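---
# Baseline hardening play: creates the `bot` login, grants it sudo, hardens
# sshd, and configures the host firewall. Package updates run in pre_tasks,
# so they complete before any role is applied.
- hosts: all
  #! First run must use a login that can escalate to root: every task below
  #! runs with become (privilege escalation) enabled.
  become: true
  vars:
    # os_remove_additional_root_users: false
    #* USERS
    # Consumed by the singleplatform-eng.users role.
    users:
      - username: bot
        name: bot user
        # groups: ['wheel','systemd-journal']
        # uid: 1000
        home: /home/bot
        # profile: |
        #   alias ll='ls -lah'
        # Public keys only; the matching private key must stay out of this repo.
        ssh_key:
          # - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFof5AdYrrwtMsxSWB8KW04/s3hl5rrHzF0zhk7zK5dF"
      # - username: dbtest
      #   name: dbtest user
      #   groups: ['wheel','systemd-journal']
      #   uid: 1000
    # Consumed by the linux-system-roles.sudo role.
    # NOTE(review): "NOPASSWD: ALL" on all hosts makes `bot` equivalent to root
    # for anyone holding its SSH private key; scope the command list down if
    # the bot only needs a few commands.
    sudo_sudoers_files:
      - path: /etc/sudoers.d/bot
        user_specifications:
          - users:
              - bot
            hosts:
              - ALL
            operators:
              - ALL
            commands:
              - "NOPASSWD: ALL"
      # - path: /etc/sudoers.d/orbstack
      #   user_specifications:
      #     - users:
      #         - stephanegratias
      #       hosts:
      #         - ALL
      #       operators:
      #         - ALL
      #       commands:
      #         - "NOPASSWD: ALL"
    #* PACKAGES
    # Installed from the distro repositories in pre_tasks.
    package_repo:
      - python3-pip
      - podman
      - lsof
    # package_pip:
    #   - python3-libsemanage
    #* FIREWALL
    # Consumed by the geerlingguy.firewall role. Ports are quoted so they stay
    # strings and are never re-typed as integers. 6443 matches the k0s
    # controller port in the commented command at the end of this file;
    # 6881 is not explained anywhere here -- TODO confirm it is still needed.
    firewall_allowed_tcp_ports:
      - "22"
      - "6443"
      - "80"
      - "443"
      - "6881"
  pre_tasks:
    # Refresh the package index, then bring every installed package to the
    # newest version before installing the project packages.
    - ansible.builtin.apt:
        update_cache: true
    - ansible.builtin.apt:
        name: "*"
        state: latest
    - ansible.builtin.apt:
        upgrade: safe
    - ansible.builtin.apt:
        clean: true
    - ansible.builtin.apt:
        name: "{{ item }}"
        state: latest
      loop: "{{ package_repo }}"
      when: package_repo is defined
    # package_pip is commented out above; the `when` guard skips this task
    # until it is defined.
    - ansible.builtin.pip:
        name: "{{ item }}"
      loop: "{{ package_pip }}"
      when: package_pip is defined
  #! ROLES
  # Order matters: the user and its sudo entry exist before sshd is hardened,
  # and the firewall is applied last, after all packages are in place.
  roles:
    - name: singleplatform-eng.users
    - name: linux-system-roles.sudo
    - name: devsec.hardening.ssh_hardening
    #! os_hardening is disabled because it removes additional root-like users;
    #! re-enable together with os_remove_additional_root_users above.
    # - name: devsec.hardening.os_hardening
    - name: geerlingguy.firewall
# # #! Launch single node
# alias docker=podman
# docker run -d --name k0s-controller --hostname k0s-controller \
#   --network host \
#   --privileged \
#   -v /var/lib/k0s \
#   --tmpfs /run \
#   --tmpfs /tmp \
#   -p 6443:6443 \
#   docker.io/k0sproject/k0s:v1.34.3-k0s.0 \
#   k0s controller --enable-worker --single=true --ignore-pre-flight-checks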