From f1d5f8b686c875a38f5bc11feb1279bd705cfd17 Mon Sep 17 00:00:00 2001
From: quackerd
Date: Fri, 12 Mar 2021 18:55:03 -0500
Subject: [PATCH] modularize
---
ansible/add-user.yml | 48 +++++++++++++++++++
ansible/dnf-update.yml | 1 -
ansible/install-docker.yml | 39 +++++++++++++++
.../{vm-setup.yml => pkg-ssh-firewall.yml} | 48 +++++--------------
ssh_pub.pub | 1 +
5 files changed, 101 insertions(+), 36 deletions(-)
create mode 100644 ansible/add-user.yml
create mode 100644 ansible/install-docker.yml
rename ansible/{vm-setup.yml => pkg-ssh-firewall.yml} (67%)
create mode 100644 ssh_pub.pub
diff --git a/ansible/add-user.yml b/ansible/add-user.yml
new file mode 100644
index 0000000..0018db5
--- /dev/null
+++ b/ansible/add-user.yml
@@ -0,0 +1,48 @@
+- hosts: '{{ target }}'
+ gather_facts: false
+ become: true
+ remote_user: root
+ any_errors_fatal: yes
+ tasks:
+ - name: dnf install packages
+ dnf:
+ name: ["zsh", "wget", "git"]
+ state: latest
+
+ - name: add user
+ user:
+ name: quackerd
+ password: "{{ password | password_hash('sha512', salt) }}"
+ shell: /usr/bin/sh
+ groups: wheel
+ append: yes
+ state: present
+
+ - name: add user ssh key
+ ansible.posix.authorized_key:
+ user: quackerd
+ state: present
+ key: "{{ lookup('file', '../ssh_pub') }}"
+
+ - name: download ozsh script
+ get_url:
+ url: "https://git.quacker.org/d/ozsh/raw/branch/master/setup.sh"
+ dest: "/home/quackerd/setup.sh"
+
+ - name: configure user shell
+ become: yes
+ become_user: quackerd
+ shell:
+ cmd: "sh /home/quackerd/setup.sh"
+ creates: "/home/quackerd/.zshrc"
+
+ - name: cleanup ozsh script
+ file:
+ dest: "/home/quackerd/setup.sh"
+ state: absent
+
+ - name: chsh to zsh
+ user:
+ name: quackerd
+ shell: /usr/bin/zsh
+ state: present
\ No newline at end of file
diff --git a/ansible/dnf-update.yml b/ansible/dnf-update.yml
index 1dc468b..1281be6 100644
--- a/ansible/dnf-update.yml
+++ b/ansible/dnf-update.yml
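Review bot: The `key: "{{ lookup('file', '../ssh_pub') }}"` line reads a file named `ssh_pub` one level above `ansible/`, but the file this commit adds is `ssh_pub.pub`, so the lookup fails at runtime unless an untracked `ssh_pub` also exists; point it at `'../ssh_pub.pub'` or rename the new file. The `get_url` of `setup.sh` carries no `checksum:`, so whatever `git.quacker.org` serves at that URL is executed as `quackerd` by the next task — pin it with `checksum: "sha256:<digest>"`, and because the download runs as root with no `owner:`/`mode:`, add `owner: quackerd` and `mode: "0700"` so the script is not a root-owned (and, under the default umask, likely world-readable) file in the user's home. `password_hash('sha512', salt)` with a fixed `salt` produces the same hash on every host, which is fine for idempotency only if `password` and `salt` come from an encrypted source such as ansible-vault rather than plain extra-vars. `any_errors_fatal: yes`, `append: yes` and `become: yes` should be `true` (yamllint truthy).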
@@ -3,7 +3,6 @@
become: true
remote_user: root
strategy: free
- #any_errors_fatal: yes
tasks:
- name: dnf update
dnf:
diff --git a/ansible/install-docker.yml b/ansible/install-docker.yml
new file mode 100644
index 0000000..a860624
--- /dev/null
+++ b/ansible/install-docker.yml
@@ -0,0 +1,39 @@
+- hosts: '{{ target }}'
+ gather_facts: false
+ become: true
+ remote_user: root
+ any_errors_fatal: yes
+ tasks:
+ - name: dnf add repo
+ get_url:
+ url: "https://download.docker.com/linux/centos/docker-ce.repo"
+ dest: "/etc/yum.repos.d/docker-ce.repo"
+
+ - name: dnf install
+ dnf:
+ name: ['python3', 'python3-jinja2', 'python3-pip', 'docker-ce']
+ state: latest
+
+ - name: updating pip
+ pip:
+ executable: "/usr/bin/pip3"
+ state: latest
+ name: "pip"
+
+ - name: installing docker-compose
+ pip:
+ executable: "/usr/bin/pip3"
+ state: latest
+ name: "docker-compose"
+
+ - name: symlinking docker-compose
+ file:
+ src: "/usr/local/bin/docker-compose"
+ dest: "/usr/bin/docker-compose"
+ state: link
+
+ - name: enabling docker
+ service:
+ name: docker
+ enabled: yes
+ state: started
diff --git a/ansible/vm-setup.yml b/ansible/pkg-ssh-firewall.yml
similarity index 67%
rename from ansible/vm-setup.yml
rename to ansible/pkg-ssh-firewall.yml
index 8c20693..47dabf0 100644
--- a/ansible/vm-setup.yml
+++ b/ansible/pkg-ssh-firewall.yml
@@ -9,11 +9,6 @@
name: firewalld
state: stopped
- - name: dnf add repo
- get_url:
- url: "https://download.docker.com/linux/centos/docker-ce.repo"
- dest: /etc/yum.repos.d/docker-ce.repo
-
- name: dnf install epel
dnf:
name: "epel-release"
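Review bot: The two `pip` tasks use `state: latest` with no version or hash pin, so every run installs whatever the newest `pip` and `docker-compose` on PyPI happen to be, as root, into the system Python — an unverified supply-chain input on each host; pin them (`name: "docker-compose==<version>"`, or a requirements file installed with `--require-hashes`) or use the distro package. Upgrading `pip` itself through pip as root also shadows or overwrites the copy from the `python3-pip` RPM installed just above, which a later `dnf` transaction may silently revert. The `get_url` of `docker-ce.repo` has no `checksum:`; package signatures are only enforced if the downloaded repo file still says `gpgcheck=1` with the genuine `gpgkey` URL, so pin the file with `checksum: "sha256:<digest>"`. `enabled: yes` and `any_errors_fatal: yes` should be `true`.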
@@ -26,30 +21,9 @@
- name: dnf install
dnf:
- name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils', 'zsh', 'docker-ce']
+ name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils']
state: latest
update_cache: True
-
- - name: Change root password
- user:
- name: root
- update_password: always
- password: "{{ root_password | password_hash('sha512', user_salt) }}"
-
- - name: add user
- user:
- name: quackerd
- password: "{{ user_password | password_hash('sha512', user_salt) }}"
- shell: /usr/bin/bash
- groups: wheel
- append: yes
- state: present
-
- - name: add user ssh key
- ansible.posix.authorized_key:
- user: quackerd
- state: present
- key: "{{ lookup('file', '../ssh_pub') }}"
- name: configure sshd
lineinfile:
@@ -59,10 +33,20 @@
state: present
validate: "/usr/sbin/sshd -t -f %s"
loop:
- - { key: "PermitRootLogin", value: "without-password" }
- - { key: "PasswordAuthentication", value: "yes" }
+ - { key: "PermitRootLogin", value: "no" }
+ - { key: "PasswordAuthentication", value: "no" }
- { key: "Port", value: "77" }
+ - name: configure sshd match
+ blockinfile:
+ path: "/etc/ssh/sshd_config"
+ state: present
+ validate: "/usr/sbin/sshd -t -f %s"
+ block: |
+ Match Address 129.97.75.0/24
+ PermitRootLogin without-password
+ PasswordAuthentication yes
+
- name: enable selinux
lineinfile:
path: "/etc/selinux/config"
@@ -107,12 +91,6 @@
state: disabled
offline: yes
- - name: enable docker
- service:
- name: docker
- state: started
- enabled: yes
-
- name: start firewalld
service:
name: firewalld
diff --git a/ssh_pub.pub b/ssh_pub.pub
new file mode 100644
index 0000000..b2adc1f
--- /dev/null
+++ b/ssh_pub.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi3i3BgGrOEm6LAXkE7sEVGNIXQ5DFdNZM+l/yjbtQh
\ No newline at end of file
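Review bot: The `Match Address 129.97.75.0/24` block re-enables `PasswordAuthentication yes` and root login for an entire /24, so the `PermitRootLogin no` / `PasswordAuthentication no` set a few lines above does not apply to any host on that subnet, and one compromised machine there can brute-force passwords and log in as root directly. Keep `PasswordAuthentication no` inside the Match block as well (root can already log in with the key via `PermitRootLogin without-password`), and prefer the current spelling `prohibit-password`, which is the same setting. `blockinfile` appends at EOF and `lineinfile` replaces the last match of its `regexp:`, which is outside this hunk — if that pattern tolerates leading whitespace, a later run rewrites the indented `PasswordAuthentication` line inside the Match block instead of the global one and the two tasks fight on every run, so anchor it at column 0 (`^PasswordAuthentication`) and keep the Match lines indented. The subnet should come from a variable (`Match Address {{ trusted_admin_cidr }}`) rather than a literal in the playbook.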