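---
# Ansible playbook to install stuff for a standard install with v-i.
# You should inspect the user_* variables at the end, and override
# them with "ansible_vars" in the system spec file. v-i sets the
# hostname variable automatically.
#
# File modes are quoted throughout: an unquoted 0600 is read by the
# YAML parser as a plain integer rather than the octal mode intended.
- hosts: image
  tasks:
    - name: "set /etc/hostname"
      copy:
        content: |
          {{ hostname }}
        dest: /etc/hostname

    - name: "lock root password"
      # No shell features are needed, so run the binary directly.
      command: passwd -l root
      when: passwordless_root is not defined or not passwordless_root

    - name: "remove root password"
      # Blanks root's password field directly in /etc/passwd (not in
      # /etc/shadow). Only runs when passwordless_root is true; the
      # vars block below defaults it to false.
      shell: |
        sed -i '/^root:[^:]*:/s//root::/' /etc/passwd
      when: passwordless_root

    - name: "create ~root/.ssh"
      when: user_pub is defined
      file:
        state: directory
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"

    - name: "set ~root/.ssh/authorized keys"
      when: user_pub is defined
      copy:
        content: |
          {{ user_pub }}
        dest: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "0600"

    - name: "install user CA public key"
      when: user_ca_pubkey is defined
      copy:
        content: |
          {{ user_ca_pubkey }}
        dest: /etc/ssh/user_ca_pubs

    - name: "restrict root logins over ssh to require a key"
      # Disables password authentication for every user; PermitRootLogin
      # itself is left at the image's default. The regexp is anchored so
      # that only a (possibly commented-out) PasswordAuthentication
      # directive at the start of a line is replaced, not a mention of
      # the word elsewhere in the file.
      # NOTE(review): sshd keeps the first value it reads for an option,
      # so a PasswordAuthentication line in an sshd_config.d/*.conf that
      # is included before this one would take precedence -- confirm
      # against the image's sshd_config.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#* *PasswordAuthentication'
        line: "PasswordAuthentication no"

    - name: "configure sshd to accept CA for users"
      when: user_ca_pubkey is defined
      copy:
        content: |
          TrustedUserCAKeys /etc/ssh/user_ca_pubs
        dest: /etc/ssh/sshd_config.d/user_ca.conf

    - name: "install host key"
      when: host_key is defined
      # host_key is the private host key: keep it out of task output
      # and --diff listings.
      no_log: true
      copy:
        content: |
          {{ host_key }}
        dest: /etc/ssh/ssh_host_key
        mode: "0600"

    - name: "install host cert"
      when: host_cert is defined
      copy:
        content: |
          {{ host_cert }}
        dest: /etc/ssh/ssh_host_key-cert.pub
        mode: "0644"

    - name: "configue sshd to use host cert"
      when: host_cert is defined
      copy:
        content: |
          HostKey /etc/ssh/ssh_host_key
          HostCertificate /etc/ssh/ssh_host_key-cert.pub
        dest: /etc/ssh/sshd_config.d/host_cert.conf

    - name: "configure keyboard layout"
      copy:
        content: |
          XKBMODEL="{{ user_keyboard_model }}"
          XKBLAYOUT="{{ user_keyboard_layout }}"
          XKBVARIANT=""
          XKBOPTIONS=""
          BACKSPACE="guess"
        dest: /etc/default/keyboard

    - name: "configure console"
      copy:
        content: |
          ACTIVE_CONSOLES="/dev/tty[1-6]"
          CHARMAP="UTF-8"
          CODESET="{{ user_console_codeset }}"
          FONTFACE="Fixed"
          FONTSIZE="8x16"
          VIDEOMODE=
        dest: /etc/default/console-setup

    - name: "set default locales for all users"
      copy:
        content: |
          {{ user_locale }}
        dest: /etc/profile.d/locale.sh

    - name: "remove ifupdown"
      apt:
        name: ifupdown
        state: absent

    - name: "configure networkd"
      copy:
        content: |
          [Match]
          Name=eth0
          [Network]
          DHCP=yes
        dest: /etc/systemd/network/external.network

    - name: "enable networkd"
      systemd:
        name: systemd-networkd
        # Canonical boolean; "yes" is a YAML 1.1 spelling that some
        # parsers and linters reject.
        enabled: true

  vars:
    ansible_python_interpreter: /usr/bin/python3
    # You may want to override these.
    user_locale: |
      export LC_CTYPE=fi_FI.UTF8
    user_keyboard_model: pc105
    user_keyboard_layout: fi
    user_console_codeset: Lat15
    passwordless_root: false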