feat: initial commit

roles/system_baseline/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+system_baseline_admin_users:
+  - user: irl
+    comment: irl
+    ssh_public_key: "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJpoCJEax0XTNK6qfYfZV60euSwoc0RQ0bwFDQGMWYQnAAAABHNzaDo="
+system_baseline_admin_user_groups_debian:
+  - adm
+  - staff
+  - sudo
+  - systemd-journal
+system_baseline_retired_admin_users: []
+system_baseline_service_users: []

roles/system_baseline/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
+  become: true

roles/system_baseline/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: upgrade debian packages (apt)
+  ansible.builtin.apt:
+    upgrade: safe
+    cache_valid_time: 3600
+  become: true
+  when: ansible_distribution == 'Debian'
+
+- name: install system packages (dnf)
+  dnf:
+    name: "*"
+    state: latest
+    update_cache: true
+  become: true
+  when: ansible_distribution == 'AlmaLinux'
+
+- name: setup users
+  ansible.builtin.include_tasks:
+    file: users.yml
+
+- name: setup OpenSSH server
+  ansible.builtin.include_tasks:
+    file: sshd.yml
+
+- name: remove root authorised keys
+  ansible.builtin.file:
+    path: /root/.ssh/authorized_keys
+    state: absent
+  become: true

roles/system_baseline/tasks/sshd.yml

@@ -0,0 +1,24 @@
+---
+- name: sshd PermitRootLogin=no
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "^#?\\w*PermitRootLogin"
+    line: "PermitRootLogin no"
+    state: present
+  become: true
+  notify: "reload sshd"
+
+- name: sshd PasswordAuthentication=no
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "^#?\\w*PasswordAuthentication"
+    line: "PasswordAuthentication no"
+    state: present
+  become: true
+  notify: "reload sshd"
+
+- name: retrieve ssh host key
+  fetch:
+    src: "/etc/ssh/ssh_host_ed25519_key.pub"
+    dest: "files/ssh_host_keys/{{ inventory_hostname }}_ed25519.pub"
+    flat: yes

roles/system_baseline/tasks/users.yml

@@ -0,0 +1,74 @@
+---
+- name: create a group for admin users
+  ansible.builtin.group:
+    name: ops
+    state: present
+  become: true
+
+- name: create admin users
+  ansible.builtin.user:
+    name: "{{ item.user }}"
+    comment: "{{ item.comment | default(item.user) }}"
+    group: ops
+  with_items: "{{ system_baseline_admin_users }}"
+  become: true
+
+- name: remove retired admin users
+  ansible.builtin.user:
+    name: "{{ item }}"
+    state: absent
+  with_items: "{{ system_baseline_retired_admin_users }}"
+  become: true
+
+- name: additional groups for admin users (Debian only)
+  ansible.builtin.user:
+    name: "{{ item.user }}"
+    groups: "{{ system_baseline_admin_user_groups_debian }}"
+    append: true
+  with_items: "{{ system_baseline_admin_users }}"
+  become: true
+  when: ansible_distribution == 'Debian'
+
+- name: install SSH keys for admin users
+  ansible.posix.authorized_key:
+    user: "{{ item.user }}"
+    state: present
+    key: "{{ item.ssh_public_key }}"
+    exclusive: true
+  with_items: "{{ system_baseline_admin_users }}"
+  become: true
+
+- name: allow passwordless sudo for sudo group (Debian only)
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: "^#?\\w*%sudo "
+    line: "%sudo ALL=(ALL) NOPASSWD: ALL"
+    validate: "/usr/sbin/visudo -cf %s"
+  become: true
+  when: ansible_distribution == 'Debian'
+
+- name: create a group for service users
+  ansible.builtin.group:
+    name: services
+    state: present
+  become: true
+
+- name: create service users
+  ansible.builtin.user:
+    name: "{{ item.user }}"
+    comment: "{{ item.comment | default(item.user) }}"
+    group: services
+  with_items: "{{ system_baseline_service_users }}"
+  become: true
+
+- name: enable linger for service users
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/loginctl
+      - enable-linger
+      - "{{ item.user }}"
+    creates: "/var/lib/systemd/linger/{{ item.user }}"
+  when: "ansible_distribution == 'Debian' and (item.linger is not defined or item.linger)"
+  become: true
+  with_items: "{{ system_baseline_service_users }}"