Add initial_setup.yml

2026-02-20 18:17:06 +00:00
parent 3238ad0a5e
commit fdc61bd22e
1 changed files with 111 additions and 0 deletions
--- a/initial_setup.yml
+++ b/initial_setup.yml
@@ -0,0 +1,111 @@
+---
+- name: Baseline user setup
+  hosts: all
+  become: true
+
+  vars:
+    users:
+      - name: automation
+        shell: /bin/bash
+        groups: []
+        sudo_nopasswd: true
+        ssh_keys:
+          - "ssh-ed25519 AAAAC3..."
+
+      - name: hellsos
+        shell: /bin/bash
+        groups: []
+        sudo_nopasswd: true
+        ssh_keys:
+          - "ssh-ed25519 AAAAC3..."
+
+      - name: jim
+        shell: /bin/bash
+        groups: []
+        sudo_nopasswd: true
+        ssh_keys:
+          - "ssh-ed25519 AAAAC3..."
+
+  tasks:
+
+    - name: Pick sudo group per distro
+      set_fact:
+        sudo_group: >-
+          {{ 'wheel'
+             if ansible_facts.os_family in
+             ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+             else 'sudo' }}
+
+    - name: Ensure user exists
+      ansible.builtin.user:
+        name: "{{ item.name }}"
+        shell: "{{ item.shell }}"
+        groups: "{{ sudo_group }}"
+        append: true
+        create_home: true
+      loop: "{{ users }}"
+
+    - name: Enforce authorized SSH keys
+      ansible.builtin.authorized_key:
+        user: "{{ item.name }}"
+        key: "{{ item.ssh_keys | join('\n') }}"
+        exclusive: true
+      loop: "{{ users }}"
+
+    - name: Grant passwordless sudo
+      ansible.builtin.copy:
+        dest: "/etc/sudoers.d/{{ item.name }}"
+        mode: '0440'
+        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"
+        validate: 'visudo -cf %s'
+      loop: "{{ users }}"
+      when: item.sudo_nopasswd
+
+# ==============================
+# SECOND PLAY: SSH HARDENING
+# ==============================
+
+- name: SSH Hardening
+  hosts: all
+  become: true
+  tags: never,hardening
+
+  tasks:
+
+    - name: Detect if system is Proxmox
+      ansible.builtin.stat:
+        path: /usr/bin/pveversion
+      register: proxmox_check
+
+    - name: Ensure sshd_config.d directory exists
+      ansible.builtin.file:
+        path: /etc/ssh/sshd_config.d
+        state: directory
+
+    - name: Deploy SSH hardening config
+      ansible.builtin.copy:
+        dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
+        mode: '0644'
+        content: |
+          PasswordAuthentication no
+          ChallengeResponseAuthentication no
+          PubkeyAuthentication yes
+          AuthenticationMethods publickey
+          UsePAM yes
+
+          {% if not proxmox_check.stat.exists %}
+          PermitRootLogin no
+          {% else %}
+          PermitRootLogin prohibit-password
+          {% endif %}
+        validate: 'sshd -t -f %s'
+      notify: Restart SSH
+
+  handlers:
+    - name: Restart SSH
+      ansible.builtin.service:
+        name: "{{ 'sshd'
+                  if ansible_facts.os_family in
+                  ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+                  else 'ssh' }}"
+        state: restarted