add basic ansible playbook for alpine setup

2024-11-28 16:52:27 -03:00 · 2024-11-28 16:52:27 -03:00 · 79c8123c6f
commit 79c8123c6f
parent 8caf2e826e
7 changed files with 150 additions and 0 deletions
--- a/playbooks/setup/alpine.yaml
+++ b/playbooks/setup/alpine.yaml
@ -0,0 +1,101 @@
+- name: Setup an alpine machine
+  hosts: homelab
+  user: root
+  vars:
+    # alpine_version: v3.19
+    alpine_version: latest-stable
+    robo:
+      authorized_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPiEGbVaaSJq/9hGaou3gd6m4Jzyj4AIgCL5wGTxVz1"
+      allowed_commands:
+        - "docker ps"
+  vars_files:
+    ../../variables/secrets.yaml
+  tasks:
+    - name: Change login message
+      template:
+        src: ../../files/alpine/motd.j2
+        dest: /etc/motd
+        owner: root
+        group: root
+        mode: 0644
+        backup: yes
+
+    - name: Update repositories
+      template:
+        src: ../../files/alpine/repositories.j2
+        dest: /etc/apk/repositories
+        owner: root
+        group: root
+        mode: 0644
+        backup: yes
+
+    - name: Update all packages
+      command: /sbin/apk upgrade -U -a
+
+    - name: Be sure python is installed
+      command: /sbin/apk add python3
+      args:
+        creates: /usr/bin/python3
+
+    - name: Disable password authentication for SSH
+      become: true
+      notify: Restart sshd
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        state: present
+
+    - name: Allow users of the weel group to use doas command
+      become: true
+      ansible.builtin.lineinfile:
+        path: /etc/doas.conf
+        regexp: '^#\s*permit persist :wheel'
+        line: 'permit persist :wheel'
+        state: present
+
+    - name: Create a user group named docker
+      ansible.builtin.group:
+        name: docker
+
+    - name: Setup users
+      ansible.builtin.user:
+        state: present
+        name: aleidk
+        password: "{{ users.aleidk.password | password_hash('sha512') }}"
+        groups:
+          - wheel
+          - docker
+
+    - name: Create a user for executing remote commands
+      ansible.builtin.user:
+        name: robo
+        system: true
+        create_home: true
+        groups: nogroup
+        state: present
+
+    - name: Add SSH public key for robo user
+      ansible.posix.authorized_key:
+        user: robo
+        state: present
+        key: "{{ robo.authorized_key }}"
+        key_options: "command=\"{{ robo.allowed_commands | join('; ') }}\""
+
+    - name: Install packages
+      ansible.builtin.package:
+        state: present
+        name:
+          - docker
+
+    - name: Start docker service
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+
+  handlers:
+    - name: Restart sshd
+      ansible.builtin.service:
+        name: sshd
+        state: restarted