From 8d8f209d2f6c1b1013e88475b0ffe3e314cabe3d Mon Sep 17 00:00:00 2001
From: Vaclav Uruba
Date: Fri, 21 Jul 2023 13:50:26 +0200
Subject: [PATCH] add urubamba playbooks
---
.gitignore | 1 +
urubamba/playbook-setup.yml | 4 ++
urubamba/playbook-update.yml | 14 +++++++
urubamba/roles/users/defaults/main.yml | 2 +
urubamba/roles/users/files/.gitkeep | 0
urubamba/roles/users/handlers/main.yml | 5 +++
urubamba/roles/users/meta/main.yml | 51 ++++++++++++++++++++++++++
urubamba/roles/users/tasks/main.yml | 31 ++++++++++++++++
8 files changed, 108 insertions(+)
create mode 100644 .gitignore
create mode 100644 urubamba/playbook-setup.yml
create mode 100644 urubamba/playbook-update.yml
create mode 100644 urubamba/roles/users/defaults/main.yml
create mode 100644 urubamba/roles/users/files/.gitkeep
create mode 100644 urubamba/roles/users/handlers/main.yml
create mode 100644 urubamba/roles/users/meta/main.yml
create mode 100644 urubamba/roles/users/tasks/main.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..66a27b5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+**/files/*.key.pub
diff --git a/urubamba/playbook-setup.yml b/urubamba/playbook-setup.yml
new file mode 100644
index 0000000..bd9098f
--- /dev/null
+++ b/urubamba/playbook-setup.yml
@@ -0,0 +1,4 @@
+- name: Server setup
+ hosts: all
+ roles:
+ - users
diff --git a/urubamba/playbook-update.yml b/urubamba/playbook-update.yml
new file mode 100644
index 0000000..6cd44cc
--- /dev/null
+++ b/urubamba/playbook-update.yml
@@ -0,0 +1,14 @@
+- name: Server update
+ hosts: all
+ tasks:
+ - name: Update all packages
+ ansible.builtin.apt:
+ name: "*"
+ state: latest # noqa package-latest
+ register: result_update
+ - name: Print update result
+ ansible.builtin.debug:
+ msg: "{{ result_update.stdout_lines }}"
+ - name: Remove dependencies that are no longer required
+ ansible.builtin.apt:
+ autoremove: true
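Review bot: The ignore pattern `**/files/*.key.pub` excludes exactly the files that tasks/main.yml reads with `lookup('file', 'files/' + item.username + '.key.pub')`, so the role cannot run from a fresh clone until someone copies the keys in by hand, and nothing in the repository says so. Public keys are not secrets, so the simplest fix is to drop the pattern and commit them; if they are deliberately kept out, a comment such as `# admin public keys are provisioned out of band; see roles/users/tasks/main.yml` next to the pattern would record the dependency.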
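Review bot: The play never escalates privileges, yet the `users` role it applies creates accounts, writes a sudoers file and edits sshd_config, all of which need root; unless the inventory connects as root, add `become: true` next to `hosts: all` (the same applies to playbook-update.yml, where apt needs root as well). The file also lacks the `---` document start that the role files use. `hosts: all` for a play that ends by disabling password login is a wide blast radius; a narrower group, or at least a comment stating that every inventory host is meant to get this treatment, would help a reader.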
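Review bot: The upgrade task runs `state: latest` on `name: "*"` without refreshing the package lists, so a host with a stale apt cache upgrades against outdated metadata and may report nothing to do; add `update_cache: true` (with `cache_valid_time: 3600` to avoid refetching on every run) to the first `ansible.builtin.apt` task. The debug task dereferences `result_update.stdout_lines` unconditionally; if the apt module returns no `stdout` for a run (check mode, and possibly when nothing is upgradable — I have not verified the latter), the play fails on the print step rather than on the upgrade, so `msg: "{{ result_update.stdout_lines | default([]) }}"` is the safer form.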
diff --git a/urubamba/roles/users/defaults/main.yml b/urubamba/roles/users/defaults/main.yml
new file mode 100644
index 0000000..14cbea1
--- /dev/null
+++ b/urubamba/roles/users/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+sshd_config_path: /etc/ssh/sshd_config
diff --git a/urubamba/roles/users/files/.gitkeep b/urubamba/roles/users/files/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/urubamba/roles/users/handlers/main.yml b/urubamba/roles/users/handlers/main.yml
new file mode 100644
index 0000000..4fd0341
--- /dev/null
+++ b/urubamba/roles/users/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: "Restart ssh daemon"
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
diff --git a/urubamba/roles/users/meta/main.yml b/urubamba/roles/users/meta/main.yml
new file mode 100644
index 0000000..40a774f
--- /dev/null
+++ b/urubamba/roles/users/meta/main.yml
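Review bot: `admin_users`, which every task in tasks/main.yml loops over, has no default here, so the role aborts with an undefined-variable error unless inventory or play vars supply it; add `admin_users: []` below `sshd_config_path` so the contract is visible, together with a comment naming the item keys the tasks read, e.g. `# list of {username, password} mappings; the public key is read from files/<username>.key.pub`. Be aware that with an empty default the key-adding loop is skipped, which the password-login guard in tasks/main.yml still counts as succeeded, so that guard should also require a non-empty list.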
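Review bot: The handler is named `Restart ssh daemon`, but tasks/main.yml notifies `restart sshd`; Ansible resolves notifications by exact handler name (or a `listen` topic), so the run fails with an unknown-handler error instead of restarting the daemon. Either rename the handler to `restart sshd` or add `listen: restart sshd` under its name. On Debian-family hosts, which the apt-based update playbook suggests these are, the service unit is `ssh` and `sshd` works only where the alias is shipped, so a short comment or a variable for the unit name would save the next reader a trip.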
@@ -0,0 +1,51 @@
+galaxy_info:
+ author: Václav Uruba
+ description: create users
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: MIT
+
+ min_ansible_version: "2.1"
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/urubamba/roles/users/tasks/main.yml b/urubamba/roles/users/tasks/main.yml
new file mode 100644
index 0000000..683b4f1
--- /dev/null
+++ b/urubamba/roles/users/tasks/main.yml
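Review bot: `min_ansible_version: "2.1"` understates what the role needs: tasks/main.yml uses fully qualified collection names (`ansible.posix.authorized_key`, `community.general.sudoers`), which require ansible-core 2.10 or later plus both collections installed, and neither requirement is recorded anywhere in the patch. Raise the minimum and declare the collections either here (`collections: [ansible.posix, community.general]`) or in a `requirements.yml` next to the playbooks. The commented-out `platforms` block could also be filled in, since the tasks assume a Debian-family layout (apt, `/etc/ssh/sshd_config`, `/bin/bash`); the remaining `ansible-galaxy init` boilerplate comments add nothing and could be trimmed.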
@@ -0,0 +1,31 @@
+---
+- name: "Create admin user accounts"
+  ansible.builtin.user:
+    name: "{{ item.username }}"
+    password: "{{ item.password | password_hash('sha512') }}"
+    shell: /bin/bash
+  with_items: "{{ admin_users }}"
+
+- name: "Add authorized keys for admin user accounts"
+  ansible.posix.authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ lookup('file', 'files/' + item.username + '.key.pub') }}"
+  with_items: "{{ admin_users }}"
+  register: add_authorized_keys
+
+- name: "Add admin user accounts to sudoers file"
+  community.general.sudoers:
+    name: "sudo-{{ item.username }}"
+    user: "{{ item.username }}"
+    nopassword: false
+    commands: ALL
+  with_items: "{{ admin_users }}"
+
+- name: "Disable password login"
+  ansible.builtin.lineinfile:
+    dest: "{{ sshd_config_path }}"
+    regexp: '^(#\s*)?PasswordAuthentication '
+    line: 'PasswordAuthentication no'
+  when:
+    - add_authorized_keys is succeeded
+  notify: restart sshd
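Review bot: The guard `when: add_authorized_keys is succeeded` on the "Disable password login" task does not prevent a lockout: a loop that was skipped (empty `admin_users`) still satisfies `succeeded`, so password authentication can be switched off on a host where no key was installed, and the `lineinfile` edit is never validated before the handler restarts sshd. All three loops iterate the same `admin_users` items and Ansible prints each `item` — including `password` in clear — in the task output, so the account task needs `no_log: true` at minimum (and the other two a `loop_control` label so the password is not echoed). `password_hash('sha512')` with no fixed salt yields a different hash on every run, so the user task reports changed and rewrites the password each time; `update_password: on_create` keeps it idempotent. On Debian-family hosts whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in (the cloud-init one, for instance) can still set `PasswordAuthentication yes` and take precedence over this edit, so consider managing a drop-in there instead — I have not checked which images ship one. The changed lines are below.

```yaml
- name: "Create admin user accounts"
  ansible.builtin.user:
    name: "{{ item.username }}"
    password: "{{ item.password | password_hash('sha512') }}"
    shell: /bin/bash
    update_password: on_create  # unsalted hash differs every run; set only at creation
  with_items: "{{ admin_users }}"
  no_log: true  # loop output would otherwise print item.password
# … unchanged: authorized keys and sudoers tasks …
- name: "Disable password login"
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config_path }}"
    regexp: '^(#\s*)?PasswordAuthentication '
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'  # never hand a broken config to the restart handler
  when:
    - admin_users | length > 0  # a skipped key loop still counts as succeeded
    - add_authorized_keys is succeeded
  notify: restart sshd
```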