~comcloudway/ansible-ccw.icu: Added Basic user setup

8 files changed, 61 insertions(+), 8 deletions(-)

M .gitignore
M README.org
M group_vars/all/vars.yml
M roles/system/defaults/main.yml
A roles/system/handlers/main.yml
M roles/system/tasks/shell.yml
M roles/system/tasks/ssh.yml
A roles/system/tasks/user.yml

M .gitignore => .gitignore +1 -0

@@ 1,1 1,2 @@
 hosts.yml
+group_vars/all/secret.yml

M README.org => README.org +11 -0

@@ 1,2 1,13 @@
 * ccw.icu infra
 Ansible Playbook I use to provision my Alpine Linux server
+
+* Requirements
+- ~ansible~
+
+* Running
+#+begin_src bash
+ansible-playbook run.yml -K --ask-vault-pass
+#+end_src
+
+* More
+- [[https://www.youtube.com/watch?v=Z7p9-m4cimg][Ansible IaC Deep Dive (Wolfang's Channel)]]

M group_vars/all/vars.yml => group_vars/all/vars.yml +1 -0

@@ 5,3 5,4 @@ base_packages:
   - exa
   - htop
   - doas
+shell: /bin/ash

M roles/system/defaults/main.yml => roles/system/defaults/main.yml +9 -1

@@ 1,4 1,12 @@
+# default username
 username: user
-packages:
+# default user password
+password: changeme
+# default user login shell
+shell: /bin/ash
+
+# List of default preinstalled packages
+base_packages:
   - pfetch
   - neovim
+  - doas

A roles/system/handlers/main.yml => roles/system/handlers/main.yml +5 -0

@@ 0,0 1,5 @@
+---
+- name: Restart sshd
+  service:
+    name: sshd
+    state: restarted

M roles/system/tasks/shell.yml => roles/system/tasks/shell.yml +5 -0

@@ 11,3 11,8 @@
     create: true
     search_string: "^export EDITOR=neovim"
     line: "export EDITOR=nvim"
+
+- name: Disable login message
+  file:
+    path: /etc/motd
+    state: absent

M roles/system/tasks/ssh.yml => roles/system/tasks/ssh.yml +3 -7

@@ 4,13 4,9 @@
     path: /etc/ssh/sshd_config
     regexp: "^#PasswordAuthentication yes"
     line: "PasswordAuthentication no"
-  register: sshd_config
-
-- name: Restart sshd
-  service:
-    name: sshd
-    state: restarted
-  when: sshd_config.changed
+    validate: 'sshd -T -f %s'
+    mode: 0644
+  notify: Restart sshd
 
 - name: Enable ssh on boot
   service:

A roles/system/tasks/user.yml => roles/system/tasks/user.yml +26 -0

@@ 0,0 1,26 @@
+---
+- name: Ensure all necessary groups are created
+  group:
+    name: "{{ item }}"
+  loop:
+    - docker
+    - "{{ username }}"
+
+- name: Ensure a non-root user is created
+  user:
+    name: "{{ username }}"
+    password: "{{ password | password_hash('sha512') }}"
+    groups:
+      - docker
+      - users
+      - wheel
+    append: yes
+    shell: "{{ shell }}"
+    update_password: on_create
+
+- name: Enable passwordless doas for "{{ username }}"
+  lineinfile:
+    path: /etc/doas.d/user.conf
+    regexp: "^permit nopass :wheel"
+    line: "permit nopass :wheel"
+    validate: "doas -C %s"