temp monitor

2025-10-26 23:39:02 +01:00 · 2025-10-26 23:39:02 +01:00 · 4a4c61308a
commit 4a4c61308a
parent 85012f8ba5
5 changed files with 366 additions and 1 deletions
--- a/ansible/infra/nodito/30_proxmox_bootstrap_playbook.yml
+++ b/ansible/infra/nodito/30_proxmox_bootstrap_playbook.yml
@ -0,0 +1,128 @@
+- name: Bootstrap Nodito SSH Key Access
+  hosts: nodito
+  become: true
+  vars_files:
+    - ../infra_vars.yml
+
+  tasks:
+    - name: Install sudo package
+      package:
+        name: sudo
+        state: present
+
+    - name: Ensure SSH directory exists for root
+      file:
+        path: /root/.ssh
+        state: directory
+        mode: "0700"
+        owner: root
+        group: root
+
+    - name: Install SSH public key for root
+      authorized_key:
+        user: root
+        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
+        state: present
+
+    - name: Ensure SSH key-based authentication is enabled
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PubkeyAuthentication"
+        line: "PubkeyAuthentication yes"
+        state: present
+        backrefs: yes
+
+    - name: Ensure AuthorizedKeysFile is properly configured
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?AuthorizedKeysFile"
+        line: "AuthorizedKeysFile .ssh/authorized_keys"
+        state: present
+        backrefs: yes
+
+    - name: Restart SSH service
+      service:
+        name: ssh
+        state: restarted
+
+    - name: Wait for SSH to be ready
+      wait_for:
+        port: "{{ ssh_port }}"
+        host: "{{ ansible_host }}"
+        delay: 2
+        timeout: 30
+
+    - name: Test SSH key authentication
+      command: whoami
+      register: ssh_key_test
+      changed_when: false
+
+    - name: Verify SSH key authentication works
+      assert:
+        that:
+          - ssh_key_test.stdout == "root"
+        fail_msg: "SSH key authentication failed - expected 'root', got '{{ ssh_key_test.stdout }}'"
+
+    - name: Create new user
+      user:
+        name: "{{ new_user }}"
+        groups: sudo
+        shell: /bin/bash
+        state: present
+        create_home: yes
+
+    - name: Set up SSH directory for new user
+      file:
+        path: "/home/{{ new_user }}/.ssh"
+        state: directory
+        mode: "0700"
+        owner: "{{ new_user }}"
+        group: "{{ new_user }}"
+
+    - name: Install SSH public key for new user
+      authorized_key:
+        user: "{{ new_user }}"
+        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
+        state: present
+
+    - name: Allow new user to run sudo without password
+      copy:
+        dest: "/etc/sudoers.d/{{ new_user }}"
+        content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"
+        owner: root
+        group: root
+        mode: "0440"
+
+    - name: Disable root login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PermitRootLogin .*"
+        line: "PermitRootLogin no"
+        state: present
+        backrefs: yes
+
+    - name: Disable password authentication
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PasswordAuthentication .*"
+        line: "PasswordAuthentication no"
+        state: present
+        backrefs: yes
+
+    - name: Restart SSH service
+      service:
+        name: ssh
+        state: restarted
+
+    - name: Wait for SSH to be ready
+      wait_for:
+        port: "{{ ssh_port }}"
+        host: "{{ ansible_host }}"
+        delay: 2
+        timeout: 30
+
+    - name: Test connection with new user
+      command: whoami
+      become_user: "{{ new_user }}"
+      register: new_user_test
+      changed_when: false