homelab/playbooks/setup/alpine.yaml


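---
# Bootstrap an Alpine Linux host from the `homelab` inventory group:
# MOTD and apk repository templates, full package upgrade, sshd and doas
# hardening, the interactive `aleidk` user, the command-restricted `robo`
# user and the Docker daemon. `users.aleidk.password` is read from the
# secrets vars file, never from this playbook.
- name: Setup an alpine machine
  hosts: homelab
  remote_user: root  # canonical spelling of the play-level `user` keyword
  vars:
    # Pin a release (e.g. "v3.19") here instead of tracking latest-stable
    # when reproducible images matter.
    # alpine_version: v3.19
    alpine_version: latest-stable
    robo:
      # Public half only; the private key is not part of this repository.
      authorized_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPiEGbVaaSJq/9hGaou3gd6m4Jzyj4AIgCL5wGTxVz1"
      # Joined with '; ' into a forced `command=` option below, so every entry
      # runs on each login. Keep this to read-only, non-interactive commands.
      allowed_commands:
        - "docker ps"
  vars_files:
    - ../../variables/secrets.yaml
  tasks:
    - name: Change login message
      ansible.builtin.template:
        src: ../../files/alpine/motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: "0644"  # quoted: a bare 0644 is the YAML 1.1 octal int 420
        backup: true

    - name: Update repositories
      ansible.builtin.template:
        src: ../../files/alpine/repositories.j2
        dest: /etc/apk/repositories
        owner: root
        group: root
        mode: "0644"
        backup: true

    # -U refreshes the index, -a upgrades every installed package. This is
    # not idempotent: the task reports "changed" on every run.
    - name: Update all packages
      ansible.builtin.command: /sbin/apk upgrade -U -a

    # NOTE(review): the template/command tasks above already need a Python
    # interpreter on the target, so this task only acts as a guard on hosts
    # where python3 is present anyway; bootstrapping a python-less host would
    # need `raw` before fact gathering.
    - name: Be sure python is installed
      ansible.builtin.command: /sbin/apk add python3
      args:
        creates: /usr/bin/python3

    - name: Disable password authentication for SSH
      become: true
      notify: Restart sshd
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        # Reject the edit if sshd cannot parse the result, so a broken config
        # is never installed and the handler never restarts into lockout.
        validate: /usr/sbin/sshd -t -f %s

    - name: Allow users of the wheel group to use doas command
      become: true
      ansible.builtin.lineinfile:
        path: /etc/doas.conf
        # `#?` matches both the commented stock line and an already-enabled
        # one, mirroring the sshd task, so reruns rewrite in place instead of
        # relying on an exact-line match.
        regexp: '^#?\s*permit persist :wheel'
        line: 'permit persist :wheel'
        state: present

    - name: Create a user group named docker
      ansible.builtin.group:
        name: docker

    # password_hash() without a fixed salt produces a new hash on every run,
    # so this task always reports "changed"; pass a salt or set
    # `update_password: on_create` if idempotence is wanted.
    - name: Setup users
      ansible.builtin.user:
        state: present
        name: aleidk
        password: "{{ users.aleidk.password | password_hash('sha512') }}"
        groups:
          - wheel
          - docker

    # Service account for remote automation; create_home is required so the
    # authorized_keys file below has a place to live.
    - name: Create a user for executing remote commands
      ansible.builtin.user:
        name: robo
        system: true
        create_home: true
        groups: nogroup
        state: present

    - name: Add SSH public key for robo user
      ansible.posix.authorized_key:
        user: robo
        state: present
        key: "{{ robo.authorized_key }}"
        # A forced command alone still permits TCP/agent/X11 forwarding and a
        # pty over the session; the extra options close those side channels.
        key_options: "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command=\"{{ robo.allowed_commands | join('; ') }}\""

    - name: Install packages
      ansible.builtin.package:
        state: present
        name:
          - docker

    - name: Start docker service
      ansible.builtin.service:
        name: docker
        state: started
        enabled: true

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted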