From d8dbfbd3284e52931e6002d6e0d3839cfd30f52a Mon Sep 17 00:00:00 2001
From: Maksym Buz
Date: Tue, 26 Aug 2025 18:02:55 +0200
Subject: [PATCH] FEATURE: Added new yml for testing. It should clon the repo after LXC will be prepared
---
 playbooks/lxc_setup_ubuntu_git.yml | 88 ++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 playbooks/lxc_setup_ubuntu_git.yml
diff --git a/playbooks/lxc_setup_ubuntu_git.yml b/playbooks/lxc_setup_ubuntu_git.yml
new file mode 100644
index 0000000..503335c
--- /dev/null
+++ b/playbooks/lxc_setup_ubuntu_git.yml
@@ -0,0 +1,88 @@
+---
+- name: Secure and Configure a New LXC Container
+ hosts: 'lxc' # Hosts or group defined in your inventory
+ remote_user: root
+ tasks:
+ - name: 1.0. Create group 'homelab'
+ ansible.builtin.group:
+ name: homelab
+ state: present
+
+ - name: 1.1. Create user '{{ target_user }}' and add to groups
+ ansible.builtin.user:
+ name: '{{ target_user }}'
+ shell: /bin/bash
+ groups: sudo,homelab # Add to sudo and homelab
+ append: yes # Ensure user is added to groups without removing existing ones
+ state: present
+
+ - name: 1.2. Allow '{{ target_user }}' to use sudo without a password
+ ansible.builtin.copy:
+ dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+ content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+ mode: '0440'
+ validate: /usr/sbin/visudo -cf %s
+
+ - name: 2. Set up authorized_keys for '{{ target_user }}'
+ ansible.posix.authorized_key:
+ user: '{{ target_user }}'
+ key: "{{ item }}"
+ state: present
+ path: /home/{{ target_user }}/.ssh/authorized_keys
+ loop: "{{ my_public_keys }}"
+ # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+ - name: 3. Lock password for '{{ target_user }}'
+ ansible.builtin.user:
+ name: '{{ target_user }}'
+ password_lock: yes
+
+ - name: 4.0. Install required software
+ ansible.builtin.apt:
+ name:
+ - software-properties-common
+ - git
+ state: present
+ update_cache: yes
+
+ - name: 4.1. Disallow root login over SSH
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PermitRootLogin'
+ line: 'PermitRootLogin no'
+ validate: /usr/sbin/sshd -t -f %s
+ notify: restart sshd
+
+ - name: 4.2. Disallow password authentication
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ validate: /usr/sbin/sshd -t -f %s
+ notify: restart sshd
+
+ - name: 5.0. Create /opt/docker directory
+ ansible.builtin.file:
+ path: /opt/docker
+ state: directory
+ owner: '{{ target_user }}'
+ group: homelab
+ mode: '0775'
+
+ - name: 5.1. Clone Docker repository into /opt/docker
+ ansible.builtin.git:
+ repo: 'http://10.0.0.108:3000/Homelab/Docker.git'
+ dest: /opt/docker
+ clone: yes
+ update: yes
+ become: true
+ become_user: '{{ target_user }}'
+
+ handlers:
+ # This block will only run if at least one task sends a notification.
+ # This prevents unnecessary service restarts.
+ - name: 6. Restart sshd server
+ listen: "restart sshd"
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
\ No newline at end of file
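Review bot: Task 5.1 clones `http://10.0.0.108:3000/Homelab/Docker.git` over plaintext HTTP with no `version:` pinned, so the contents of /opt/docker that this container will presumably run are whatever any on-path host on that LAN chooses to serve, and with `update: yes` every re-run silently follows the branch head; switch the scheme to https or ssh and add `version: '<tag-or-commit>'` (or a variable carrying one) so the checkout is pinned and verifiable. Tasks 4.1/4.2 edit /etc/ssh/sshd_config with lineinfile, but if this Ubuntu image includes `/etc/ssh/sshd_config.d/*.conf` at the top of that file (22.04+ does, and sshd keeps the first value it reads), a drop-in such as cloud-init's `PasswordAuthentication yes` would win over the appended lines — writing both directives to `/etc/ssh/sshd_config.d/00-hardening.conf` instead makes the hardening take effect regardless. Note also that once 4.1 applies, the play's own `remote_user: root` can no longer log in, so a second run needs `remote_user: '{{ target_user }}'` with `become: true`, and since 1.2 grants `NOPASSWD: ALL` that user's SSH key is effectively a root credential — a one-line comment on 1.2 stating that this is intended would help the next maintainer. Finally, `append: yes`, `password_lock: yes`, `update_cache: yes`, `clone: yes` and `update: yes` should be `true` to match the `become: true` already used in the same file and avoid the YAML 1.1 truthy trap.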