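---
# Base host setup: users, sudo, packages, firewall and SSH hardening.
# Roles run after pre_tasks and in the order listed below, so the "bot"
# user and its sudoers entry exist before ssh_hardening touches sshd.
- name: Initial host setup
  hosts: all
  #! Need first setup with root access user
  become: true

  vars:
    # os_remove_additional_root_users: false

    #* USERS
    users:
      - username: bot
        name: bot user
        # groups: ['wheel','systemd-journal']
        # uid: 1000
        home: /home/bot
        # profile: |
        #   alias ll='ls -lah'
        ssh_key:
          # - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFof5AdYrrwtMsxSWB8KW04/s3hl5rrHzF0zhk7zK5dF"
      # - username: dbtest
      #   name: dbtest user
      #   groups: ['wheel','systemd-journal']
      #   uid: 1000

    sudo_sudoers_files:
      # Passwordless sudo for every command: holding the "bot" key above is
      # equivalent to root on these hosts, so that key is the whole gate.
      - path: /etc/sudoers.d/bot
        user_specifications:
          - users:
              - bot
            hosts:
              - ALL
            operators:
              - ALL
            commands:
              - "NOPASSWD: ALL"
      # - path: /etc/sudoers.d/orbstack
      #   user_specifications:
      #     - users:
      #         - stephanegratias
      #       hosts:
      #         - ALL
      #       operators:
      #         - ALL
      #       commands:
      #         - "NOPASSWD: ALL"

    #* PACKAGES
    package_repo:
      - python3-pip
      - podman
      - lsof
    # package_pip:
    #   - python3-libsemanage

    #* FIREWALL
    # Quoted so every entry stays a string. 22 = ssh, 6443 = k0s API (see the
    # launch notes at the bottom), 80/443 = web; 6881 is not explained in this
    # file — TODO confirm what listens there before keeping it open.
    firewall_allowed_tcp_ports:
      - "22"
      - "6443"
      - "80"
      - "443"
      - "6881"

  pre_tasks:
    - name: Refresh apt cache
      ansible.builtin.apt:
        update_cache: true

    - name: Upgrade all installed packages
      ansible.builtin.apt:
        name: "*"
        state: latest

    # Kept from the original; overlaps with the step above — TODO confirm
    # whether one of the two upgrade steps can be dropped.
    - name: Run a safe upgrade
      ansible.builtin.apt:
        upgrade: safe

    - name: Clean the apt package cache
      ansible.builtin.apt:
        clean: true

    # apt accepts a list, so the whole set is installed in one transaction
    # instead of one apt run per package.
    - name: Install repository packages
      ansible.builtin.apt:
        name: "{{ package_repo }}"
        state: latest
      when: package_repo is defined

    # `default([])` keeps the loop expression valid when package_pip is not
    # set; the loop is rendered before `when` is evaluated, so an undefined
    # variable would otherwise fail the task instead of skipping it.
    - name: Install pip packages
      ansible.builtin.pip:
        name: "{{ item }}"
      loop: "{{ package_pip | default([]) }}"
      when: package_pip is defined

  #! ROLES
  # Order matters: users first (creates "bot" with its key), then sudo (drops
  # /etc/sudoers.d/bot), then ssh_hardening. ssh_hardening presumably restricts
  # sshd to key-based login — confirm against the role's defaults, since a
  # failed key deploy before it runs would lock out the account.
  roles:
    - name: singleplatform-eng.users
    - name: linux-system-roles.sudo
    - name: devsec.hardening.ssh_hardening
    #! delete user like root
    # - name: devsec.hardening.os_hardening
    - name: geerlingguy.firewall

#
#
#! Launch single node
# alias docker=podman
# docker run -d --name k0s-controller --hostname k0s-controller \
#   --network host \
#   --privileged \
#   -v /var/lib/k0s \
#   --tmpfs /run \
#   --tmpfs /tmp \
#   -p 6443:6443 \
#   docker.io/k0sproject/k0s:v1.34.3-k0s.0 \
#   k0s controller --enable-worker --single=true --ignore-pre-flight-checks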