no solarized color scheme

update dockprom playbook to use machine_name var (still hard-coding vpn ip addr)
run commands as regular user, not root
2021-01-20 19:41:31 -08:00 · 2021-01-20 19:41:16 -08:00 · 2021-01-20 19:40:46 -08:00 · 2021-01-20 19:39:57 -08:00 · 2021-01-20 19:39:41 -08:00 · 2021-01-20 19:39:30 -08:00
21 changed files with 499 additions and 99 deletions
--- a/base.yml
+++ b/base.yml
@@ -40,6 +40,22 @@
      tags: sshkeys
 - name: Install firewall
  hosts: "{{ machine_name }}"
  vars:
  - firewall_allowed_tcp_ports:
    - "{{ ssh_port }}"
    - "80"
    - "443"
    - "8080" # cadvisor
    - "9100" # nodeexporter
    - "3100" # loki
    - "9113" # nginxexporter
  roles:
    - role: firewall
      become: yes
 - name: Set up dotfiles
  hosts: "{{ machine_name }}"
  roles:
--- a/dockprom.yml
+++ b/dockprom.yml
@@ -2,12 +2,10 @@
 # deploy dockprom pod to dev stage
 - name: Install dockprom docker pod
-  hosts:
+  hosts: "{{ machine_name }}"
  - bespin
  vars:
-    install_client_service: "true"
+  - install_client_service: "true"
-    dockprom_bind_ip: "192.168.30.10"
+  - dockprom_bind_ip: "192.168.30.40"
  roles:
  - role: pod-dockprom
    become: yes
--- a/firewall.yml
+++ b/firewall.yml
@@ -0,0 +1,25 @@
 ---
 # Playbook for firewall role
 - name: Set up SSH keys
  hosts: "{{ machine_name }}"
  roles:
    - role: sshkeys
      tags: sshkeys
 - name: Install firewall
  hosts: "{{ machine_name }}"
  vars:
  - firewall_allowed_tcp_ports:
    - "{{ ssh_port }}"
    - "80"
    - "443"
    - "8080" # cadvisor
    - "9100" # nodeexporter
    - "3100" # loki
    - "9113" # nginxexporter
  roles:
    - role: firewall
      become: yes
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -30,15 +30,20 @@ charlesreid1_port_ssl_gitea: "443"
 # pyenv variables
 pyenv_root: "/home/{{ username }}/.pyenv"
 pyenv_versions:
-  - miniconda3-4.3.30
+  - 3.7.9
 #  - miniconda3-4.3.30
 #  - 3.7.5
 #  - 3.8.0
-pyenv_global_version: miniconda3-4.3.30
+pyenv_global_version: 3.7.9
 pyenv_python: "{{ pyenv_root }}/versions/{{ pyenv_global_version }}/bin/python"
 pyenv_pip: "{{ pyenv_root }}/versions/{{ pyenv_global_version }}/bin/pip"
 # ports
 ssh_port: 5778
 ########################
 # vault variables
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
@@ -1,60 +1,59 @@
 $ANSIBLE_VAULT;1.1;AES256
-37633430646463656366396433396462383465383039636132376164626364336664366230383964
+62626164613766613162653233616565393064366366303463653761626435663236366237663931
-3835663562353932346533306238653031623937313935320a306134636538383366383637636234
+3938316262353261666435313766306438656330653561330a303036313536363263633635636435
-34633239656434313565306133366539353664333536313739333766303666373162636532633436
+33363266643233363838616239333061316432346362383063326630623532363862666331373137
-3935623266616435340a356234616231646334633239336363633166373563343363313366663464
+6161643632353730350a656335663536366264633634323263386461646161386233646639393862
-33316161626238373162306332343335656534663963316365396635623237333631336564636161
+32663162613130343463646363653663363237303436623138633366316163323164623366616538
-61363861313564323539333836393364373738373236633636373365343632613435383237623562
+31306336383434656536383339383535646461326539653934363436333363633963313239383938
-61393261333431626234623437636433643964383138623633316465653562623533326562663837
+30666333373537653338316633643436313732346261656330643162343230636163343136353464
-39356633366539346433303139663733383239316434376137313838376462646231643839646163
+33646237663338636134613832623338316463366338623662363665633561316565306664663533
-66373237653136333534643636666138653136623465633738633165366632363235633134356362
+62336636626136613465346533316237626335656632373535383137353264306337633637653762
-36346261363837643238306332323238336132306265616363303532346362613766306433623565
+34366561386462306464373263363537303465306533303935383130393161343030323337343932
-33373134646366346265633562306634303736613563653061333461636465313261343565386131
+33323839326665643734643064353838643436626363643733363232386665323761303165383236
-39333438633332376638373431643064653337303564643533386436353865346139383936643737
+33393533333361383566616335343336303730656432306632326134653239306334306438646437
-66666130323533373966363062646433336235373766313363666539383865646464326465363332
+65323339303038656239333230323037343466393134353731643033643065333431623333663264
