ansible/initial_setup.yml

---
- name: Baseline user setup
  hosts: all
  become: true

  vars:
    users:
      - name: automation
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@internet-master.cz"

      - name: hellsos
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC3T4/HSs1q5jf34sCqicSQOb05k+bxfmNMMKEGzRrGT3BfCG428F19OBIswvcuBPC0Q4TpPz84BkiATCx2o1JUH1xIOFcHzxxXbyzHAhjwto1wOr1DkwZWAvDPbdnJ39OsC0EdmrAHSXut93q4vzOsLlS34bOWP1THGY9nBKOHwJUQmS5tLw6dqbhKA886TrPXJDR9euEC+SYaytMyDUPYEa6dlDyRp77eII/uI/hf/6e+34wm9XyFyGMiMrQeO0u6Gq5NhsoBlhrCW3ds0To+DBZ/YKNzpzcN+uPKM1+r9nN8KwdwjRkQEwSdB4osz/UeGTiXB0jwb0+ftFthBFdOil86cd1OiAMmuKB/19QHv0NsVhs2JocP5JcrAgx8ktQzLIkOM4lt6Kt9rjHv1KNfdsZdiHqlOwrDv9B2Ei44qEUAsWlFSzEi7R3mOED4F04N3FeQ9TkrRRH6SE733t1Kum2VAz6wr4BSNyYxQOCnXoANy/JyoM5e5tQ7pht7tuxX78zhFlC7pAmVu0dnCQimSsIsXNlYGM7DQ7QMva8mKu49V3B7tU0ChghSRJUb2Sg0tkTAxzCR+WOOf8kAnkXNOV5vExQ3h5Xmb52A+az37Hyex379ryKqpffaf9RTx9pBagQf1XbUtA4KazuEi3fMmqCQjz+xFZJAZQ== hellsos@hellsos-PC"
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhfQt1VNQo8EbIog4yjU5VEF3mTyMEC7o1Qe95X4JwG jan@rabcan.cz"

      - name: jim
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"

  tasks:

    - name: Pick sudo group per distro
      set_fact:
        sudo_group: >-
          {{ 'wheel'
             if ansible_facts.os_family in
             ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
             else 'sudo' }}

    - name: Ensure user exists
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell }}"
        groups: "{{ sudo_group }}"
        append: true
        create_home: true
      loop: "{{ users }}"

    - name: Enforce authorized SSH keys
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.ssh_keys | join('\n') }}"
        exclusive: true
      loop: "{{ users }}"

    - name: Grant passwordless sudo
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ item.name }}"
        mode: '0440'
        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"
        validate: 'visudo -cf %s'
      loop: "{{ users }}"
      when: item.sudo_nopasswd

# ==============================
# SECOND PLAY: SSH HARDENING
# ==============================

- name: SSH Hardening
  hosts: all
  become: true
  tags: never,hardening

  tasks:

    - name: Detect if system is Proxmox
      ansible.builtin.stat:
        path: /usr/bin/pveversion
      register: proxmox_check

    - name: Ensure sshd_config.d directory exists
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d
        state: directory

    - name: Deploy SSH hardening config
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
        mode: '0644'
        content: |
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          PubkeyAuthentication yes
          AuthenticationMethods publickey
          UsePAM yes

          {% if not proxmox_check.stat.exists %}
          PermitRootLogin no
          {% else %}
          PermitRootLogin prohibit-password
          {% endif %}
        validate: 'sshd -t -f %s'
      notify: Restart SSH

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        name: "{{ 'sshd'
                  if ansible_facts.os_family in
                  ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
                  else 'ssh' }}"
        state: restarted

# ==============================
# THIRD PLAY: HOSTNAME
# ==============================

- name: Set hostname from inventory
  hosts: all
  become: true
  tags: never,hostname

  tasks:

    - name: Set system hostname to inventory_hostname
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"