diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e984de7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets.yml
\ No newline at end of file
diff --git a/apt_upgrade.sh b/apt_upgrade.sh
new file mode 100755
index 0000000..00e88a1
--- /dev/null
+++ b/apt_upgrade.sh
@@ -0,0 +1 @@
+cd /home/mbuz/git/homelab/Ansible/ && ansible-playbook -i inventory/hosts.ini playbooks/apt_upgrade.yml -l ubuntu --extra-vars "@vars.yml" --extra-vars "@secrets.yml"
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 6ce9d2a..5ca321e 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -21,6 +21,8 @@ gitea ansible_host=10.0.0.108
 zabbix-proxy ansible_host=10.0.0.110
 pi-hole ansible_host=10.0.0.104
 ansible ansible_host=10.0.0.111
+automate ansible_host=10.0.0.112
+ #localhost ansible_connection=local # for testing playbooks on the control node
diff --git a/playbooks/lxc_setup_ubuntu_git.yml b/playbooks/lxc_setup_ubuntu_git.yml
new file mode 100644
index 0000000..503335c
--- /dev/null
+++ b/playbooks/lxc_setup_ubuntu_git.yml
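Review bot: Ignoring `secrets.yml` only prevents an accidental `git add`; the file still sits in plaintext on the control node and `git add -f` bypasses the rule, so the more robust habit is to keep it encrypted with `ansible-vault encrypt secrets.yml`, after which it can be committed and still passed exactly as apt_upgrade.sh does, with `--ask-vault-pass` or `--vault-password-file` added. The new entry also has no trailing newline (git reports it here), which makes the next addition to the file a noisier diff.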
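Review bot: The script is created executable (mode 100755) but has no shebang, so the interpreter depends on whichever shell invokes it, and the hard-coded `/home/mbuz/git/homelab/Ansible/` breaks for any other checkout location or user. Since the file sits at the root of the Ansible directory, `cd "$(dirname "$0")"` resolves the same directory portably; I would open the file with `#!/usr/bin/env bash`, `set -euo pipefail` and that `cd`, followed by the existing `ansible-playbook` invocation. With `set -e` in place the `&&` chaining is no longer needed.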
@@ -0,0 +1,88 @@
+---
+- name: Secure and Configure a New LXC Container
+ hosts: 'lxc' # Hosts or group defined in your inventory
+ remote_user: root
+ tasks:
+ - name: 1.0. Create group 'homelab'
+ ansible.builtin.group:
+ name: homelab
+ state: present
+
+ - name: 1.1. Create user '{{ target_user }}' and add to groups
+ ansible.builtin.user:
+ name: '{{ target_user }}'
+ shell: /bin/bash
+ groups: sudo,homelab # Add to sudo and homelab
+ append: yes # Ensure user is added to groups without removing existing ones
+ state: present
+
+ - name: 1.2. Allow '{{ target_user }}' to use sudo without a password
+ ansible.builtin.copy:
+ dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+ content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+ mode: '0440'
+ validate: /usr/sbin/visudo -cf %s
+
+ - name: 2. Set up authorized_keys for '{{ target_user }}'
+ ansible.posix.authorized_key:
+ user: '{{ target_user }}'
+ key: "{{ item }}"
+ state: present
+ path: /home/{{ target_user }}/.ssh/authorized_keys
+ loop: "{{ my_public_keys }}"
+ # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+ - name: 3. Lock password for '{{ target_user }}'
+ ansible.builtin.user:
+ name: '{{ target_user }}'
+ password_lock: yes
+
+ - name: 4.0. Install required software
+ ansible.builtin.apt:
+ name:
+ - software-properties-common
+ - git
+ state: present
+ update_cache: yes
+
+ - name: 4.1. Disallow root login over SSH
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PermitRootLogin'
+ line: 'PermitRootLogin no'
+ validate: /usr/sbin/sshd -t -f %s
+ notify: restart sshd
+
+ - name: 4.2. Disallow password authentication
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ validate: /usr/sbin/sshd -t -f %s
+ notify: restart sshd
+
+ - name: 5.0. Create /opt/docker directory
+ ansible.builtin.file:
+ path: /opt/docker
+ state: directory
+ owner: '{{ target_user }}'
+ group: homelab
+ mode: '0775'
+
+ - name: 5.1. Clone Docker repository into /opt/docker
+ ansible.builtin.git:
+ repo: 'http://10.0.0.108:3000/Homelab/Docker.git'
+ dest: /opt/docker
+ clone: yes
+ update: yes
+ become: true
+ become_user: '{{ target_user }}'
+
+ handlers:
+ # This block will only run if at least one task sends a notification.
+ # This prevents unnecessary service restarts.
+ - name: 6. Restart sshd server
+ listen: "restart sshd"
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
\ No newline at end of file
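Review bot: Task 4.1 writes `PermitRootLogin no` while the play connects with `remote_user: root`, so the first run completes (the restart handler only fires after the last task) but every re-run is refused at connection time; the target user does not exist before task 1.1, so root is genuinely needed once, and the practical fix is to state that in the play header, e.g. `# First run as root; re-run with -u <target_user> (sudo is passwordless after 1.2)`. On Ubuntu releases whose `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in setting `PasswordAuthentication yes` takes precedence over the `lineinfile` edits in 4.1 and 4.2 (sshd keeps the first value it reads for each keyword), so the hardening may silently not apply; verify with `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` after the handler runs, or write the two settings to a `sshd_config.d` drop-in that sorts first. `append: yes`, `password_lock: yes`, `update_cache: yes`, `clone: yes` and `update: yes` are YAML 1.1 truthy spellings that yamllint flags; `true` is the canonical form and the file already uses it for `become: true`. The `/etc/sudoers.d/90-{{ target_user }}-nopasswd` drop-in is silently skipped by sudo if the rendered file name contains a `.`, so it is worth asserting that `target_user` has none before task 1.2.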