mbuz/homelab
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-08-25. You can view files and clone it, but cannot push or open issues or pull requests.
Files
b12b1fa9248e0dbe1e83fb6ab761ac756f74dc59
homelab/Ansible/playbooks/lxc_setup_ubuntu.yml

64 lines
2.1 KiB
YAML
Raw Blame History

---
- name: Secure and Configure a New LXC Container
hosts: 'lxc' # Hosts or group defined in your inventory
remote_user: root
tasks:
- name: 1. Create user '{{ target_user }}'
ansible.builtin.user:
name: '{{ target_user }}'
shell: /bin/bash
groups: sudo # Add to sudo (for Debian/Ubuntu)
state: present
- name: 1.1. Allow '{{ target_user }}' to use sudo without a password
ansible.builtin.copy:
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
mode: '0440'
validate: /usr/sbin/visudo -cf %s
- name: 2. Set up authorized_keys for '{{ target_user }}'
ansible.posix.authorized_key:
user: '{{ target_user }}'
key: "{{ item }}"
state: present
path: /home/{{ target_user }}/.ssh/authorized_keys
loop: "{{ my_public_keys }}"
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
- name: 3. Lock password for '{{ target_user }}'
ansible.builtin.user:
name: '{{ target_user }}'
password_lock: yes
- name: 4.0. Install software-properties-common
ansible.builtin.apt:
name: software-properties-common
state: present
update_cache: yes
- name: 4.1. Disallow root login over SSH
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin no'
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
- name: 4.2. Disallow password authentication
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication no'
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
handlers:
# This block will only run if at least one task sends a notification.
# This prevents unnecessary service restarts.
- name: 5. Restart sshd server
listen: "restart sshd"
ansible.builtin.service:
name: sshd
state: restarted
Reference in New Issue View Git Blame Copy Permalink