initial working commit

2026-03-20 03:18:57 +00:00 · 2022-10-16 18:54:37 -04:00
commit 1505e39da7
13 changed files with 396 additions and 0 deletions
--- a/roles/common/files/keys-default
+++ b/roles/common/files/keys-default
@@ -0,0 +1 @@
+# SSH public keys for all devices that will access the server.
--- a/roles/common/files/keys-mothershipbu
+++ b/roles/common/files/keys-mothershipbu
@@ -0,0 +1,2 @@
+# SSH public keys for all devices that will access the server.
+# Backup server needs to grant access to my primary VM host for ZFS snapshot replication, so this additional file is needed.
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart ssh service - Debian
+  ansible.builtin.systemd:
+    state: restarted
+    name: ssh
+    
+- name: restart ssh service - RedHat
+  ansible.builtin.systemd:
+    state: restarted
+    name: sshd
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+- name: get package facts
+  ansible.builtin.package_facts:
+
+- name: get service facts
+  service_facts:
+
+- name: add default ssh keys
+  authorized_key:
+    key: "{{ lookup('file', '{{ ssh_keyfile }}') }}"
+    user: "{{ remote_user }}"
+    state: present
+    exclusive: True
+  when: "'mothershipbu.lyon' not in inventory_hostname"
+
+- name: add default ssh keys - mothershipbu
+  authorized_key:
+    key: "{{ lookup('file', 'keys-mothershipbu') }}"
+    user: "{{ remote_user }}"
+    state: present
+    exclusive: True
+  when: "'mothershipbu.lyon' in inventory_hostname"
+
+- name: disable password ssh auth
+  ansible.builtin.lineinfile:
+    path: "/etc/ssh/sshd_config"
+    regexp: '^PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+    backrefs: yes
+  notify: restart ssh service - {{ ansible_distribution_file_variety }}
+
+- name: automatic security updates - debian
+  package: name=unattended-upgrades state=latest
+  when: ansible_distribution_file_variety == "Debian"
+
+- name: automatic security updates - redhat
+  package: name=dnf-automatic state=latest
+  when: ansible_distribution_file_variety == "RedHat"
+
+- name: configure automatic security updates step 01 - redhat
+  ansible.builtin.lineinfile:
+    path: "/etc/dnf/automatic.conf"
+    regexp: '^upgrade_type ='
+    line: 'upgrade_type = security'
+    backrefs: yes
+  when: ansible_distribution_file_variety == "RedHat"
+
+- name: configure automatic security updates step 02 - redhat
+  ansible.builtin.lineinfile:
+    path: "/etc/dnf/automatic.conf"
+    regexp: '^apply_updates ='
+    line: 'apply_updates = yes'
+    backrefs: yes
+  when: ansible_distribution_file_variety == "RedHat"
+  
+- name: enable and start dnf-automatic.timer - redhat
+  ansible.builtin.systemd:
+    state: started
+    enabled: yes
+    name: dnf-automatic.timer
+  when: ansible_distribution_file_variety == "RedHat"
				`@@ -0,0 +1 @@`
				`# SSH public keys for all devices that will access the server.`