Diffstat (limited to 'roles/setup_security/tasks/main.yml')
-rw-r--r--roles/setup_security/tasks/main.yml43
1 files changed, 43 insertions, 0 deletions
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
index 7d29cf5..36844c3 100644
--- a/roles/setup_security/tasks/main.yml
+++ b/roles/setup_security/tasks/main.yml
@@ -20,3 +20,46 @@
group:
name: pi
state: absent
+
+- name: Apply syspatch for system type = {{ ansible_distribution }}
+ syspatch:
+ apply: true
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Add puffy account for system type = {{ ansible_distribution }}
+ user:
+ name: puffy
+ group: wheel
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
+ copy:
+ src: "{{ role_path }}/files/doas.conf"
+ dest: "/etc/doas.conf"
+
+- name: Copy ssh key for puffy account
+ authorized_key:
+ user: puffy
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Copy ssh key for root account
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Disable password login in sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "PasswordAuthentication"
+ line: "PasswordAuthentication no"
+
+- name: Restart sshd daemon
+ service:
+ name: sshd
+ state: restarted
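Review bot: The `Disable password login in sshd_config` task at the end of the hunk matches the bare substring `PasswordAuthentication`, and lineinfile rewrites only the last matching line while sshd keeps the first value it reads for a keyword, so an active `PasswordAuthentication yes` higher in the file, or a rewritten line that sits below a `Match` block, would leave password login enabled. Anchoring the pattern to active directives, inserting at the top of the file when none exists, and validating with `sshd -t` before the file is written closes that gap; the unconditional restart is better expressed as a handler notified by this task, so sshd restarts only when the file actually changed. Keyboard-interactive authentication is a separate keyword and, left at its default, may still accept passwords, so it likely needs the same treatment. The `doas.conf` copy and both `authorized_key` tasks also lack the `when: inventory_hostname in groups["openbsd"]` guard used by the first two tasks, and the copy sets no `owner`, `group` or `mode` on a file that controls privilege escalation.

```yaml
- name: Disable password login in sshd_config
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match only an active directive, not comments that mention the keyword.
    regexp: '^\s*PasswordAuthentication\s'
    line: "PasswordAuthentication no"
    # With no active directive, insert at the top so sshd reads it first.
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart sshd daemon

# … unchanged: "Restart sshd daemon" service task, moved into the role's handlers …
```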