
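---
# Generic Host Bootstrap Playbook
#
# This playbook sets up a user and hardens SSH on target hosts.
# Designed to be built with ansible-bundler.
#
# Usage:
#   ansible-playbook bootstrap.yml -i inventory -e @vars.yml
#
# Or with bundled version:
#   ./bootstrap.run -e user_name=operator -e user_pubkey="ssh-ed25519 AAAA..."
#
# Required variables:
#   - user_name: Username to create
#   - One of: user_pubkey, user_pubkey_file, user_pubkey_url
#     (the play fails early in pre_tasks if none of them is set)
#
# Optional variables (see roles/users/defaults/main.yml for full list):
#   - user_password: Password for the user
#   - user_sudo_enabled: Enable sudo (default: true)
#   - user_sudo_nopasswd: Passwordless sudo (default: true)
#   - ssh_server_ports: SSH port(s) (default: ["22"])
#   - ssh_permit_root_login: Allow root login (default: "no")
#   - ssh_server_password_login: Allow password authentication
#     (devsec.hardening.ssh_hardening variable, reported in the final summary)
#
- name: Bootstrap and harden host
  hosts: all
  gather_facts: true
  collections:
    - devsec.hardening
  vars:
    # User defaults (override via -e or vars file).
    user_name: "operator"
    # No default public key on purpose: the key to authorize must be supplied
    # per run (user_pubkey, user_pubkey_file or user_pubkey_url). A key baked
    # into the playbook would silently grant one fixed identity access to every
    # host bootstrapped without an explicit override.
    #
    # Include sshd_config.d for distro-specific configs.
    # NOTE(review): sshd keeps the first value it reads for most keywords, so
    # whether distro drop-ins can override the hardened settings depends on
    # where the role places this Include in the rendered sshd_config - verify
    # on a bootstrapped host (e.g. `sshd -T`) rather than assuming.
    sshd_custom_options:
      - "Include /etc/ssh/sshd_config.d/*"
    # Restrict SSH to the created user (set to empty string to allow all users).
    ssh_allow_users: "{{ user_name }}"
  pre_tasks:
    # Fail before any change is made if no key source was given; otherwise the
    # users role would create an account nobody can log in to (or, worse, one
    # that only a stale default key could reach).
    - name: Verify that a public key source was supplied
      ansible.builtin.assert:
        that:
          - >-
            (user_pubkey | default('')) != ''
            or (user_pubkey_file | default('')) != ''
            or (user_pubkey_url | default('')) != ''
        fail_msg: >-
          Set one of user_pubkey, user_pubkey_file or user_pubkey_url
          (e.g. -e user_pubkey='ssh-ed25519 AAAA...').
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
      become: true
      when: ansible_os_family == "Debian"
    - name: Ensure sudo is installed
      ansible.builtin.package:
        name: sudo
        state: present
      become: true
  roles:
    - role: users
      become: true
    - role: devsec.hardening.ssh_hardening
      become: true
  post_tasks:
    # Summary of the effective settings; values come from the role variables
    # as resolved for this play, not from a re-read of the host's sshd_config.
    - name: Display connection info
      ansible.builtin.debug:
        msg: |
          Host bootstrap complete!
          User '{{ user_name }}' has been created with SSH key authentication.
          SSH has been hardened with the following settings:
            - Root login: {{ ssh_permit_root_login }}
            - Password authentication: {{ ssh_server_password_login }}
            - Port(s): {{ ssh_server_ports | default(['22']) | join(', ') }}
          To connect: ssh {{ user_name }}@{{ ansible_host | default(inventory_hostname) }}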