modularize

2021-03-12 18:55:03 -05:00 · 2021-03-12 18:55:03 -05:00 · f1d5f8b686
parent db85e1a726
commit f1d5f8b686
5 changed files with 101 additions and 36 deletions
--- a/ansible/add-user.yml
+++ b/ansible/add-user.yml
@ -0,0 +1,48 @@
+- hosts: '{{ target }}'
+  gather_facts: false
+  become: true
+  remote_user: root
+  any_errors_fatal: yes
+  tasks:
+  - name: dnf install packages
+    dnf:
+      name: ["zsh", "wget", "git"]
+      state: latest
+
+  - name: add user
+    user:
+      name: quackerd
+      password: "{{ password | password_hash('sha512', salt) }}"
+      shell: /usr/bin/sh
+      groups: wheel
+      append: yes
+      state: present
+  
+  - name: add user ssh key
+    ansible.posix.authorized_key:
+      user: quackerd
+      state: present
+      key: "{{ lookup('file', '../ssh_pub') }}"
+
+  - name: download ozsh script
+    get_url:
+      url: "https://git.quacker.org/d/ozsh/raw/branch/master/setup.sh"
+      dest: "/home/quackerd/setup.sh"
+
+  - name: configure user shell
+    become: yes
+    become_user: quackerd
+    shell:
+      cmd: "sh /home/quackerd/setup.sh"
+      creates: "/home/quackerd/.zshrc"
+
+  - name: cleanup ozsh script
+    file:
+      dest: "/home/quackerd/setup.sh"
+      state: absent
+
+  - name: chsh to zsh
+    user:
+      name: quackerd
+      shell: /usr/bin/zsh
+      state: present
--- a/ansible/dnf-update.yml
+++ b/ansible/dnf-update.yml
@ -3,7 +3,6 @@
  become: true
  remote_user: root
  strategy: free
-    #any_errors_fatal: yes
  tasks:
  - name: dnf update
    dnf:
--- a/ansible/install-docker.yml
+++ b/ansible/install-docker.yml
@ -0,0 +1,39 @@
+- hosts: '{{ target }}'
+  gather_facts: false
+  become: true
+  remote_user: root
+  any_errors_fatal: yes
+  tasks:
+  - name: dnf add repo
+    get_url:
+      url: "https://download.docker.com/linux/centos/docker-ce.repo"
+      dest: "/etc/yum.repos.d/docker-ce.repo"
+
+  - name: dnf install
+    dnf:
+      name: ['python3', 'python3-jinja2', 'python3-pip', 'docker-ce']
+      state: latest
+
+  - name: updating pip
+    pip:
+      executable: "/usr/bin/pip3"
+      state: latest
+      name: "pip"
+
+  - name: installing docker-compose
+    pip:
+      executable: "/usr/bin/pip3"
+      state: latest
+      name: "docker-compose"
+
+  - name: symlinking docker-compose
+    file:
+      src: "/usr/local/bin/docker-compose"
+      dest: "/usr/bin/docker-compose"
+      state: link
+
+  - name: enabling docker
+    service:
+      name: docker
+      enabled: yes 
+      state: started
--- a/ansible/pkg-ssh-firewall.yml
+++ b/ansible/pkg-ssh-firewall.yml
@ -9,11 +9,6 @@
      name: firewalld
      state: stopped

-  - name: dnf add repo
-    get_url:
-      url: "https://download.docker.com/linux/centos/docker-ce.repo"
-      dest: /etc/yum.repos.d/docker-ce.repo
-
  - name: dnf install epel    
    dnf:
      name: "epel-release"
@ -26,30 +21,9 @@

  - name: dnf install
    dnf:
-      name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils', 'zsh', 'docker-ce']
+      name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils']
      state: latest
      update_cache: True
-  
-  - name: Change root password
-    user:
-      name: root 
-      update_password: always 
-      password: "{{ root_password | password_hash('sha512', user_salt) }}"
-
-  - name: add user
-    user:
-      name: quackerd
-      password: "{{ user_password | password_hash('sha512', user_salt) }}"
-      shell: /usr/bin/bash
-      groups: wheel
-      append: yes
-      state: present
-  
-  - name: add user ssh key
-    ansible.posix.authorized_key:
-      user: quackerd
-      state: present
-      key: "{{ lookup('file', '../ssh_pub') }}"

  - name: configure sshd
    lineinfile:
@ -59,10 +33,20 @@
      state: present
      validate: "/usr/sbin/sshd -t -f %s"
    loop:
-      - { key: "PermitRootLogin", value: "without-password" }
-      - { key: "PasswordAuthentication", value: "yes" }
+      - { key: "PermitRootLogin", value: "no" }
+      - { key: "PasswordAuthentication", value: "no" }
      - { key: "Port", value: "77" }

+  - name: configure sshd match
+    blockinfile:
+      path: "/etc/ssh/sshd_config"
+      state: present
+      validate: "/usr/sbin/sshd -t -f %s"
+      block: |
+        Match Address 129.97.75.0/24
+          PermitRootLogin without-password 
+          PasswordAuthentication yes
+
  - name: enable selinux
    lineinfile:
      path: "/etc/selinux/config"
@ -107,12 +91,6 @@
      state: disabled
      offline: yes

-  - name: enable docker
-    service:
-      name: docker
-      state: started
-      enabled: yes
-
  - name: start firewalld
    service:
      name: firewalld
--- a/ssh_pub.pub
+++ b/ssh_pub.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi3i3BgGrOEm6LAXkE7sEVGNIXQ5DFdNZM+l/yjbtQh
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi3i3BgGrOEm6LAXkE7sEVGNIXQ5DFdNZM+l/yjbtQh`