add basic ansible playbook for alpine setup

.gitignore

@@ -204,3 +204,4 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 
+.decrypt-pass.txt

.justfile

@@ -0,0 +1,18 @@
+export ANSIBLE_VAULT_PASSWORD_FILE := "./.decrypt-pass.txt"
+
+inventory := "./hosts/inventory.ini"
+
+play +ARGS:
+  ansible-playbook -i {{ inventory }} {{ ARGS }}
+
+ansible +ARGS:
+  ansible -i {{ inventory }} {{ ARGS }}
+
+list-host:
+  ansible-inventory -i {{ inventory }} --list
+
+encrypt +ARGS:
+  ansible-valut encrypt {{ ARGS }}
+
+decrypt +ARGS:
+  ansible-vault edit {{ ARGS }}

files/alpine/motd.j2

@@ -0,0 +1,15 @@
+
+                      This system is managed by Ansible.
+              _    _       _              _     _
+             / \  | |_ __ (_)_ __   ___  | |   (_)_ __  _   ___  __
+            / _ \ | | '_ \| | '_ \ / _ \ | |   | | '_ \| | | \ \/ /
+           / ___ \| | |_) | | | | |  __/ | |___| | | | | |_| |>  <
+          /_/   \_\_| .__/|_|_| |_|\___| |_____|_|_| |_|\__,_/_/\_\
+                    |_|
+
+          OS          : {{ ansible_distribution }} {{ ansible_distribution_version }}
+          Hostname    : {{ ansible_hostname }}
+          IP address  : {{ ansible_eth0.ipv4.address }}
+          System type : {{ ansible_system }}
+          Kernel      : {{ ansible_kernel }}
+

files/alpine/repositories.j2

@@ -0,0 +1,4 @@
+https://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/main
+https://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/community
+http://elmirror.cl/alpine/{{ alpine_version }}/main
+http://elmirror.cl/alpine/{{ alpine_version }}/community

hosts/inventory.ini

@@ -0,0 +1,2 @@
+[homelab]
+10.0.10.50

playbooks/setup/alpine.yaml

@@ -0,0 +1,101 @@
+- name: Setup an alpine machine
+  hosts: homelab
+  user: root
+  vars:
+    # alpine_version: v3.19
+    alpine_version: latest-stable
+    robo:
+      authorized_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPiEGbVaaSJq/9hGaou3gd6m4Jzyj4AIgCL5wGTxVz1"
+      allowed_commands:
+        - "docker ps"
+  vars_files:
+    ../../variables/secrets.yaml
+  tasks:
+    - name: Change login message
+      template:
+        src: ../../files/alpine/motd.j2
+        dest: /etc/motd
+        owner: root
+        group: root
+        mode: 0644
+        backup: yes
+
+    - name: Update repositories
+      template:
+        src: ../../files/alpine/repositories.j2
+        dest: /etc/apk/repositories
+        owner: root
+        group: root
+        mode: 0644
+        backup: yes
+
+    - name: Update all packages
+      command: /sbin/apk upgrade -U -a
+
+    - name: Be sure python is installed
+      command: /sbin/apk add python3
+      args:
+        creates: /usr/bin/python3
+
+    - name: Disable password authentication for SSH
+      become: true
+      notify: Restart sshd
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        state: present
+
+    - name: Allow users of the weel group to use doas command
+      become: true
+      ansible.builtin.lineinfile:
+        path: /etc/doas.conf
+        regexp: '^#\s*permit persist :wheel'
+        line: 'permit persist :wheel'
+        state: present
+
+    - name: Create a user group named docker
+      ansible.builtin.group:
+        name: docker
+
+    - name: Setup users
+      ansible.builtin.user:
+        state: present
+        name: aleidk
+        password: "{{ users.aleidk.password | password_hash('sha512') }}"
+        groups:
+          - wheel
+          - docker
+
+    - name: Create a user for executing remote commands
+      ansible.builtin.user:
+        name: robo
+        system: true
+        create_home: true
+        groups: nogroup
+        state: present
+
+    - name: Add SSH public key for robo user
+      ansible.posix.authorized_key:
+        user: robo
+        state: present
+        key: "{{ robo.authorized_key }}"
+        key_options: "command=\"{{ robo.allowed_commands | join('; ') }}\""
+
+    - name: Install packages
+      ansible.builtin.package:
+        state: present
+        name:
+          - docker
+
+    - name: Start docker service
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+
+  handlers:
+    - name: Restart sshd
+      ansible.builtin.service:
+        name: sshd
+        state: restarted

variables/secrets.yaml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62343433336464323761613330643861353862393130383631306536366639323233663233623735
+3131393037626664333235623764353939613835313030330a346133636334323132623536663830
+65386432383562343738333137386564653963396537653435613566326463356131316437393537
+3239353134323261340a306234393263383331396430396666376337343161313232396566343933
+39356161346439663764663763346666653933316537306336383339626136326639343564613231
+34343730326166356433336266643532393037653363356334383630646335313162366237343234
+34353933383365636662343364303366633662316430646536323861356163383039346234663239
+62376366373864373336