Make systems production ready.

2023-09-06 10:07:16 +02:00 · 2023-09-06 10:07:16 +02:00 · 9d11c95794
commit 9d11c95794
parent b518b9a206
2 changed files with 29 additions and 0 deletions
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@ -36,6 +36,14 @@
    mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/

    rsyncsecret: Muster!
+    keys2deploy:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
+
    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
    nfs4: false
@ -60,6 +68,7 @@
    - lmn_vm
    - lmn_printer
    - kerberize
+    - lmn_security

  tasks:
    - name: Add local user 'virti' in the 'libvirt' group
--- a/roles/lmn_security/tasks/main.yml
+++ b/roles/lmn_security/tasks/main.yml
@ -0,0 +1,20 @@
+---
+- name: Deploy SSH keys
+  ansible.posix.authorized_key:
+    user: ansible
+    key: "{{ item }}"
+  loop: "{{ keys2deploy }}"
+
+- name: Allow sudo access without password
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers.d/95-lmn-ansible
+    line: 'ansible ALL=(root) NOPASSWD: ALL'
+    create: True
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Disable ansible user login
+  ansible.builtin.user:
+    name: ansible
+    password_lock: True