-30616662623863623533316536653132316535376630623165656335353163653761633465383332
+61306132636637353734373064343965386233663031313836306639313533303130306663316666
-33623530316135616264366436346332353265346136626337633632323538653539326234346632
+30626564373066333561633363383733313063346564336338653737346130313432653231353732
-37336461646666346235306535646530336635326536616635316162326133636261656262636138
+64636661346434616536636638623265396330343639613139623965373131336363376333626162
-34636534313536623364663830366264373433373066363934396338303766333831643163326130
+65386562613362613266336565303065663132336263636535623639383035343131336532393466
-64623761383334333266356338626630366162643764666264316139663361373562353164393431
+66666563623863653566336464363738366566343462366263653434303364623237633763333864
-65656134333561643165623036666139333335323066636262386336666461646631623564653733
+34313362643665613834303533653533326531396132613539363434363463303263643433363866
-30646462396131336262376264373963626531616665616630623532353739623938623234326635
+35353331633436346238616231656166343030613935343332363132363135353063386563366438
-62633166303563383564363465333433316263623665323332663131353765393463306561663861
+61653739373534313164373262326233613032353835616334396332643262616665326130386462
-64326564663165666234306664396335313933656332363064643661656162393831386431653339
+37363734633964363937633336326361313561373066643766356462333562373565643138333065
-62653365393031383836626139303335396236326239643266313261326164646338613733363063
+66613165393539663239396561393235653236646537656637356430323731643761613061393665
-33666436653439336639316539626634626661646638333863643266626466633530376266313339
+32636262343861386264326666613230373966316561653637336465653831343531363439323433
-32383636646131346639656238373962393539633231386663343533336266393862383163383962
+65343430303361663437666230383236656538326466636366373366326637633063383538643461
-34626264383635303435616234396664646136373436326163323761373636373162653531646434
+64643431656535623961313164623764376130633839306632376237633734343635393164356363
-31643263636433656161303666313130306165613336343934343761636537643566666436623235
+39636261666639626261313962386434626533313538393463623365643065633432386630386434
-65353737663034376333373835366131383235303863666231643663626130663737313662653533
+34313164313366353862653838356431323764633133303962346663303836333361613333666463
-34353732386562383863306637663266363064336536613631373464636334646166396435363763
+34633032393861386332383236366432396337353539616132336537326663303263613464346235
-66323232653437313535346561356632343039636435373739306263396533616333616532306439
+37373163383164306233653265356136393364316637626361353432333436306634643462333530
-61383730353534333962363334313331636232666261613566393833313932353434323763343733
+63623330666237636138633131646232663531326462303837393236656662666233316532373162
-34346639363037383962653437343630366237316530396365343364363434653766386239343438
+62353366326238313131366234646532626565666563393139376536643936313736626166313466
-30626166333163333164326536323334646465613235363734653736626163303361396233646135
+61383461383538386566356333396464373636626266373239623266356263323532646366343966
-61313862616431353161306238376336373434373331666233356264343466353536373961653662
+39666566623964303834326330303437626431356261396663373031306164636131383338313661
-63363936333938303037323730636262356136336564623064356666636334666364646130613134
+38373034663266663763656436666137336235646635326664326633616662383039386139616266
-66663063303361666366613163393861303835356461643865333035363161383237356434356538
+61306630373838333234613566386431633534653961633234653364326437356233343965666465
-38623831316363656435313737666163313137323431313936316534366430633264633033653038
+65326266656665633331356665363435343438613134343339393762373762643530376363343930
-37666663383763303936373465383437616338653430343035626662393330326562643139333364
+35333735386331343530343239393864323838633364363338373734323434393736333837373363
-36616465636231393266373638373433616438343564366233343631643234393764653337636334
+38383464303434316436343764373934643162616237333930383239353862366532316263303461
-64396236333965613537393034623232373731303965346263613161633336636131366533333635
+66333031323563626461363134656636393734323531343163373736353965323865613963646332
-65343732313963313062303333383839333130653766393334366331363336346137323261363639
