inital commit: add playbooks with roles to setup server and add user

ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = ./roles
+host_key_checking = False

inventory/hosts.ini

@@ -0,0 +1,5 @@
+[almalinux]
+vps-root
+
+[almalinux-user]
+vps

playbooks/add_user.yml

@@ -0,0 +1,16 @@
+---
+- name: Server setup with roles
+  hosts: almalinux-user
+  become: yes
+  vars_prompt:
+    - name: "username"
+      prompt: "Please enter the username to be created"
+      private: no  # Der Benutzername wird sichtbar eingegeben
+    - name: "user_password"
+      prompt: "Please enter the password for the new user"
+      private: yes  # Das Passwort wird versteckt eingegeben
+    - name: "ssh_public_key"
+      prompt: "Please enter the public key for shh of your pc"
+      private: no
+  roles:
+    - create_user_with_root

playbooks/setup_server.yml

@@ -0,0 +1,18 @@
+---
+- name: Server setup with roles
+  hosts: almalinux  # Hier verwenden wir die Gruppe 'almalinux' aus der hosts.ini
+  become: yes
+  vars_prompt:
+    - name: "username"
+      prompt: "Please enter the username to be created"
+      private: no  # Der Benutzername wird sichtbar eingegeben
+    - name: "user_password"
+      prompt: "Please enter the password for the new user"
+      private: yes  # Das Passwort wird versteckt eingegeben
+    - name: "ssh_public_key"
+      prompt: "Please enter the public key for shh of your pc"
+      private: no
+  roles:
+  # firewall
+    - create_user_with_root
+  # firewall

roles/create_user_with_root/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# Handler zum Neustarten des SSH-Dienstes
+
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
+    enabled: yes

roles/create_user_with_root/tasks/main.yml

@@ -0,0 +1,47 @@
+
+- name: Erstelle einen neuen User mit Sudo-Rechten
+  user:
+    name: "{{ username }}"
+    password: "{{ user_password | password_hash('sha512') }}"  # Das Passwort wird mit SHA-512 gehasht
+    state: present
+    shell: /bin/bash
+    groups: wheel  # Gibt Sudo-Rechte
+    append: yes
+
+- name: Erstelle den SSH-Ordner für den neuen User
+  file:
+    path: "/home/{{ username }}/.ssh"
+    state: directory
+    mode: '0700'
+    owner: "{{ username }}"
+    group: "{{ username }}"
+
+- name: Setze die Berechtigungen für die authorized_keys-Datei
+  file:
+    path: "/home/{{ username }}/.ssh/authorized_keys"
+    state: touch
+    mode: '0600'
+    owner: "{{ username }}"
+    group: "{{ username }}"
+
+- name: Add public key to enable user ssh
+  lineinfile:
+    path: "/home/{{ username }}/.ssh/authorized_keys"
+    line: '{{ ssh_public_key }}'
+    state: present
+  
+- name: Grant sudo privileges to the user
+  lineinfile:
+    path: /etc/sudoers
+    regexp: "^{{ username }} "
+    line: "{{ username }} ALL=(ALL) ALL"
+    validate: visudo -cf %s
+
+- name: Entferne den Root-SSH-Zugang
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    line: 'PermitRootLogin no'
+    state: present
+  notify:
+    - restart sshd

roles/setup_server/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# roles/setup_server/defaults/main.yml
+
+username: jan

roles/setup_server/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# roles/setup_server/handlers/main.yml
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted

roles/setup_server/tasks/main.yml

@@ -0,0 +1,109 @@
+---
+# roles/setup_server/tasks/main.yml
+
+- name: Erstelle einen neuen User mit Sudo-Rechten
+  user:
+    name: "{{ username }}"
+    password: "{{ user_password | password_hash('sha512') }}"  # Das Passwort wird mit SHA-512 gehasht
+    state: present
+    shell: /bin/bash
+    groups: wheel  # Gibt Sudo-Rechte
+    append: yes
+
+- name: Erstelle den SSH-Ordner für den neuen User
+  file:
+    path: "/home/{{ username }}/.ssh"
+    state: directory
+    mode: '0700'
+    owner: "{{ username }}"
+    group: "{{ username }}"
+
+- name: Setze die Berechtigungen für die authorized_keys-Datei
+  file:
+    path: "/home/{{ username }}/.ssh/authorized_keys"
+    state: touch
+    mode: '0600'
+    owner: "{{ username }}"
+    group: "{{ username }}"
+
+- name: Entferne den Root-SSH-Zugang
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    line: 'PermitRootLogin no'
+    state: present
+  notify:
+    - restart sshd
+
+- name: Installiere firewalld
+  package:
+    name: firewalld
+    state: present
+
+- name: Starte und aktiviere firewalld
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: Sperre alle Ports in firewalld
+  firewalld:
+    zone: public
+    service: ssh
+    permanent: yes
+    state: enabled
+
+# roles/setup_server/tasks/main.yml
+
+- name: Entferne alte Docker-Versionen, falls vorhanden
+  dnf:
+    name:
+      - docker
+      - docker-client
+      - docker-client-latest
+      - docker-common
+      - docker-latest
+      - docker-latest-logrotate
+      - docker-logrotate
+      - docker-engine
+      - podman
+      - runc
+    state: absent
+
+- name: Installiere DNF-Plugins und Docker-Repository
+  dnf:
+    name: dnf-plugins-core
+    state: present
+
+- name: Installiere Docker CE, CLI und andere Docker-Komponenten
+  dnf:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+    state: present
+
+- name: Aktiviere und starte Docker
+  service:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Füge den neuen User zur Docker-Gruppe hinzu
+  user:
+    name: "{{ username }}"
+    groups: docker
+    append: yes
+
+- name: Starte den Docker-Dienst neu, um Änderungen zu übernehmen
+  systemd:
+    name: docker
+    state: restarted
+
+- name: Deaktiviere Docker-Zone in firewalld
+  firewalld:
+    zone: docker
+    state: disabled
+    permanent: yes