# Host Bootstrap Bundle

Ansible playbook for bootstrapping new servers with a secure user and hardened SSH configuration. Designed to be built with [ansible-bundler](https://pypi.org/project/ansible-bundler/) and distributed via CI/CD.

## Features

- Creates a user with SSH key authentication
- Configures passwordless sudo (optional)
- Hardens SSH with secure defaults (no root login, no password auth)
- Works with Debian, Ubuntu, RHEL/CentOS, Arch Linux

## Usage

### Direct with Ansible

```bash
ansible-playbook bootstrap.yml -i "host," -e user_name=operator \
  -e 'user_pubkey="ssh-ed25519 AAAA..."'
```

### With Bundled Version

```bash
# Download and verify
curl -fsSL https://your-server/bootstrap.run -o /tmp/bootstrap.run
curl -fsSL https://your-server/bootstrap.run.sha256 -o /tmp/bootstrap.run.sha256
cd /tmp && sha256sum -c bootstrap.run.sha256

# Run
chmod +x /tmp/bootstrap.run
./bootstrap.run -e user_name=operator \
  -e 'user_pubkey="ssh-ed25519 AAAA..."' \
  -e user_password=changeme
```

Pass `-f` to curl: without it an HTTP error page is saved as the bundle and only the checksum step catches it. Note also that the `.sha256` file is fetched from the same server as the bundle, so `sha256sum -c` detects a corrupted or truncated download, not a substituted one. To protect against a compromised or impersonated server, compare the bundle against the digest recorded in the CI build output (or a signed copy of it) rather than a file served next to the bundle.

Every `-e` value, `user_password` included, ends up in your shell history and is visible in `ps` while the bundle runs. With key-only SSH and passwordless sudo the password is usually unnecessary, so leave it out unless you need console login.

## Variables

### Required

| Variable | Description |
|----------|-------------|
| `user_name` | Username to create |
| `user_pubkey` | SSH public key (or use `user_pubkey_file` / `user_pubkey_url`) |

### Optional

| Variable | Default | Description |
|----------|---------|-------------|
| `user_password` | - | Password for the user |
| `user_shell` | `/bin/bash` | User's login shell |
| `user_home` | `/home/{user}` | Home directory |
| `user_sudo_enabled` | `true` | Enable sudo access |
| `user_sudo_nopasswd` | `true` | Passwordless sudo |
| `user_pubkey_exclusive` | `true` | Replace existing `authorized_keys` with `user_pubkey` only |
| `ssh_server_ports` | `["22"]` | SSH port(s) |
| `ssh_permit_root_login` | `"no"` | Value for sshd `PermitRootLogin` |
| `ssh_allow_users` | - | Restrict SSH logins to the listed users |

See `bootstrap.example.yml` for all options.

A few of these defaults can lock you out of a host you can only reach over SSH. Once the playbook has run, root login and password authentication are off, so the new user's key is the only way in: double-check `user_pubkey` before running, remember that `user_pubkey_exclusive: true` discards any keys already in that user's `authorized_keys`, and if you set `ssh_allow_users`, include the new user. Keep your current session open until a fresh login with the new key succeeds. With `user_sudo_nopasswd: true` the SSH key alone grants root; set it to `false` and supply `user_password` if you want privilege escalation to require a second secret.
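The download-and-verify steps above, as an added example that is not part of the project: a small bash script that fetches the bundle with curl, compares it against a SHA-256 digest obtained out of band (for instance copied from the CI build log), and only installs it if the digest matches. The URL and digest are placeholders; `verify_sha256` works on any file and is the check you would run against the digest that the build step records.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: fetch the bundle and verify it
# against a digest supplied out of band, failing closed on any error.
# The URL and digest used below are placeholders.
set -eu

# Print the hex SHA-256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# Case-insensitive; a missing file or an empty digest is rejected, so a blank
# value from a misconfigured pipeline cannot pass the check.
verify_sha256() {
    local file=$1 expected=${2:-}
    if [ -z "$expected" ] || [ ! -f "$file" ]; then
        return 1
    fi
    local actual
    actual=$(sha256_of "$file")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# fetch_bundle URL DEST EXPECTED_HEX: download, verify, then install.
# -f makes curl fail on HTTP errors instead of saving an error page as the
# bundle; --proto '=https' refuses a redirect to plain http. The download goes
# to a temp file and is only moved into place after it verifies.
fetch_bundle() {
    local url=$1 dest=$2 expected=$3 tmp
    tmp=$(mktemp "${dest}.XXXXXX")
    if ! curl -fsSL --proto '=https' "$url" -o "$tmp"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "digest mismatch for $url" >&2; return 1
    fi
    chmod 0755 "$tmp" && mv "$tmp" "$dest"
}

# Usage (placeholders). BUNDLE_SHA256 is pasted from the CI build output,
# not downloaded from the same server as the bundle:
#   BUNDLE_SHA256=<hex digest from CI>
#   fetch_bundle https://your-server/bootstrap.run /tmp/bootstrap.run "$BUNDLE_SHA256"
#   /tmp/bootstrap.run -e user_name=operator -e 'user_pubkey="ssh-ed25519 AAAA..."'
```

The temp-file-then-move pattern matters on a host where several people may be bootstrapping at once: nothing executable appears at the destination path until the digest has been checked.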
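Once the playbook has run, the hardening it promises is worth checking on the host rather than assumed. The following added example (not part of the project) parses the output of `sshd -T`, which prints the effective configuration after all includes and `Match` blocks have been applied, and fails if any of the README's default settings is not in effect. The list of expected values and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: verify the effective sshd
# configuration after bootstrap by checking `sshd -T` output.
set -eu

# Expected effective values; keys are lowercase as `sshd -T` prints them.
# These mirror the README defaults (PermitRootLogin "no", password auth off);
# adjust the list to your own policy.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no'

# check_sshd_config FILE -> 0 when every expected key has the expected value,
# 1 otherwise; each deviation is reported on stderr.
check_sshd_config() {
    local file=$1 key want got failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # Take the last occurrence of the key if it appears more than once.
        got=$(awk -v k="$key" '$1==k {v=$2} END {print v}' "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of what a stock distribution sshd reports (not captured
# from a real host): root login still allowed with a key, passwords still on.
SAMPLE_DEFAULT='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no'

demo() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_DEFAULT" > "$f"
    if check_sshd_config "$f"; then
        echo "sample config: hardened"
    else
        echo "sample config: NOT hardened"
    fi
    rm -f "$f"
}
demo

# On the target host (as root, since sshd -T reads the host keys):
#   sshd -T > /tmp/sshd-effective.txt && check_sshd_config /tmp/sshd-effective.txt
```

Checking `sshd -T` rather than grepping `/etc/ssh/sshd_config` is deliberate: on Debian and Ubuntu the directory `sshd_config.d/` is included before the main file and a stray drop-in there silently wins over the values the playbook wrote.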
## Building

```bash
pip install ansible ansible-bundler
ansible-bundler bootstrap.yml -o bootstrap.run
sha256sum bootstrap.run > bootstrap.run.sha256
```

## CI/CD

The included Gitea Actions workflow (`.gitea/workflows/build.yml`) automatically builds and publishes the bundle on push to `main`.

Required secret: `DEPLOY_TOKEN`, a Gitea token with the `write:package` scope.

Anyone who can push to `main` or who holds `DEPLOY_TOKEN` can publish a bundle that new hosts will execute with root privileges, so protect the branch and issue the token with that single scope and nothing more.

## License

MIT