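---
# Base playbook: applied to ALL VMs
#  - system update
#  - creation of the Elewyn admin user
#  - SSH hardening
#  - qemu-guest-agent installation (Proxmox integration)
#  - utility packages
#
# Required variables:
#   admin_user            -- login name of the admin account (also its primary group)
#   vault_admin_password  -- clear-text password for admin_user (from ansible-vault)
# Optional:
#   admin_ssh_pubkey_file -- controller-side path of the public key to authorize
#                            (default: ~/.ssh/homelab.pub)
#
# Ordering matters: the admin user and its key are created BEFORE password
# authentication and root login are disabled, so a failed key deployment
# fails the play before we lose our way back into the host.

- name: Configuration de base des VMs
  hosts: all
  become: true

  tasks:
    # -- System update --
    # NOTE(review): `state: latest` on "*" also pulls in new kernels; nothing in
    # this play reboots the host, so a kernel update only takes effect at the
    # next reboot.
    - name: Mise a jour des paquets
      ansible.builtin.dnf:
        name: "*"
        state: latest
        update_cache: true
      tags: [update]

    # -- Base packages --
    - name: Installation des paquets utilitaires
      ansible.builtin.dnf:
        name:
          - qemu-guest-agent
          - vim
          - curl
          - wget
          - tar
          - nfs-utils
          - bash-completion
          - python3
        state: present
      tags: [packages]

    - name: Activation qemu-guest-agent
      ansible.builtin.systemd:
        name: qemu-guest-agent
        state: started
        enabled: true
      tags: [packages]

    # -- Elewyn admin user --
    - name: Creation du groupe {{ admin_user }}
      ansible.builtin.group:
        name: "{{ admin_user }}"
        state: present
      tags: [users]

    # password_hash() draws a fresh random salt on every run, so the hash differs
    # each time: without `update_password: on_create` this task reports "changed"
    # and rewrites /etc/shadow on every play. The password is therefore set only
    # when the account is created; rotating it later needs a dedicated task (or
    # a fixed, vaulted salt passed as the second argument of password_hash).
    - name: Creation de l'utilisateur {{ admin_user }}
      ansible.builtin.user:
        name: "{{ admin_user }}"
        group: "{{ admin_user }}"
        groups: wheel
        append: true  # keep groups granted by other plays instead of resetting to wheel only
        shell: /bin/bash
        create_home: true
        password: "{{ vault_admin_password | password_hash('sha512') }}"
        update_password: on_create
        state: present
      tags: [users]

    # The public key is read on the CONTROLLER (lookup runs locally), not on the
    # target. Override admin_ssh_pubkey_file to use another key.
    - name: Cle SSH pour {{ admin_user }}
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', admin_ssh_pubkey_file | default('~/.ssh/homelab.pub')) }}"
        state: present
      tags: [users]

    # Passwordless sudo for wheel. On stock Rocky images the NOPASSWD variant is
    # shipped commented out (only "%wheel ALL=(ALL) ALL", with password, is
    # active -- confirm on your image), so this drop-in is what actually grants
    # it. Trade-off: whoever holds the SSH key above is root with no second
    # factor; scope the line to the admin user instead of %wheel if other
    # accounts end up in wheel. Ownership is pinned to root and the file is
    # validated with visudo so a malformed drop-in never breaks sudo.
    - name: Sudo sans mot de passe pour wheel
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/wheel-nopasswd
        line: "%wheel ALL=(ALL) NOPASSWD: ALL"
        create: true
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"
      tags: [users]

    # -- SSH hardening --
    # Both directives are edited in /etc/ssh/sshd_config AND written to a
    # drop-in. On OpenSSH >= 8.2 (Rocky 9) the stock sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
    # sees, so a vendor or cloud-init drop-in setting PasswordAuthentication yes
    # or PermitRootLogin yes would silently override the main file. A
    # low-numbered drop-in sorts before them. On hosts without sshd_config.d
    # (older OpenSSH) the main-file edit alone applies. Every write is checked
    # with "sshd -t" so a malformed config is never installed.
    - name: Desactiver l'authentification par mot de passe SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\b'
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [ssh]

    - name: Desactiver le login root SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\b'
        line: "PermitRootLogin no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [ssh]

    - name: Verifier la presence de sshd_config.d
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: sshd_config_d
      tags: [ssh]

    - name: Forcer le durcissement SSH via un drop-in prioritaire
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf
        content: |
          # Managed by Ansible - sorts before vendor drop-ins; sshd keeps the first value.
          PasswordAuthentication no
          PermitRootLogin no
        owner: root
        group: root
        mode: "0600"
        validate: "/usr/sbin/sshd -t -f %s"
      when: sshd_config_d.stat.exists and sshd_config_d.stat.isdir
      notify: restart sshd
      tags: [ssh]

    # -- Firewalld --
    # The default zone on Rocky keeps the ssh service open, so enabling
    # firewalld here does not cut the session used by this play (confirm if
    # the image ships a custom default zone).
    - name: Installation firewalld
      ansible.builtin.dnf:
        name: firewalld
        state: present
      tags: [firewall]

    - name: Activer firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: started
        enabled: true
      tags: [firewall]

  handlers:
    # Runs once at the end of the play, after all SSH edits. Established
    # sessions (including the one running this play) survive the restart;
    # only new logins use the hardened config.
    - name: restart sshd
      ansible.builtin.systemd:
        name: sshd
        state: restarted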