From 9d11c957944b2c9a5beff8d6abd09befa98fee14 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Wed, 6 Sep 2023 10:07:16 +0200
Subject: [PATCH] Make systems production ready.

---
 lmn-desktop.yml | 9 +++++++++
 roles/lmn_security/tasks/main.yml | 20 ++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 roles/lmn_security/tasks/main.yml

diff --git a/lmn-desktop.yml b/lmn-desktop.yml
index b079a23..69a9c74 100644
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@@ -36,6 +36,14 @@
 mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
 rsyncsecret: Muster!
+ keys2deploy:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
+
 ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
 grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
 nfs4: false
@@ -60,6 +68,7 @@
 - lmn_vm
 - lmn_printer
 - kerberize
+ - lmn_security

 tasks:
 - name: Add local user 'virti' in the 'libvirt' group
diff --git a/roles/lmn_security/tasks/main.yml b/roles/lmn_security/tasks/main.yml
new file mode 100644
index 0000000..7ddb591
--- /dev/null
+++ b/roles/lmn_security/tasks/main.yml
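Review bot: The third entry in `keys2deploy` carries no comment field, so once the `lmn_security` role has installed it there is no way to tell from the authorized_keys file whose key it is; every key in this list should end with an identifying comment, because each holder ends up with passwordless root through the `ansible` user that the same commit configures. The list also deserves a comment stating that contract, e.g. above `keys2deploy:`: `## Public keys installed for the automation user 'ansible' (role lmn_security); every holder gets passwordless root via sudo, so keep one key per person, each with an identifying comment.` The mapping that holds these variables starts outside the hunk.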
@@ -0,0 +1,20 @@
+---
+- name: Deploy SSH keys
+ ansible.posix.authorized_key:
+ user: ansible
+ key: "{{ item }}"
+ loop: "{{ keys2deploy }}"
+
+- name: Allow sudo access without password
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers.d/95-lmn-ansible
+ line: 'ansible ALL=(root) NOPASSWD: ALL'
+ create: True
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: Disable ansible user login
+ ansible.builtin.user:
+ name: ansible
+ password_lock: True
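Review bot: The sudoers drop-in written by the lineinfile task is created with `mode: '0700'`, but sudo expects files under /etc/sudoers.d to be root-owned and mode 0440, and depending on the sudo version a file with extra permission bits is either warned about or rejected ("is mode 0700, should be 0440"), so the line should read `mode: '0440'`. Because a syntax error in any sudoers.d file makes sudo refuse to run for everyone on the host, the task should also pass `validate: '/usr/sbin/visudo -cf %s'` so the file is checked before it is moved into place. The last task's name, "Disable ansible user login", overstates what `password_lock: True` does: it only locks the password, and key-based SSH login with the keys deployed by the first task still works, which is presumably the intent here, so a name such as `Lock the ansible user's password (key-only login)` would say what actually happens. Finally, `create: True` and `password_lock: True` should be the lowercase `true` already used in lmn-desktop.yml (`nfs4: false`).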