From e0277109907d0c0c0bf4335c5cddbc3db836ac51 Mon Sep 17 00:00:00 2001
From: Jakob Meier
Date: Sun, 11 Jun 2023 16:22:31 +0200
Subject: [PATCH] Added Basic user setup

---
 .gitignore | 1 +
 README.org | 11 +++++++++++
 group_vars/all/vars.yml | 1 +
 roles/system/defaults/main.yml | 10 +++++++++-
 roles/system/handlers/main.yml | 5 +++++
 roles/system/tasks/shell.yml | 5 +++++
 roles/system/tasks/ssh.yml | 10 +++-------
 roles/system/tasks/user.yml | 26 ++++++++++++++++++++++++++
 8 files changed, 61 insertions(+), 8 deletions(-)
 create mode 100644 roles/system/handlers/main.yml
 create mode 100644 roles/system/tasks/user.yml

diff --git a/.gitignore b/.gitignore
index 1ba9c4b..f7f37f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 hosts.yml
+group_vars/all/secret.yml
diff --git a/README.org b/README.org
index deb7bdf..60c3ea4 100644
--- a/README.org
+++ b/README.org
@@ -1,2 +1,13 @@
 * ccw.icu infra
 Ansible Playbook I use to provision my Alpine Linux server
+
+* Requirements
+- ~ansible~
+
+* Running
+#+begin_src bash
+ansible-playbook run.yml -K --ask-vault-pass
+#+end_src
+
+* More
+- [[https://www.youtube.com/watch?v=Z7p9-m4cimg][Ansible IaC Deep Dive (Wolfang's Channel)]]
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 620236f..92554f8 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -5,3 +5,4 @@ base_packages:
 - exa
 - htop
 - doas
+shell: /bin/ash
diff --git a/roles/system/defaults/main.yml b/roles/system/defaults/main.yml
index 40ebff1..99b38f6 100644
--- a/roles/system/defaults/main.yml
+++ b/roles/system/defaults/main.yml
@@ -1,4 +1,12 @@
+# default username
 username: user
-packages:
+# default user password
+password: changeme
+# default user login shell
+shell: /bin/ash
+
+# List of default preinstalled packages
+base_packages:
 - pfetch
 - neovim
+ - doas
diff --git a/roles/system/handlers/main.yml b/roles/system/handlers/main.yml
new file mode 100644
index 0000000..0416cca
--- /dev/null
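Review bot: `password: changeme` in roles/system/defaults/main.yml is a live credential default: any run in which group_vars/all/secret.yml (now git-ignored) does not define `password` creates the account with that well-known password, because user.yml hashes whatever `password` holds and its `update_password: on_create` means a later run never corrects it. Prefer no default so the play fails fast on the undefined variable, e.g. `password: "{{ undef(hint='define password in group_vars/all/secret.yml') }}"` where the Ansible version provides `undef()`, or drop the key and guard the user task with an `assert`. The rename of `packages` to `base_packages` also needs every task that read `packages` to follow; no such task is in this diff, so that may live outside it.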
+++ b/roles/system/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/roles/system/tasks/shell.yml b/roles/system/tasks/shell.yml
index f3752c0..ee6d052 100644
--- a/roles/system/tasks/shell.yml
+++ b/roles/system/tasks/shell.yml
@@ -11,3 +11,8 @@
 create: true
 search_string: "^export EDITOR=neovim"
 line: "export EDITOR=nvim"
+
+- name: Disable login message
+ file:
+ path: /etc/motd
+ state: absent
diff --git a/roles/system/tasks/ssh.yml b/roles/system/tasks/ssh.yml
index 9301f50..5589a88 100644
--- a/roles/system/tasks/ssh.yml
+++ b/roles/system/tasks/ssh.yml
@@ -4,13 +4,9 @@
 path: /etc/ssh/sshd_config
 regexp: "^#PasswordAuthentication yes"
 line: "PasswordAuthentication no"
- register: sshd_config
-
-- name: Restart sshd
- service:
- name: sshd
- state: restarted
- when: sshd_config.changed
+ validate: 'sshd -T -f %s'
+ mode: 0644
+ notify: Restart sshd
 
 - name: Enable ssh on boot
 service:
diff --git a/roles/system/tasks/user.yml b/roles/system/tasks/user.yml
new file mode 100644
index 0000000..cb64846
--- /dev/null
+++ b/roles/system/tasks/user.yml
@@ -0,0 +1,26 @@
+---
+- name: Ensure all necessary groups are created
+ group:
+ name: "{{ item }}"
+ loop:
+ - docker
+ - "{{ username }}"
+
+- name: Ensure a non-root user is created
+ user:
+ name: "{{ username }}"
+ password: "{{ password | password_hash('sha512') }}"
+ groups:
+ - docker
+ - users
+ - wheel
+ append: yes
+ shell: "{{ shell }}"
+ update_password: on_create
+
+- name: Enable passwordless doas for "{{ username }}"
+ lineinfile:
+ path: /etc/doas.d/user.conf
+ regexp: "^permit nopass :wheel"
+ line: "permit nopass :wheel"
+ validate: "doas -C %s"
-- 
2.38.5
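Review bot: `mode: 0644` in roles/system/tasks/ssh.yml is an unquoted octal literal; a YAML 1.1 loader reads it as the integer 420, which happens to be the right permission here but is the classic leading-zero trap flagged by ansible-lint, so write `mode: "0644"`. Indentation is collapsed in this patch, so I cannot tell whether `notify: Restart sshd` sits at task level where the removed `register:` was or under `lineinfile:`; in the latter position Ansible rejects it as an unsupported module parameter, so worth a look. Separately, the unchanged `regexp: "^#PasswordAuthentication yes"` only matches the commented-out default: if sshd_config already carries an uncommented `PasswordAuthentication yes`, lineinfile appends the new line at the end, and since sshd honours the first occurrence of a keyword, password logins stay enabled while `sshd -T` validation still passes; `regexp: "^#?PasswordAuthentication"` covers both cases.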
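Review bot: `line: "permit nopass :wheel"` in roles/system/tasks/user.yml grants passwordless root to every member of wheel, not only `{{ username }}` as the task name suggests, and the same file also places the user in `docker`, which is root-equivalent on its own; if a single admin account is intended, scope the rule to it with `regexp: "^permit nopass {{ username }}"` and `line: "permit nopass {{ username }}"`, or use `permit persist :wheel` so a password is still requested once per session. `append: yes` should be `append: true` (`yes` is a YAML 1.1-only boolean and trips yamllint's truthy rule). The group task ensures `docker` and `{{ username }}` exist but `users`, also listed under `groups:`, is assumed to be present; that holds on a default Alpine install, but adding it to the loop keeps the task self-contained.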