+32653363336366643261323063323662326239346135316664393366623532333865343461666532
-64626364616361386365633066363566643530383564663063623931313833626264326463376139
+34343761636135363035313338353934653533366165633361653738333836336630383538336264
-36613836316538373366653537333430613765633032663235383661626331363438323962363133
+61633538623663313136363636393332616335626137326332613131363934373235306662356163
-62363836313837373665306263663733336564633936306331656334353665633936633339626235
+65643334376634626665316136393236313437376233333963316134613861623035666132386136
-63626637656462343438326536643837393339653837366433396633646461643731616265616238
+63363062653235663136383665356661306538373566313136336564356563326138656635353466
-63656332313434633866643961633130396432363431306562653530343736373630623061386636
+31646333373334623931353037663863636366386530383435623139336630353261633339323961
-61386165373730623934653736343964383039366437613063383636363862646233666137623635
+65646332623336616536343063643666646634326462366131613930653538613433373230326633
-36303765633431313933353161336236663736643036636365623965653164303535366637343937
+38353733656561353938306235303231623438396366356235666131323366633061313361656533
-36386235353339336239303961663165313263303334643238393039373233656164356138383136
+38646331336636303138623962646464363062313462366664653466326335393437333336366133
-38643863666230353938653062383963393362396266393165333461333035666632356131373835
+37383462303635316661343935353762666633366334343430326562663434313239373235356235
-39646231613332343638373961356666393533653235303034626162666633626566366564396330
+32303962653437366363363739646263663264376665353362383033383466336435303736313731
-63323939376539646261353433663237393237323833613933323332643334366663653836306535
+35646361306535373532393038383030336634353737343534663461393830346464386138623139
-32353736376665396235353661313866643633613239626638343662363832303363386638646261
+61623664626164386630623633363237643161656434343465633530653836373439376339313831
-31383565646438313331626330316462613638346565303232363437333531363330636435666338
+39343739336461333535663264626230393737306137653864323734626639313133626132626436
-66316364303138323835663761373865656266396231643339613934396562383665663736393561
+66616465386333626332663064396137666561663162383337333634303037366234633632623538
-64646438326262386464656236636162323064396431383333316134313238626464653565396237
+36356464323333613861383432356263636438316133333531393331323262316438343633643333
-64353336323636303532383932306436393631333132383565373134636230356634356266306338
+39363130376562373163663633363363306133643161313063303165643934633266613330616130
-34303332666666616636633265346563383738363762356136346163363665353332383763323238
+6633313739623562656533376639346132333338373030303561
 313736636134323433336637303939303836
--- a/linode.cfg
+++ b/linode.cfg
@@ -1,6 +1,6 @@
 [defaults]
 inventory = linodehosts
-remote_user = root
+remote_user = charles
 private_key_file = ~/.ssh/id_rsa
 host_key_checking = False
 vault_password_file = .vault_secret
--- a/5
+++ b/5
@@ -1,10 +1,13 @@
 [servers:children]
 bear
 bespin
 dorky
 dracaena
 [bear]
 linode_bear ansible_host=300.300.300.300 ansible_port=22 ansible_python_interpreter=/usr/bin/python3
 [dorky]
 linode_dorky ansible_host=400.400.400.400 ansible_port=22 ansible_python_interpreter=/usr/bin/python3
 [dracaena]
 linode_dracaena ansible_host=500.500.500.500 ansible_port=22 ansible_python_interpreter=/usr/bin/python3
--- a/roles/firewall/.gitignore
+++ b/roles/firewall/.gitignore
@@ -0,0 +1,3 @@
 *.retry
 */__pycache__
 *.pyc
--- a/roles/firewall/LICENSE
+++ b/roles/firewall/LICENSE
@@ -0,0 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2017 Jeff Geerling
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
 the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/roles/firewall/README.md
+++ b/roles/firewall/README.md
@@ -0,0 +1,4 @@
 # Firewall Ansible Role
 Source: <https://github.com/geerlingguy/ansible-role-firewall>
--- a/roles/firewall/defaults/main.yml
+++ b/roles/firewall/defaults/main.yml
@@ -0,0 +1,22 @@
 ---
 firewall_state: started
 firewall_enabled_at_boot: true
 firewall_flush_rules_and_chains: true
 firewall_allowed_tcp_ports:
  - "22"
  - "80"
  - "443"
 firewall_allowed_udp_ports: []
 firewall_forwarded_tcp_ports: []
 firewall_forwarded_udp_ports: []
 firewall_additional_rules: []
 firewall_enable_ipv6: true
 firewall_ip6_additional_rules: []
