test #1
88
playbooks/lxc_setup_ubuntu_git.yml
Normal file
88
playbooks/lxc_setup_ubuntu_git.yml
Normal file
@@ -0,0 +1,88 @@
|
|||||||
|
---
|
||||||
|
- name: Secure and Configure a New LXC Container
|
||||||
|
hosts: 'lxc' # Hosts or group defined in your inventory
|
||||||
|
remote_user: root
|
||||||
|
tasks:
|
||||||
|
- name: 1.0. Create group 'homelab'
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: homelab
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: 1.1. Create user '{{ target_user }}' and add to groups
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: '{{ target_user }}'
|
||||||
|
shell: /bin/bash
|
||||||
|
groups: sudo,homelab # Add to sudo and homelab
|
||||||
|
append: yes # Ensure user is added to groups without removing existing ones
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: 1.2. Allow '{{ target_user }}' to use sudo without a password
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
|
||||||
|
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
|
||||||
|
mode: '0440'
|
||||||
|
validate: /usr/sbin/visudo -cf %s
|
||||||
|
|
||||||
|
- name: 2. Set up authorized_keys for '{{ target_user }}'
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: '{{ target_user }}'
|
||||||
|
key: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
path: /home/{{ target_user }}/.ssh/authorized_keys
|
||||||
|
loop: "{{ my_public_keys }}"
|
||||||
|
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
|
||||||
|
|
||||||
|
- name: 3. Lock password for '{{ target_user }}'
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: '{{ target_user }}'
|
||||||
|
password_lock: yes
|
||||||
|
|
||||||
|
- name: 4.0. Install required software
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- software-properties-common
|
||||||
|
- git
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
||||||
|
|
||||||
|
- name: 4.1. Disallow root login over SSH
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
regexp: '^#?PermitRootLogin'
|
||||||
|
line: 'PermitRootLogin no'
|
||||||
|
validate: /usr/sbin/sshd -t -f %s
|
||||||
|
notify: restart sshd
|
||||||
|
|
||||||
|
- name: 4.2. Disallow password authentication
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
regexp: '^#?PasswordAuthentication'
|
||||||
|
line: 'PasswordAuthentication no'
|
||||||
|
validate: /usr/sbin/sshd -t -f %s
|
||||||
|
notify: restart sshd
|
||||||
|
|
||||||
|
- name: 5.0. Create /opt/docker directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /opt/docker
|
||||||
|
state: directory
|
||||||
|
owner: '{{ target_user }}'
|
||||||
|
group: homelab
|
||||||
|
mode: '0775'
|
||||||
|
|
||||||
|
- name: 5.1. Clone Docker repository into /opt/docker
|
||||||
|
ansible.builtin.git:
|
||||||
|
repo: 'http://10.0.0.108:3000/Homelab/Docker.git'
|
||||||
|
dest: /opt/docker
|
||||||
|
clone: yes
|
||||||
|
update: yes
|
||||||
|
become: true
|
||||||
|
become_user: '{{ target_user }}'
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
# This block will only run if at least one task sends a notification.
|
||||||
|
# This prevents unnecessary service restarts.
|
||||||
|
- name: 6. Restart sshd server
|
||||||
|
listen: "restart sshd"
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: sshd
|
||||||
|
state: restarted
|
||||||
Reference in New Issue
Block a user