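--- a/.gitignore
+++ b/.gitignore
@@ -1,1 +1,2 @@
 hosts.yml
+group_vars/all/secret.yml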
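Review bot: Ignoring `group_vars/all/secret.yml` sits oddly next to the README hunk's `--ask-vault-pass`: a vault-encrypted secrets file can be tracked safely, while an ignored plaintext one never reaches a fresh clone, where `roles/system/defaults/main.yml` then supplies `password: changeme` in its place. If the file is meant to stay plaintext and untracked, a comment on the entry such as `# plaintext secrets, deliberately kept out of git` would record that choice. An ignore entry also does not untrack a file that was committed earlier; I cannot tell from this page whether that applies.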
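--- a/README.org
+++ b/README.org
@@ -1,2 +1,13 @@
 * ccw.icu infra
 Ansible Playbook I use to provision my Alpine Linux server
+
+* Requirements
+- ~ansible~
+
+* Running
+#+begin_src bash
+ansible-playbook run.yml -K --ask-vault-pass
+#+end_src
+
+* More
+- [[https://www.youtube.com/watch?v=Z7p9-m4cimg][Ansible IaC Deep Dive (Wolfang's Channel)]]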
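--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -5,3 +5,4 @@ base_packages:
 - exa
 - htop
 - doas
+shell: /bin/ash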
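Review bot: `base_packages` is now defined both here and in `roles/system/defaults/main.yml`, and Ansible replaces lists across precedence levels rather than merging them, so with this group_vars list in effect the role default's `pfetch` and `neovim` are never part of `base_packages`; `- doas` is the only entry the two lists share. The same applies to `shell: /bin/ash`, which this hunk and the role defaults both set, with the group_vars value always winning. Keep one of the two lists as the canonical one, or have the role concatenate a separate extras list; how the role consumes `base_packages` is not visible on this page, so the right split depends on that.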
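--- a/roles/system/defaults/main.yml
+++ b/roles/system/defaults/main.yml
@@ -1,4 +1,12 @@
+# default username
 username: user
-packages:
+# default user password
+password: changeme
+# default user login shell
+shell: /bin/ash
+
+# List of default preinstalled packages
+base_packages:
 - pfetch
 - neovim
+ - doas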
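Review bot: `password: changeme` puts a well-known plaintext default into a tracked file, and because role defaults have the lowest precedence it silently becomes the real login password whenever the gitignored `group_vars/all/secret.yml` is missing (fresh clone, forgotten file). Drop the default so that `{{ password | password_hash('sha512') }}` in `roles/system/tasks/user.yml` fails on the undefined variable instead, and leave a comment in its place: `# password: supplied by group_vars/all/secret.yml, intentionally no default`. Separately, the added `- doas` appears indented one level deeper than the `- pfetch`/`- neovim` context lines; if that is real rather than a rendering artefact, most parsers fold it into the preceding plain scalar (`neovim - doas`) instead of adding a list item, so the sequence indentation should match its neighbours.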
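--- /dev/null
+++ b/roles/system/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart sshd
+ service:
+ name: sshd
+ state: restarted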
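Review bot: The handler and every task file in this commit call modules by short name (`service`, `file`, `lineinfile`, `group`, `user`); ansible-lint's `fqcn` rule asks for `ansible.builtin.service` and friends, which also avoids collection name resolution at run time. `state: restarted` drops every open SSH session for a configuration change, and since this playbook is the only way in, a failed restart locks you out; `state: reloaded` applies sshd_config changes while keeping existing connections, provided the OpenRC sshd script supports reload on this Alpine release.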
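--- a/roles/system/tasks/shell.yml
+++ b/roles/system/tasks/shell.yml
@@ -11,3 +11,8 @@
 create: true
 search_string: "^export EDITOR=neovim"
 line: "export EDITOR=nvim"
+
+- name: Disable login message
+ file:
+ path: /etc/motd
+ state: absent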
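Review bot: `search_string: "^export EDITOR=neovim"` on the context lines above the new task is a literal substring match, not a regex, so the `^` guarantees it never matches; lineinfile then appends `export EDITOR=nvim` at the end of the file while any existing `export EDITOR=neovim` line stays put. `regexp: "^export EDITOR="` replaces either variant in place. That task begins outside the hunk, so its `path` is not visible here. The new `Disable login message` task is fine as written; if a later `alpine-baselayout` upgrade recreates `/etc/motd`, an empty file via `copy` with `content: ""` would survive it, but I cannot confirm that behaviour from this page.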
M roles/system/tasks/ssh.yml => roles/system/tasks/ssh.yml +3 -7
@@ 4,13 4,9 @@
path: /etc/ssh/sshd_config
regexp: "^#PasswordAuthentication yes"
line: "PasswordAuthentication no"
- register: sshd_config
-
-- name: Restart sshd
- service:
- name: sshd
- state: restarted
- when: sshd_config.changed
+ validate: 'sshd -T -f %s'
+ mode: 0644
+ notify: Restart sshd
- name: Enable ssh on boot
service:
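Review bot: `regexp: "^#PasswordAuthentication yes"` only matches the commented stock line, so on a host where `PasswordAuthentication yes` was already set explicitly (image default, earlier manual edit) nothing matches and `PasswordAuthentication no` is appended at the end of the file — and sshd honours the first occurrence of a keyword, so the explicit `yes` keeps winning. `regexp: "^#?PasswordAuthentication\\s"` catches both forms and replaces in place. `mode: 0644` is an octal integer to a YAML 1.1 parser, which Ansible accepts, but `mode: "0644"` is what ansible-lint's `risky-octal` rule wants. The `validate`/`notify` pair is the right shape; the `Enable ssh on boot` task starts on the last lines of the hunk and continues outside it.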
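--- /dev/null
+++ b/roles/system/tasks/user.yml
@@ -0,0 +1,26 @@
+---
+- name: Ensure all necessary groups are created
+ group:
+ name: "{{ item }}"
+ loop:
+ - docker
+ - "{{ username }}"
+
+- name: Ensure a non-root user is created
+ user:
+ name: "{{ username }}"
+ password: "{{ password | password_hash('sha512') }}"
+ groups:
+ - docker
+ - users
+ - wheel
+ append: yes
+ shell: "{{ shell }}"
+ update_password: on_create
+
+- name: Enable passwordless doas for "{{ username }}"
+ lineinfile:
+ path: /etc/doas.d/user.conf
+ regexp: "^permit nopass :wheel"
+ line: "permit nopass :wheel"
+ validate: "doas -C %s"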
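Review bot: The doas task's `lineinfile` has no `create`, so it fails on first run unless something outside this commit already created `/etc/doas.d/user.conf`, and it sets no `owner`/`mode`, leaving the file's permissions to whatever umask the write happens under even though doas rejects a config that is not root-owned or is group/world-writable. `permit nopass :wheel` also hands passwordless root to every wheel member, and the same user is added to `docker`, which is root-equivalent by itself; `permit persist :wheel` or a rule scoped to `{{ username }}` narrows that, if the Alpine doas build supports `persist`. `append: yes` should be `append: true` (yamllint `truthy`). The password hash is regenerated with a fresh salt on every run, which `update_password: on_create` correctly keeps from churning the account.

```yaml
- name: Enable passwordless doas for "{{ username }}"
  lineinfile:
    path: /etc/doas.d/user.conf
    create: true
    owner: root
    group: root
    mode: "0600"
    regexp: "^permit nopass :wheel"
    line: "permit nopass :wheel"
    validate: "doas -C %s"
```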