reodered and added functionality

hosts

@@ -26,6 +26,7 @@ coruscant.universe.local
 [mailserver]
 coruscant.universe.local
 mewitoot.de
+mail.mewissen.site
 
 [mobile]
 tuxedo-book-xp1511.universe.local

roles/base/files/system_setup/sshd_custom.conf

@@ -0,0 +1,27 @@
+PermitRootLogin prohibit-password
+MaxAuthTries 3
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+X11Forwarding no
+PrintMotd no
+PrintLastLog no
+
+AllowUsers rene
+Match Address 192.168.1.240
+        AllowUsers root,rene
+
+Match User root
+        PasswordAuthentication no
+
+Match User rene
+        PasswordAuthentication no
+
+Match Host *
+        MaxAuthTries 1

roles/base/tasks/main.yml

@@ -5,6 +5,24 @@
 - block:
   - debug:
       msg: Debug
+  # install software
+  # - import_tasks: software/repositories.yml
+  - import_tasks: software/packages_zsh.yml
+  # - import_tasks: software/packages_development.yml
+  - import_tasks: software/packages_cleanup.yml
+  # - import_tasks: software/packages_pip.yml
+  - import_tasks: software/packages_utilities.yml
+
+  # Perform remaining tasks:
+  - import_tasks: system_setup/clock.yml
+  # - import_tasks: system_setup/cron.yml
+  - import_tasks: system_setup/locale.yml
+  # - import_tasks: system_setup/logging.yml
+  # - import_tasks: system_setup/memory.yml
+  # - import_tasks: system_setup/microcode.yml
+  - import_tasks: system_setup/openssh.yml
+  # - import_tasks: system_setup/scripts.yml
+
   # Make sure users exist on the system
   #- import_tasks: users/rene.yml
   #- import_tasks: users/root.yml
@@ -12,22 +30,5 @@
   # Set up the ansible environment
   # - import_tasks: ansible_setup.yml
 
-  # install software
-  # - import_tasks: software/repositories.yml
-  # - import_tasks: software/packages_development.yml
-  # - import_tasks: software/packages_cleanup.yml
-  # - import_tasks: software/packages_pip.yml
-  # - import_tasks: software/packages_utilities.yml
-
-  # Perform remeining tasks:
-  # - import_tasks: system_setup/clock.yml
-  # - import_tasks: system_setup/cron.yml
-  # - import_tasks: system_setup/locale.yml
-  # - import_tasks: system_setup/logging.yml
-  # - import_tasks: system_setup/memory.yml
-  # - import_tasks: system_setup/microcode.yml
-  # - import_tasks: system_setup/openssh.yml
-  # - import_tasks: system_setup/scripts.yml
-
   rescue:
     - set_fact: task_failed=true

roles/base/tasks/system_setup/openssh.yml

@@ -14,10 +14,17 @@
 
 - name: system setup | openssh | generate sshd_config file from template
   tags: openssh,ssh,system,settings
-  template:
+  copy:
-    src: sshd_config.j2
+    src: system_setup/sshd_custom.conf
-    dest: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.d/custom.conf
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
-  notify: restart_sshd
+
+#  template:
+#    src: sshd_config.j2
+#    dest: /etc/ssh/sshd_config
+#    owner: root
+#    group: root
+#    mode: 0644
+#  notify: restart_sshd

roles/base/tasks/users/ansible.yml

@@ -0,0 +1,14 @@
+- name: users | ansible | add user
+  user:
+    name: ansible
+    comment: Ansible-Pull user
+    shell: /bin/bash
+    password_lock: yes
+
+- name: users | ansible | add sudoers file
+  copy:
+    src: users/sudoers_ansible
+    dst: /etc/sudoers.d/ansible
+    owner: root
+    group: root
+    mode: 0440

roles/base/tasks/users/rene.yml

@@ -3,30 +3,30 @@
     name: rene
     password_lock: yes
 
-- name: users | rene | create config directories
+# - name: users | rene | create config directories
-  file:
+#   file:
-    path: /rene/{{ item.dir }}
+#     path: /rene/{{ item.dir }}
-    state: directory
+#     state: directory
-    owner: rene
+#     owner: rene
-    group: rene
+#     group: rene
-    mode: 0700
+#     mode: 0700
-  with_items:
+#   with_items:
-    - {dir: '.vim'}
+#     - {dir: '.vim'}
-    - {dir: '.vim/colors'}
+#     - {dir: '.vim/colors'}
-  tags: dotfiles
+#   tags: dotfiles
 
