From ef4aab6a5d670e9e857939aec31e4784bed48b8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20V=C3=B6lkel?=
Date: Tue, 18 Mar 2025 23:37:20 +0100
Subject: [PATCH] inital commit: add playbooks with roles to setup server and add user
---
 ansible.cfg | 4 +
 inventory/hosts.ini | 5 +
 playbooks/add_user.yml | 16 +++
 playbooks/setup_server.yml | 18 +++
 roles/create_user_with_root/handlers/main.yml | 8 ++
 roles/create_user_with_root/tasks/main.yml | 47 ++++++++
 roles/setup_server/defaults/main.yml | 4 +
 roles/setup_server/handlers/main.yml | 7 ++
 roles/setup_server/tasks/main.yml | 109 ++++++++++++++++++
 9 files changed, 218 insertions(+)
 create mode 100644 ansible.cfg
 create mode 100644 inventory/hosts.ini
 create mode 100644 playbooks/add_user.yml
 create mode 100644 playbooks/setup_server.yml
 create mode 100644 roles/create_user_with_root/handlers/main.yml
 create mode 100644 roles/create_user_with_root/tasks/main.yml
 create mode 100644 roles/setup_server/defaults/main.yml
 create mode 100644 roles/setup_server/handlers/main.yml
 create mode 100644 roles/setup_server/tasks/main.yml
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..ad15904
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = ./roles
+host_key_checking = False
\ No newline at end of file
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
new file mode 100644
index 0000000..50cae5e
--- /dev/null
+++ b/inventory/hosts.ini
@@ -0,0 +1,5 @@
+[almalinux]
+vps-root
+
+[almalinux-user]
+vps
diff --git a/playbooks/add_user.yml b/playbooks/add_user.yml
new file mode 100644
index 0000000..866e0f8
--- /dev/null
+++ b/playbooks/add_user.yml
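Review bot: `host_key_checking = False` in `[defaults]` switches off SSH host-key verification for every play run from this repository, so anyone able to sit between the operator and the VPS can impersonate the host and receive the root session plus the prompted user password and public key without any warning. Seed the host key once instead (`ssh-keyscan` into `~/.ssh/known_hosts`, or a `known_hosts` task in a bootstrap play) and drop this line from the committed config. If it is only needed for the very first contact with a freshly provisioned VPS, pass `ANSIBLE_HOST_KEY_CHECKING=False` on the command line for that one run rather than making it the permanent default.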
@@ -0,0 +1,16 @@
+---
+- name: Server setup with roles
+ hosts: almalinux-user
+ become: yes
+ vars_prompt:
+ - name: "username"
+ prompt: "Please enter the username to be created"
+ private: no # Der Benutzername wird sichtbar eingegeben
+ - name: "user_password"
+ prompt: "Please enter the password for the new user"
+ private: yes # Das Passwort wird versteckt eingegeben
+ - name: "ssh_public_key"
+ prompt: "Please enter the public key for shh of your pc"
+ private: no
+ roles:
+ - create_user_with_root
\ No newline at end of file
diff --git a/playbooks/setup_server.yml b/playbooks/setup_server.yml
new file mode 100644
index 0000000..72b9072
--- /dev/null
+++ b/playbooks/setup_server.yml
@@ -0,0 +1,18 @@
+---
+- name: Server setup with roles
+ hosts: almalinux # Hier verwenden wir die Gruppe 'almalinux' aus der hosts.ini
+ become: yes
+ vars_prompt:
+ - name: "username"
+ prompt: "Please enter the username to be created"
+ private: no # Der Benutzername wird sichtbar eingegeben
+ - name: "user_password"
+ prompt: "Please enter the password for the new user"
+ private: yes # Das Passwort wird versteckt eingegeben
+ - name: "ssh_public_key"
+ prompt: "Please enter the public key for shh of your pc"
+ private: no
+ roles:
+ # firewall
+ - create_user_with_root
+ # firewall
\ No newline at end of file
diff --git a/roles/create_user_with_root/handlers/main.yml b/roles/create_user_with_root/handlers/main.yml
new file mode 100644
index 0000000..bef2348
--- /dev/null
+++ b/roles/create_user_with_root/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# Handler zum Neustarten des SSH-Dienstes
+
+- name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ enabled: yes
\ No newline at end of file
diff --git a/roles/create_user_with_root/tasks/main.yml b/roles/create_user_with_root/tasks/main.yml
new file mode 100644
index 0000000..d7c3f45
--- /dev/null
+++ b/roles/create_user_with_root/tasks/main.yml
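Review bot: The `user_password` prompt has no `confirm: true`, so a mistyped password is hashed and stored silently and the new wheel user then cannot authenticate for `sudo` (and, where password SSH login is enabled, nobody can log in as that user either); add `confirm: true` beneath `private: yes`. The play name is copied from setup_server.yml — something like `- name: Add a sudo user to an already bootstrapped host` would say what this playbook actually does. Minor: `become: yes` / `private: no` are YAML 1.1 truthy spellings; `true`/`false` is what ansible-lint expects.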
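Review bot: This play is the one that targets the root-accessible `almalinux` group and is called "Server setup", but its `roles:` list applies only `create_user_with_root`; the `setup_server` role added in this same commit (firewalld, Docker) is never referenced anywhere, and the two `# firewall` lines are placeholders. Either add `- setup_server` after `- create_user_with_root` or remove the unused role. If both roles are meant to run in one play, note that both create the user and both edit `sshd_config`, so I would strip the user/sshd tasks out of `setup_server` and let it own only the firewall and Docker steps.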
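Review bot: The handler restarts sshd after a `sshd_config` edit that is never validated, so a bad config leaves the daemon down on a host where root login has just been turned off — a self-inflicted lockout. For a single directive change `state: reloaded` is sufficient and keeps the running daemon up if the reload is rejected, and the notifying `lineinfile` task should carry `validate: /usr/sbin/sshd -t -f %s` so this handler is only reached with a config sshd accepts. `enabled: yes` is also an odd responsibility for a restart handler; keep service enablement in a dedicated task.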
@@ -0,0 +1,47 @@
+
+- name: Erstelle einen neuen User mit Sudo-Rechten
+ user:
+ name: "{{ username }}"
+ password: "{{ user_password | password_hash('sha512') }}" # Das Passwort wird mit SHA-512 gehasht
+ state: present
+ shell: /bin/bash
+ groups: wheel # Gibt Sudo-Rechte
+ append: yes
+
+- name: Erstelle den SSH-Ordner für den neuen User
+ file:
+ path: "/home/{{ username }}/.ssh"
+ state: directory
+ mode: '0700'
+ owner: "{{ username }}"
+ group: "{{ username }}"
+
+- name: Setze die Berechtigungen für die authorized_keys-Datei
+ file:
+ path: "/home/{{ username }}/.ssh/authorized_keys"
+ state: touch
+ mode: '0600'
+ owner: "{{ username }}"
+ group: "{{ username }}"
+
+- name: Add public key to enable user ssh
+ lineinfile:
+ path: "/home/{{ username }}/.ssh/authorized_keys"
+ line: '{{ ssh_public_key }}'
+ state: present
+
+- name: Grant sudo privileges to the user
+ lineinfile:
+ path: /etc/sudoers
+ regexp: "^{{ username }} "
+ line: "{{ username }} ALL=(ALL) ALL"
+ validate: visudo -cf %s
+
+- name: Entferne den Root-SSH-Zugang
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin no'
+ state: present
+ notify:
+ - restart sshd
\ No newline at end of file
diff --git a/roles/setup_server/defaults/main.yml b/roles/setup_server/defaults/main.yml
new file mode 100644
index 0000000..c2e6879
--- /dev/null
+++ b/roles/setup_server/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# roles/setup_server/defaults/main.yml
+
+username: jan
diff --git a/roles/setup_server/handlers/main.yml b/roles/setup_server/handlers/main.yml
new file mode 100644
index 0000000..d1fe11d
--- /dev/null
+++ b/roles/setup_server/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# roles/setup_server/handlers/main.yml
+
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/roles/setup_server/tasks/main.yml b/roles/setup_server/tasks/main.yml
new file mode 100644
index 0000000..2517f66
--- /dev/null
+++ b/roles/setup_server/tasks/main.yml
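Review bot: The `PermitRootLogin no` edit is appended to `/etc/ssh/sshd_config` with no `validate:`, and on AlmaLinux 9 that file begins with `Include /etc/ssh/sshd_config.d/*.conf`; sshd keeps the first value it reads, so if a vendor or cloud-init drop-in sets `PermitRootLogin` the appended line never takes effect — check with `sshd -T | grep -i permitrootlogin` after a run. The role also leaves `PasswordAuthentication` alone, so with the image's usual default the new wheel user stays reachable by password even though a key is installed, and the prompted `ssh_public_key` is written verbatim by `lineinfile` with no format check. I would replace the touch/lineinfile pair with `authorized_key` (validates the key and fixes permissions), write the hardening as a drop-in that sorts before the vendor ones, and validate before notifying, enabling `PasswordAuthentication no` only once key login has been confirmed. The `/etc/sudoers` line is redundant with `groups: wheel` on AlmaLinux; if it stays, put it in `/etc/sudoers.d/{{ username }}` with `mode: "0440"` rather than editing the main file.

```yaml
- name: Add public key to enable user ssh
  authorized_key:
    user: "{{ username }}"
    key: "{{ ssh_public_key }}"
    state: present

# … unchanged: sudoers task …

- name: Disable root login (and password auth once key login is verified)
  copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
    mode: "0600"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - restart sshd
```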
@@ -0,0 +1,109 @@
+---
+# roles/setup_server/tasks/main.yml
+
+- name: Erstelle einen neuen User mit Sudo-Rechten
+ user:
+ name: "{{ username }}"
+ password: "{{ user_password | password_hash('sha512') }}" # Das Passwort wird mit SHA-512 gehasht
+ state: present
+ shell: /bin/bash
+ groups: wheel # Gibt Sudo-Rechte
+ append: yes
+
+- name: Erstelle den SSH-Ordner für den neuen User
+ file:
+ path: "/home/{{ username }}/.ssh"
+ state: directory
+ mode: '0700'
+ owner: "{{ username }}"
+ group: "{{ username }}"
+
+- name: Setze die Berechtigungen für die authorized_keys-Datei
+ file:
+ path: "/home/{{ username }}/.ssh/authorized_keys"
+ state: touch
+ mode: '0600'
+ owner: "{{ username }}"
+ group: "{{ username }}"
+
+- name: Entferne den Root-SSH-Zugang
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin no'
+ state: present
+ notify:
+ - restart sshd
+
+- name: Installiere firewalld
+ package:
+ name: firewalld
+ state: present
+
+- name: Starte und aktiviere firewalld
+ service:
+ name: firewalld
+ state: started
+ enabled: yes
+
+- name: Sperre alle Ports in firewalld
+ firewalld:
+ zone: public
+ service: ssh
+ permanent: yes
+ state: enabled
+
+# roles/setup_server/tasks/main.yml
+
+- name: Entferne alte Docker-Versionen, falls vorhanden
+ dnf:
+ name:
+ - docker
+ - docker-client
+ - docker-client-latest
+ - docker-common
+ - docker-latest
+ - docker-latest-logrotate
+ - docker-logrotate
+ - docker-engine
+ - podman
+ - runc
+ state: absent
+
+- name: Installiere DNF-Plugins und Docker-Repository
+ dnf:
+ name: dnf-plugins-core
+ state: present
+
+- name: Installiere Docker CE, CLI und andere Docker-Komponenten
+ dnf:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose-plugin
+ state: present
+
+- name: Aktiviere und starte Docker
+ service:
+ name: docker
+ state: started
+ enabled: yes
+
+- name: Füge den neuen User zur Docker-Gruppe hinzu
+ user:
+ name: "{{ 
username }}"
+ groups: docker
+ append: yes
+
+- name: Starte den Docker-Dienst neu, um Änderungen zu übernehmen
+ systemd:
+ name: docker
+ state: restarted
+
+- name: Deaktiviere Docker-Zone in firewalld
+ firewalld:
+ zone: docker
+ state: disabled
+ permanent: yes
\ No newline at end of file
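Review bot: This role touches `~/.ssh/authorized_keys` for the new user but, unlike `create_user_with_root`, never writes `ssh_public_key` into it, and it also disables root login — so after the play the only way in is a password login as the new user, if the image permits that at all; add an `authorized_key` task here, or drop the user/sshd tasks from this role and leave them to the other one. The "Docker-Repository" task only installs `dnf-plugins-core` and no repository is ever added, so `dnf` cannot resolve `docker-ce` on a stock AlmaLinux and the play fails at that step (before the sshd handler runs). Membership in `docker` is root-equivalent access (the daemon socket lets the user bind-mount `/` into a container) — acceptable for a personal VPS but worth a comment — and Docker's own iptables rules publish `-p` ports past the `public` zone, so "Sperre alle Ports" does not hold for containers. I also doubt the `firewalld` module accepts `zone: docker` with `state: disabled` and no service/port set, since zone-level operations take `present`/`absent`; please verify. `password_hash('sha512')` without a fixed salt produces a new hash on every run, so the user task is never idempotent — add `update_password: on_create` to it.

```yaml
- name: Install the public key for the new user
  authorized_key:
    user: "{{ username }}"
    key: "{{ ssh_public_key }}"
    state: present

# … unchanged: sshd_config edit, firewalld install/enable/ssh service, old-Docker removal …

- name: Add the Docker CE repository
  get_url:
    url: https://download.docker.com/linux/centos/docker-ce.repo
    dest: /etc/yum.repos.d/docker-ce.repo
    mode: "0644"

- name: Installiere Docker CE, CLI und andere Docker-Komponenten
```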