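---
# Bootstraps a freshly created LXC container: creates an admin user that
# authenticates with SSH keys only, then disables root login and password
# authentication in sshd.
#
# Expected inventory/extra vars:
#   target_user    - login name of the admin user to create
#   my_public_keys - list of SSH public key strings to authorize for that user
#
# The play connects as root. Task 4.1 turns off PermitRootLogin, so after the
# first successful run the root connection no longer works over SSH; re-run the
# play as target_user with become, or via the container host's attach/exec.
- name: Secure and Configure a New LXC Container
  hosts: 'lxc'  # Hosts or group defined in your inventory
  remote_user: root
  tasks:
    - name: 1. Create user '{{ target_user }}'
      ansible.builtin.user:
        name: '{{ target_user }}'
        shell: /bin/bash
        groups: sudo  # Add to sudo (for Debian/Ubuntu)
        # append keeps any supplementary groups the user already has; without it
        # re-running the play against an existing user silently strips them.
        append: true
        state: present

    # The user's password is locked in task 3, so sudo cannot prompt for one;
    # NOPASSWD is what keeps sudo usable. The effective privilege boundary is
    # therefore the SSH key material in my_public_keys.
    # sudo skips files in sudoers.d whose names contain '.' or end in '~', so a
    # target_user with a dot in it would make this rule silently inert.
    - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-{{ target_user }}-nopasswd"
        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
        mode: '0440'
        # Syntax-check the rendered file before it is installed; a bad sudoers
        # fragment would otherwise break sudo for every user.
        validate: /usr/sbin/visudo -cf %s

    - name: 2. Set up authorized_keys for '{{ target_user }}'
      ansible.posix.authorized_key:
        user: '{{ target_user }}'
        key: "{{ item }}"
        state: present
        path: "/home/{{ target_user }}/.ssh/authorized_keys"
      loop: "{{ my_public_keys }}"
      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.

    - name: 3. Lock password for '{{ target_user }}'
      ansible.builtin.user:
        name: '{{ target_user }}'
        password_lock: true

    - name: 4.0. Install software-properties-common
      ansible.builtin.apt:
        name: software-properties-common
        state: present
        update_cache: true

    # sshd takes the first value it sees for a keyword. On releases where
    # /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
    # a drop-in there (e.g. a cloud-init or image default) wins over the lines
    # edited below — TODO confirm for the base image used and, if so, target a
    # drop-in file instead.
    - name: 4.1. Disallow root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        # Validate the temp copy so a typo cannot lock every key holder out.
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    - name: 4.2. Disallow password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

  handlers:
    # This block will only run if at least one task sends a notification.
    # This prevents unnecessary service restarts.
    # NOTE(review): on Debian/Ubuntu the unit is "ssh"; "sshd" works only where
    # the distro ships it as an alias — confirm against the container image.
    - name: 5. Restart sshd server
      listen: "restart sshd"
      ansible.builtin.service:
        name: sshd
        state: restarted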