Diffstat (limited to 'roles')
-rw-r--r-- | roles/setup_security/files/doas.conf | 2 | ||||
-rw-r--r-- | roles/setup_security/tasks/main.yml | 43 |
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf
new file mode 100644
index 0000000..cf3a9d0
--- /dev/null
+++ b/roles/setup_security/files/doas.conf
@@ -0,0 +1,2 @@
+permit keepenv nopass puffy as root
+permit keepenv nopass root
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
index 7d29cf5..36844c3 100644
--- a/roles/setup_security/tasks/main.yml
+++ b/roles/setup_security/tasks/main.yml
@@ -20,3 +20,46 @@
 group:
 name: pi
 state: absent
+
+- name: Apply syspatch for system type = {{ ansible_distribution }}
+ syspatch:
+ apply: true
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Add puffy account for system type = {{ ansible_distribution }}
+ user:
+ name: puffy
+ group: wheel
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
+ copy:
+ src: "{{ role_path }}/files/doas.conf"
+ dest: "/etc/doas.conf"
+
+- name: Copy ssh key for puffy account
+ authorized_key:
+ user: puffy
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Copy ssh key for root account
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Disable password login in sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "PasswordAuthentication"
+ line: "PasswordAuthentication no"
+
+- name: Restart sshd daemon
+ service:
+ name: sshd
+ state: restarted |
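Review bot: Both rules in the new doas.conf combine `nopass` with `keepenv`, so any process running as puffy becomes root without authentication and hands its whole environment to the root process. The same commit installs an SSH key for puffy, so that one key is effectively a root credential on the host, and the separate root key adds a second direct path. If automation needs unattended escalation, consider at least dropping `keepenv` (or passing only named variables with `setenv { ... }`) and narrowing the rule with `cmd`. A short comment at the top of the file, such as `# puffy: unattended escalation for Ansible only`, would record why the policy is this open.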
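Review bot: In roles/setup_security/tasks/main.yml, the `copy` task for /etc/doas.conf and every task after it lack the `when: inventory_hostname in groups["openbsd"]` guard that the syspatch and user tasks carry. On any other host that runs this role the doas policy is copied, the root key is installed, sshd_config is edited and sshd is restarted, while the puffy key task would presumably fail because the account was never created. The copy also sets no ownership or mode and installs the file unchecked; `owner: root`, `mode: "0600"` and `validate: doas -C %s` would cover that. In the `lineinfile` task the unanchored `regexp: "PasswordAuthentication"` also matches comment lines, and because sshd keeps the first value it reads, an earlier uncommented `PasswordAuthentication yes` could stay in effect. Using `regexp: '^#?\s*PasswordAuthentication\s'` with `validate: sshd -t -f %s`, and moving the restart into a handler, would be safer.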