 firewall_log_dropped_packets: true
 # Set to true to ensure other firewall management software is disabled.
 firewall_disable_firewalld: true
 firewall_disable_ufw: true
--- a/roles/firewall/handlers/main.yml
+++ b/roles/firewall/handlers/main.yml
@@ -0,0 +1,3 @@
 ---
 - name: restart firewall
  service: name=firewall state=restarted
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,52 @@
 ---
 - name: Ensure iptables is present.
  package: name=iptables state=present
 - name: Flush iptables the first time playbook runs.
  command: >
    iptables -F
    creates=/etc/firewall.bash
 - name: Copy firewall script into place.
  template:
    src: firewall.bash.j2
    dest: /etc/firewall.bash
    owner: root
    group: root
    mode: 0744
  notify: restart firewall
 - name: Copy firewall init script into place.
  template:
    src: firewall.init.j2
    dest: /etc/init.d/firewall
    owner: root
    group: root
    mode: 0755
  when: "ansible_service_mgr != 'systemd'"
 - name: Copy firewall systemd unit file into place (for systemd systems).
  template:
    src: firewall.unit.j2
    dest: /etc/systemd/system/firewall.service
    owner: root
    group: root
    mode: 0644
  when: "ansible_service_mgr == 'systemd'"
 - name: Configure the firewall service.
  service:
    name: firewall
    state: "restarted"
    #state: "{{ firewall_state }}"
    enabled: "{{ firewall_enabled_at_boot }}"
 - name: Stop the docker service.
  service:
    name: docker
    state: stopped
 - name: Start the docker service.
  service:
    name: docker
    state: started
--- a/roles/firewall/templates/firewall.bash.j2
+++ b/roles/firewall/templates/firewall.bash.j2
@@ -0,0 +1,138 @@
 #!/bin/bash
 # iptables firewall.
 #
 # This file should be located at /etc/firewall.bash, and is meant to work with
 # the `geerlingguy.firewall` Ansible role.
 #
 # Common port reference:
 #   22: SSH
 #   25: SMTP
 #   80: HTTP
 #   123: NTP
 #   443: HTTPS
 #   2222: SSH alternate
 #   8080: HTTP alternate
 #
 # @author Jeff Geerling
 # No spoofing.
 if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
 then
 for filter in /proc/sys/net/ipv4/conf/*/rp_filter
 do
 echo 1 > $filter
 done
 fi
 # Set the default rules.
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT
 {% if firewall_flush_rules_and_chains %}
 # Remove all rules and chains.
 iptables -t nat -F
 iptables -t mangle -F
 iptables -F
 iptables -X
 {% endif %}
 # Accept traffic from loopback interface (localhost).
 iptables -A INPUT -i lo -j ACCEPT
 # Forwarded ports.
 {# Add a rule for each forwarded port #}
 {% for forwarded_port in firewall_forwarded_tcp_ports %}
 iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
 iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
 {% endfor %}
 {% for forwarded_port in firewall_forwarded_udp_ports %}
 iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
 iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
 {% endfor %}
 # Open ports.
 {# Add a rule for each open port #}
 {% for port in firewall_allowed_tcp_ports %}
 iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
 {% endfor %}
 {% for port in firewall_allowed_udp_ports %}
 iptables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
 {% endfor %}
 # Accept icmp ping requests.
 iptables -A INPUT -p icmp -j ACCEPT
 # Allow NTP traffic for time synchronization.
 iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
 iptables -A INPUT -p udp --sport 123 -j ACCEPT
 # Additional custom rules.
 {% for rule in firewall_additional_rules %}
 {{ rule }}
 {% endfor %}
 # Allow established connections:
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Log EVERYTHING (ONLY for Debug).
