feat: Secure new LXC containers by configuring user access, SSH keys, and restricting SSH login.

2026-01-04 11:39:45 +01:00
parent 334213dc20
commit eecac82dcd
1 changed files with 76 additions and 7 deletions
--- a/playbooks/create_lxc.yml
+++ b/playbooks/create_lxc.yml
@@ -79,13 +79,82 @@
        # We need to ignore host key checking for the fresh container to avoid interactive prompt
        ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

-    - name: Add new host to local hosts.ini file (persistency)
+        ansible_ssh_pass: "{{ ansible_password }}"
+        # We need to ignore host key checking for the fresh container to avoid interactive prompt
+        ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+
+- name: Secure and Configure New Container
+  hosts: new
+  gather_facts: no
+  vars:
+    # We must explicitly use the password here because the 'new' group in inventory might not have it set
+    ansible_ssh_pass: "{{ hostvars[inventory_hostname]['ansible_ssh_pass'] | default(ansible_password) }}"
+    ansible_user: root
+  vars_files:
+    - "../vars.yml"
+  tasks:
+    - name: Wait for connection
+      wait_for_connection:
+        timeout: 60
+
+    - name: Create user '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        shell: /bin/bash
+        groups: sudo
+        state: present
+
+    - name: Allow '{{ target_user }}' to use sudo without a password
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+
+    - name: Set up authorized_keys for '{{ target_user }}'
+      ansible.posix.authorized_key:
+        user: '{{ target_user }}'
+        key: "{{ item }}"
+        state: present
+        path: /home/{{ target_user }}/.ssh/authorized_keys
+      loop: "{{ my_public_keys }}"
+
+    - name: Lock password for '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        password_lock: yes
+
+    - name: Disallow root login over SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: Disallow password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+  handlers:
+    - name: restart sshd
+      ansible.builtin.service:
+        name: sshd
+        state: restarted
+
+- name: Persist Host to Inventory
+  hosts: localhost
+  gather_facts: no
+  tasks:
+    - name: Add new host to local hosts.ini file
      ansible.builtin.blockinfile:
        path: "{{ playbook_dir }}/../inventory/hosts.ini"
        block: |
-          {{ container_name }} ansible_host={{ container_ip_cidr | split('/') | first }} ansible_user=root
-        insertafter: "^\\[new\\]"
-        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR NEW HOST {{ container_name }}"
-
- name: Run Standard Setup on New Host
-  import_playbook: lxc_setup_ubuntu.yml
+          {{ hostvars[item]['inventory_hostname'] }} ansible_host={{ hostvars[item]['ansible_host'] }}
+        insertafter: "^\\[lxc\\]"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HOST {{ hostvars[item]['inventory_hostname'] }}"
+      loop: "{{ groups['new'] }}"