-- name: users | rene | copy dotfiles
+# - name: users | rene | copy dotfiles
-  copy:
+#   copy:
-    src: users/rene/{{ item.src }}
+#     src: users/rene/{{ item.src }}
-    dest: /rene/{{ item.dest }}
+#     dest: /rene/{{ item.dest }}
-    owner: rene
+#     owner: rene
-    group: rene
+#     group: rene
-    mode: 0600
+#     mode: 0600
-  with_items:
+#   with_items:
-    - {src: 'bash/bashrc', dest: '.bashrc'}
+#     - {src: 'bash/bashrc', dest: '.bashrc'}
-    - {src: 'bash/bash_profile', dest: '.bash_profile'}
+#     - {src: 'bash/bash_profile', dest: '.bash_profile'}
-    - {src: 'bash/profile', dest: '.profile'}
+#     - {src: 'bash/profile', dest: '.profile'}
-    - {src: 'tmux/tmux.conf', dest: '.tmux.conf'}
+#     - {src: 'tmux/tmux.conf', dest: '.tmux.conf'}
-    - {src: 'vim/vimrc', dest: '.vimrc'}
+#     - {src: 'vim/vimrc', dest: '.vimrc'}
-    - {src: 'zsh/zshrc', dest: '.zshrc'}
+#     - {src: 'zsh/zshrc', dest: '.zshrc'}
-  tags: dotfiles
+#   tags: dotfiles

roles/base/tasks/users/root.yml

@@ -3,30 +3,30 @@
     name: root
     password_lock: yes
 
-- name: users | root | create config directories
+# - name: users | root | create config directories
-  file:
+#   file:
-    path: /root/{{ item.dir }}
+#     path: /root/{{ item.dir }}
-    state: directory
+#     state: directory
-    owner: root
+#     owner: root
-    group: root
+#     group: root
-    mode: 0700
+#     mode: 0700
-  with_items:
+#   with_items:
-    - {dir: '.vim'}
+#     - {dir: '.vim'}
-    - {dir: '.vim/colors'}
+#     - {dir: '.vim/colors'}
-  tags: dotfiles
+#   tags: dotfiles
 
-- name: users | root | copy dotfiles
+# - name: users | root | copy dotfiles
-  copy:
+#   copy:
-    src: users/root/{{ item.src }}
+#     src: users/root/{{ item.src }}
-    dest: /root/{{ item.dest }}
+#     dest: /root/{{ item.dest }}
-    owner: root
+#     owner: root
-    group: root
+#     group: root
-    mode: 0600
+#     mode: 0600
-  with_items:
+#   with_items:
-    - {src: 'bash/bashrc', dest: '.bashrc'}
+#     - {src: 'bash/bashrc', dest: '.bashrc'}
-    - {src: 'bash/bash_profile', dest: '.bash_profile'}
+#     - {src: 'bash/bash_profile', dest: '.bash_profile'}
-    - {src: 'bash/profile', dest: '.profile'}
+#     - {src: 'bash/profile', dest: '.profile'}
-    - {src: 'tmux/tmux.conf', dest: '.tmux.conf'}
+#     - {src: 'tmux/tmux.conf', dest: '.tmux.conf'}
-    - {src: 'vim/vimrc', dest: '.vimrc'}
+#     - {src: 'vim/vimrc', dest: '.vimrc'}
-    - {src: 'zsh/zshrc', dest: '.zshrc'}
+#     - {src: 'zsh/zshrc', dest: '.zshrc'}
-  tags: dotfiles
+#   tags: dotfiles

roles/base/templates/provision.sh.j2

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+
+# Options
+ANSIBLEUSER="ansible"
+BRANCH="{{ branch | default('master') }}"
+LOGFILE="/var/log/ansible.log"
+REPO="https://gitlab.social.my-wan.de/rene/ansible-pull.git"
+VAULT_KEY="</path/to/ansible_vault_key>"
+PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'"
+
+
+# check if ansible-pull is already running, and if not, run it
+if pgrep -f ansible-pull; then
+    printf "\n$(date +"%Y-%m-%d %H:%M:%S") A running ansible-pull process was found.\nExiting.\n"\
+        | tee -a "${LOGFILE}"
+    exit 1
+else
+    if [[ ! $1 == "" ]]; then
+        "${PRECMD}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull --vault-password-file="${VAULT_KEY}" -U "${REPO}" -C "${BRANCH}" --tags $1 2>&1
+    else
+        "${PRECMD}" sudo -iH -u "${ANSIBLEUSER}" ansible-pull --vault-password-file="${VAULT_KEY}" -o -U "${REPO}" -C "${BRANCH}" 2>&1
+    fi
+fi