Homelab/Ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test #1

Closed
mbuz wants to merge 5 commits from test into main
pull from: test
merge into: Homelab:main
Conversation 0 Commits 5 Files Changed 4 +92
4 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
secrets.yml

1
apt_upgrade.sh Executable file
View File

@@ -0,0 +1 @@
cd /home/mbuz/git/homelab/Ansible/ && ansible-playbook -i inventory/hosts.ini playbooks/apt_upgrade.yml -l ubuntu --extra-vars "@vars.yml" --extra-vars "@secrets.yml"

2
inventory/hosts.ini
View File

@@ -21,6 +21,8 @@ gitea ansible_host=10.0.0.108
zabbix-proxy ansible_host=10.0.0.110 zabbix-proxy ansible_host=10.0.0.110
pi-hole ansible_host=10.0.0.104 pi-hole ansible_host=10.0.0.104
ansible ansible_host=10.0.0.111 ansible ansible_host=10.0.0.111
automate ansible_host=10.0.0.112
#localhost ansible_connection=local # for testing playbooks on the control node #localhost ansible_connection=local # for testing playbooks on the control node

88
playbooks/lxc_setup_ubuntu_git.yml Normal file
View File

@@ -0,0 +1,88 @@
---
- name: Secure and Configure a New LXC Container
hosts: 'lxc' # Hosts or group defined in your inventory
remote_user: root
tasks:
- name: 1.0. Create group 'homelab'
ansible.builtin.group:
name: homelab
state: present
- name: 1.1. Create user '{{ target_user }}' and add to groups
ansible.builtin.user:
name: '{{ target_user }}'
shell: /bin/bash
groups: sudo,homelab # Add to sudo and homelab
append: yes # Ensure user is added to groups without removing existing ones
state: present
- name: 1.2. Allow '{{ target_user }}' to use sudo without a password
ansible.builtin.copy:
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
mode: '0440'
validate: /usr/sbin/visudo -cf %s
- name: 2. Set up authorized_keys for '{{ target_user }}'
ansible.posix.authorized_key:
user: '{{ target_user }}'
key: "{{ item }}"
state: present
path: /home/{{ target_user }}/.ssh/authorized_keys
loop: "{{ my_public_keys }}"
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
- name: 3. Lock password for '{{ target_user }}'
ansible.builtin.user:
name: '{{ target_user }}'
password_lock: yes
- name: 4.0. Install required software
ansible.builtin.apt:
name:
- software-properties-common
- git
state: present
update_cache: yes
- name: 4.1. Disallow root login over SSH
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin no'
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
- name: 4.2. Disallow password authentication
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication no'
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
- name: 5.0. Create /opt/docker directory
ansible.builtin.file:
path: /opt/docker
state: directory
owner: '{{ target_user }}'
group: homelab
mode: '0775'
- name: 5.1. Clone Docker repository into /opt/docker
ansible.builtin.git:
repo: 'http://10.0.0.108:3000/Homelab/Docker.git'
dest: /opt/docker
clone: yes
update: yes
become: true
become_user: '{{ target_user }}'
handlers:
# This block will only run if at least one task sends a notification.
# This prevents unnecessary service restarts.
- name: 6. Restart sshd server
listen: "restart sshd"
ansible.builtin.service:
name: sshd
state: restarted