 # iptables -A INPUT -j LOG
 {% if firewall_log_dropped_packets %}
 # Log other incoming requests (all of which are dropped) at 15/minute max.
 iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
 {% endif %}
 # Drop all other traffic.
 iptables -A INPUT -j DROP
 {% if firewall_enable_ipv6 %}
 # Configure IPv6 if ip6tables is present.
 if [ -x "$(which ip6tables 2>/dev/null)" ]; then
 {% if firewall_flush_rules_and_chains %}
  # Remove all rules and chains.
  ip6tables -F
  ip6tables -X
 {% endif %}
  # Accept traffic from loopback interface (localhost).
  ip6tables -A INPUT -i lo -j ACCEPT
  # Open ports.
 {# Add a rule for each open port #}
 {% for port in firewall_allowed_tcp_ports %}
  ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
 {% endfor %}
 {% for port in firewall_allowed_udp_ports %}
  ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
 {% endfor %}
  # Accept icmp ping requests.
  ip6tables -A INPUT -p icmpv6 -j ACCEPT
  # Allow NTP traffic for time synchronization.
  ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
  ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
  # Additional custom rules.
 {% for rule in firewall_ip6_additional_rules %}
  {{ rule }}
 {% endfor %}
  # Allow established connections:
  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Log EVERYTHING (ONLY for Debug).
  # ip6tables -A INPUT -j LOG
 {% if firewall_log_dropped_packets %}
  # Log other incoming requests (all of which are dropped) at 15/minute max.
  ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
 {% endif %}
  # Drop all other traffic.
  ip6tables -A INPUT -j DROP
 fi
 {% endif %}
--- a/roles/firewall/templates/firewall.init.j2
+++ b/roles/firewall/templates/firewall.init.j2
@@ -0,0 +1,52 @@
 #! /bin/sh
 # /etc/init.d/firewall
 #
 # Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling.
 #
 # @author Jeff Geerling
 ### BEGIN INIT INFO
 # Provides:          firewall
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start firewall at boot time.
 # Description:       Enable the firewall.
 ### END INIT INFO
 # Carry out specific functions when asked to by the system
 case "$1" in
  start)
    echo "Starting firewall."
    /etc/firewall.bash
    ;;
  stop)
    echo "Stopping firewall."
    iptables -F
    if [ -x "$(which ip6tables 2>/dev/null)" ]; then
        ip6tables -F
    fi
    ;;
  restart)
    echo "Restarting firewall."
    /etc/firewall.bash
    ;;
  status)
    echo -e "`iptables -L -n`"
    EXIT=4 # program or service status is unknown
    NUMBER_OF_RULES=$(iptables-save | grep '^\-' | wc -l)
    if [ 0 -eq $NUMBER_OF_RULES ]; then
        EXIT=3 # program is not running
    else
        EXIT=0 # program is running or service is OK
    fi
    exit $EXIT
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|status|restart}"
    exit 1
    ;;
 esac
 exit 0
--- a/roles/firewall/templates/firewall.unit.j2
+++ b/roles/firewall/templates/firewall.unit.j2
@@ -0,0 +1,12 @@
 [Unit]
 Description=Firewall
 After=syslog.target network.target
 [Service]
 Type=oneshot
 ExecStart=/etc/firewall.bash
 ExecStop=/sbin/iptables -F
 RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
--- a/roles/sshkeys/defaults/main.yml
+++ b/roles/sshkeys/defaults/main.yml
@@ -7,3 +7,4 @@ username: "{{ nonroot_user }}"
