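---
# Bootstrap play for the "nodito" host group: install the controller's SSH
# public key for root, create an unprivileged admin user that carries the same
# key plus passwordless sudo, then harden sshd (no root login, no password
# authentication) and restart it.
#
# Assumptions (confirm against ../infra_vars.yml and the inventory):
#   - new_user and ssh_port are defined in ../infra_vars.yml.
#   - ansible_ssh_private_key_file names the controller-side private key; its
#     ".pub" sibling is read on the controller via lookup('file', ...).
#   - The initial connection is made as a user that can become root.
- name: Bootstrap Nodito SSH Key Access
  hosts: nodito
  become: true
  vars_files:
    - ../infra_vars.yml

  tasks:
    - name: Install sudo package
      package:
        name: sudo
        state: present

    - name: Ensure SSH directory exists for root
      file:
        path: /root/.ssh
        state: directory
        mode: "0700"
        owner: root
        group: root

    - name: Install SSH public key for root
      authorized_key:
        user: root
        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
        state: present

    # sshd_config edits: backrefs: true means a directive is only rewritten
    # when a (possibly commented-out) line for it already exists; if the
    # directive is absent the file is left unchanged and sshd keeps its
    # default. validate runs `sshd -t` against the candidate file so a
    # malformed edit is rejected before it replaces the live config.
    # NOTE(review): a Match block or a drop-in under /etc/ssh/sshd_config.d/
    # pulled in by an Include line can still override these directives —
    # check the effective value with `sshd -T` after the play.
    - name: Ensure SSH key-based authentication is enabled
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PubkeyAuthentication"
        line: "PubkeyAuthentication yes"
        state: present
        backrefs: true
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Ensure AuthorizedKeysFile is properly configured
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?AuthorizedKeysFile"
        line: "AuthorizedKeysFile .ssh/authorized_keys"
        state: present
        backrefs: true
        validate: "/usr/sbin/sshd -t -f %s"

    # The service is named "ssh" on Debian/Ubuntu; other families use "sshd".
    # The already-open Ansible connection normally survives the restart, so
    # the remaining tasks keep running over it.
    - name: Restart SSH service
      service:
        name: ssh
        state: restarted

    # Runs on the managed host and connects to its own ansible_host:ssh_port,
    # so it checks the daemon is listening, not reachability from the controller.
    - name: Wait for SSH to be ready
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ ansible_host }}"
        delay: 2
        timeout: 30

    # Reaching this task at all shows the connection still works after the
    # restart; whoami reports root because of the play-level become: true.
    - name: Test SSH key authentication
      command: whoami
      register: ssh_key_test
      changed_when: false

    - name: Verify SSH key authentication works
      assert:
        that:
          - ssh_key_test.stdout == "root"
        fail_msg: "SSH key authentication failed - expected 'root', got '{{ ssh_key_test.stdout }}'"

    # groups without append: true sets the supplementary groups to exactly
    # "sudo"; fine for a freshly created account, but it would strip other
    # groups from a pre-existing one.
    - name: Create new user
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: true

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    - name: Install SSH public key for new user
      authorized_key:
        user: "{{ new_user }}"
        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
        state: present

    # The content ends with a newline (older sudo rejects sudoers files that do
    # not) and the candidate file is checked with visudo -c before it is
    # installed; a broken file in sudoers.d would otherwise disable sudo for
    # every account on the host.
    - name: Allow new user to run sudo without password
      copy:
        dest: "/etc/sudoers.d/{{ new_user }}"
        content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: "/usr/sbin/visudo -csf %s"

    # Root login is only disabled after the new user's key and sudo rule are
    # in place, so a failure above leaves root access intact for recovery.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin .*"
        line: "PermitRootLogin no"
        state: present
        backrefs: true
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication .*"
        line: "PasswordAuthentication no"
        state: present
        backrefs: true
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Restart SSH service
      service:
        name: ssh
        state: restarted

    - name: Wait for SSH to be ready
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ ansible_host }}"
        delay: 2
        timeout: 30

    # become_user switches identity inside the existing root session, so this
    # confirms the account exists and is usable — not that key-based SSH login
    # as new_user succeeds. Verifying that needs a separate connection made as
    # new_user (e.g. a follow-up play with ansible_user set to it).
    - name: Test connection with new user
      command: whoami
      become_user: "{{ new_user }}"
      register: new_user_test
      changed_when: false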