Host Setup, User Setup, SSH Configuration

2025-06-23 13:10:20 -04:00 · 2025-06-23 13:10:20 -04:00 · 0402882891
commit 0402882891
parent 78bf4efed1
5 changed files with 116 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,23 @@
+# NibTech Shared Role - Host
+
+This role is intended to setup and maintain a host.
+
+## Tasks
+
+### Root Tasks
+
+The following tasks are run as the root user, and are generally only ran once.
+
+**Users**: Creates various user accounts used. This set of tasks requires the
+root user.
+
+**SSH**: Configures the SSH daemon and user setup. Hardens the SSH
+configuration, and adds user keys.
+
+**Packages**: Installs required packages
+
+### Deploy Tasks
+
+The following tasks are run as the deploy user, and are run on-demand.
+
+**Update**: Handles updating an existing host
--- a/files/nibtech-sshd.conf
+++ b/files/nibtech-sshd.conf
@ -0,0 +1,27 @@
+# Note that while many of these are the defaults, this file is loaded after
+# other drop-in configuration files, and so ensures that the defaults are still
+# the defaults.
+
+# Authentication
+#   Dis-allow password authentication [Default: yes]
+#   Dis-allow root login [Default: prohibit-password]
+#   Dis-allow empty password login attempts [Default: no]
+#   Disable keyboard-interactive authentication [Default: yes]
+PasswordAuthentication no
+PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+
+# Enable PAM ("If UsePAM is enabled, you will not be able to run sshd as a
+# non-root user" -- handy!) [Default: no]
+# WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems
+UsePAM yes
+
+# Disable X11 Forwarding [Default: no]
+X11Forwarding no
+
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# Restrict to only NibTech logins
+AllowGroups nibtech
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,20 @@
+# NibTech::Host::Tasks::main
+# This role does host setup
+# Role repository:
+---
+
+- name: Setup Users
+  ansible.builtin.include_tasks: users.yml
+  tags: ['users']
+
+- name: Setup SSH
+  ansible.builtin.include_tasks: ssh.yml
+  tags: ['ssh']
+
+- name: Setup Packages
+  ansible.builtin.include_tasks: packages.yml
+  tags: ['packages']
+
+- name: Perform System Update
+  ansible.builtin.include_tasks: update.yml
+  tags: ['update']
--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
@ -0,0 +1,18 @@
+# NibTech::Host::Tasks::ssh
+# This role does host setup
+# This task configures SSH
+# Role repository:
+---
+
+- name: Install SSH
+  ansible.builtin.package:
+    name: "openssh"
+    state: "present"
+
+- name: Add Custom SSHD Configuration File
+  ansible.builtin.copy:
+    src: "nibtech-sshd.conf"
+    dest: "/etc/ssh/sshd_config.d/90-nibtech.conf"
+    owner: "root"
+    group: "root"
+    mode: "0600"
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -0,0 +1,28 @@
+# NibTech::Host::Tasks::users
+# This role does host setup
+# This task configures users, groups, and permissions
+# Role repository:
+---
+
+- name: Configure Service Group
+  ansible.builtin.group:
+    name: "nibtech"
+    state: "present"
+
+- name: Configure Ansible Deploy User
+  ansible.builtin.user:
+    name: "nibtech-deploy"
+    system: true
+    group: "nibtech"
+    shell: "/bin/bash"
+    create_home: true
+    home: "/opt/ansible"
+
+- name: Configure NibTech Admin User
+  ansible.builtin.user:
+    name: "nibtech-admin"
+    append: true
+    groups: "['wheel','nibtech']"
+    shell: "/bin/bash"
+    create_home: true
+