ADD: gitignore

.gitignore

@@ -0,0 +1 @@
+secrets.yml

apt_upgrade.sh

@@ -0,0 +1 @@
+cd /home/mbuz/git/homelab/Ansible/ && ansible-playbook -i inventory/hosts.ini playbooks/apt_upgrade.yml -l ubuntu --extra-vars "@vars.yml" --extra-vars "@secrets.yml"

inventory/hosts.ini

@@ -21,6 +21,8 @@ gitea ansible_host=10.0.0.108
 zabbix-proxy ansible_host=10.0.0.110 
 pi-hole ansible_host=10.0.0.104
 ansible ansible_host=10.0.0.111
+automate ansible_host=10.0.0.112
+
 #localhost ansible_connection=local # for testing playbooks on the control node
 
 

playbooks/lxc_setup_ubuntu_git.yml

@@ -0,0 +1,88 @@
+---
+- name: Secure and Configure a New LXC Container
+  hosts: 'lxc' # Hosts or group defined in your inventory
+  remote_user: root
+  tasks:
+    - name: 1.0. Create group 'homelab'
+      ansible.builtin.group:
+        name: homelab
+        state: present
+
+    - name: 1.1. Create user '{{ target_user }}' and add to groups
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        shell: /bin/bash
+        groups: sudo,homelab # Add to sudo and homelab
+        append: yes # Ensure user is added to groups without removing existing ones
+        state: present
+
+    - name: 1.2. Allow '{{ target_user }}' to use sudo without a password
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+
+    - name: 2. Set up authorized_keys for '{{ target_user }}'
+      ansible.posix.authorized_key:
+        user: '{{ target_user }}'
+        key: "{{ item }}"
+        state: present
+        path: /home/{{ target_user }}/.ssh/authorized_keys
+      loop: "{{ my_public_keys }}"
+      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+    - name: 3. Lock password for '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        password_lock: yes
+
+    - name: 4.0. Install required software
+      ansible.builtin.apt:
+        name:
+          - software-properties-common
+          - git
+        state: present
+        update_cache: yes
+
+    - name: 4.1. Disallow root login over SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: 4.2. Disallow password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: 5.0. Create /opt/docker directory
+      ansible.builtin.file:
+        path: /opt/docker
+        state: directory
+        owner: '{{ target_user }}'
+        group: homelab
+        mode: '0775'
+
+    - name: 5.1. Clone Docker repository into /opt/docker
+      ansible.builtin.git:
+        repo: 'http://10.0.0.108:3000/Homelab/Docker.git'
+        dest: /opt/docker
+        clone: yes
+        update: yes
+      become: true
+      become_user: '{{ target_user }}'
+
+  handlers:
+    # This block will only run if at least one task sends a notification.
+    # This prevents unnecessary service restarts.
+    - name: 6. Restart sshd server
+      listen: "restart sshd"
+      ansible.builtin.service:
+        name: sshd
+        state: restarted