh/authorized_keys
|
||||||
loop: "{{ my_public_keys }}"
|
loop: "{{ my_public_keys }}"
|
||||||
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
|
|
||||||
|
|
||||||
- name: 3. Lock password for '{{ target_user }}'
|
- name: Lock password for '{{ target_user }}'
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: '{{ target_user }}'
|
name: '{{ target_user }}'
|
||||||
password_lock: yes
|
password_lock: yes
|
||||||
|
|
||||||
- name: 4.0. Install software-properties-common
|
- name: Disallow root login over SSH
|
||||||
ansible.builtin.apt:
|
|
||||||
name: software-properties-common
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
- name: 4.1. Disallow root login over SSH
|
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: '^#?PermitRootLogin'
|
regexp: '^#?PermitRootLogin'
|
||||||
@@ -45,7 +43,7 @@
|
|||||||
validate: /usr/sbin/sshd -t -f %s
|
validate: /usr/sbin/sshd -t -f %s
|
||||||
notify: restart sshd
|
notify: restart sshd
|
||||||
|
|
||||||
- name: 4.2. Disallow password authentication
|
- name: Disallow password authentication
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: '^#?PasswordAuthentication'
|
regexp: '^#?PasswordAuthentication'
|
||||||
@@ -54,10 +52,30 @@
|
|||||||
notify: restart sshd
|
notify: restart sshd
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
# This block will only run if at least one task sends a notification.
|
- name: Restart sshd server
|
||||||
# This prevents unnecessary service restarts.
|
|
||||||
- name: 5. Restart sshd server
|
|
||||||
listen: "restart sshd"
|
listen: "restart sshd"
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
# --- Move host from NEW to LXC group ---
|
||||||
|
- name: 2. Graduate Host from [new] to [lxc] in Inventory
|
||||||
|
hosts: localhost
|
||||||
|
connection: local
|
||||||
|
gather_facts: no
|
||||||
|
tasks:
|
||||||
|
- name: Remove host from the [new] group
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /opt/ansible/inventory/hosts.ini
|
||||||
|
regexp: "^{{ item }}\\s" # Match the start of the line with the hostname
|
||||||
|
state: absent
|
||||||
|
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
|
||||||
|
|
||||||
|
- name: Add host to the [lxc] group
|
||||||
|
ansible.builtin.blockinfile:
|
||||||
|
path: /opt/ansible/inventory/hosts.ini
|
||||||
|
block: |
|
||||||
|
{{ item }} ansible_host={{ hostvars[item]['ansible_host'] }}
|
||||||
|
insertafter: "[lxc]"
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR LXC"
|
||||||
|
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
|
||||||
Reference in New Issue
Block a user