 # link it with this email.
 ssh_key_email: ""
 ssh_port: 22
--- a/roles/sshkeys/files/config
+++ b/roles/sshkeys/files/config
@@ -0,0 +1,2 @@
 Host *
    StrictHostKeyChecking accept-new
--- a/roles/sshkeys/handlers/main.yml
+++ b/roles/sshkeys/handlers/main.yml
@@ -0,0 +1,6 @@
 ---
 - name: restart ssh
  service:
    name: "ssh"
    state: "restarted"
--- a/roles/sshkeys/tasks/main.yml
+++ b/roles/sshkeys/tasks/main.yml
@@ -12,6 +12,7 @@
    path: /root/.ssh
    state: directory
  tags:
    - ssh
    - root-ssh
 - name: Check if a root user SSH key already exists
@@ -20,6 +21,7 @@
    path: "/root/.ssh/id_rsa"
  register: root_key_check
  tags:
    - ssh
    - root-ssh
 - name: "Generate SSH keys for root user ({{ ssh_key_email }})"
@@ -28,6 +30,7 @@
  when:
    - "not root_key_check.stat.exists"
  tags:
    - ssh
    - root-ssh
 - name: Set permissions on root .ssh directory
@@ -40,22 +43,7 @@
  when:
    - "not root_key_check.stat.exists"
  tags:
-    - root-ssh
+    - ssh
 ###############################
 # root: copy authorized keys
 - name: Copy (overwrite) the authorized keys file into the root .ssh directory
  become: yes
  copy:
    src: authorized_keys
    dest: /root/.ssh/authorized_keys
    mode: 0600
    force: yes
  tags:
    - root-ssh
@@ -72,6 +60,7 @@
    owner: "{{ username }}"
    group: "{{ username }}"
  tags:
    - ssh
    - nonroot-ssh
 - name: Check if a nonroot user SSH key already exists
@@ -81,6 +70,7 @@
    path: "/home/{{ username }}/.ssh/id_rsa"
  register: nonroot_key_check
  tags:
    - ssh
    - nonroot-ssh
 - name: "Generate SSH keys for nonroot user {{ username }} ({{ ssh_key_email }})"
@@ -90,6 +80,7 @@
  when:
    - "not nonroot_key_check.stat.exists"
  tags:
    - ssh
    - nonroot-ssh
 - name: Set permissions on nonroot .ssh directory
@@ -103,6 +94,7 @@
    owner: "{{ username }}"
    group: "{{ username }}"
  tags:
    - ssh
    - nonroot-ssh
@@ -121,15 +113,74 @@
    owner: "{{ username }}"
    group: "{{ username }}"
  tags:
    - ssh
    - nonroot-ssh
 ##################################
-# nonroot: automatically accept new keys
+# nonroot: copy ssh configuration
- name: Automatically accept new SSH keys
+- name: Copy the ssh configuration to the nonroot user .ssh directory
  become: yes
  become_user: "{{ username }}"
-  command: "echo 'StrictHostKeyChecking=accept-new' > ~/.ssh/config"
+  copy:
    src: config
    dest: "/home/{{ username }}/.ssh/config"
    mode: 0600
    force: yes
    owner: "{{ username }}"
    group: "{{ username }}"
  tags:
    - ssh
    - nonroot-ssh
 ##################################
 # system ssh configuration
 - name: Ensure SSH daemon is running.
  service:
    name: "ssh"
    state: "started"
 - name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: 'sshd -T -f %s'
    mode: 0644
  with_items:
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication no"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin no"
    - regexp: "^Port"
      line: "Port {{ ssh_port }}"
    - regexp: "^UseDNS"
      line: "UseDNS no"
    - regexp: "^PermitEmptyPasswords"
      line: "PermitEmptyPasswords no"
    - regexp: "^ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication no"
    - regexp: "^GSSAPIAuthentication"
      line: "GSSAPIAuthentication no"
    - regexp: "^X11Forwarding"
      line: "X11Forwarding no"
  notify: restart ssh
  tags:
    - ssh
    - root-ssh
 ## 
 ## - name: Automatically accept new SSH keys
 ##   become: yes
 ##   become_user: "{{ username }}"
 ##   command: "echo 'StrictHostKeyChecking=accept-new' > ~/.ssh/config"
 ##   tags:
 ##     - nonroot-ssh
--- a/roles/vim/tasks/main.yml
+++ b/roles/vim/tasks/main.yml
@@ -82,15 +82,3 @@
    mode: 0755
 ############################
 # install solarized color scheme
 - name: Download solarized color scheme to ~/.vim/colors
  become: yes
  become_user: "{{ username }}"
  get_url:
    url: "https://raw.githubusercontent.com/altercation/vim-colors-solarized/master/colors/solarized.vim"
    dest: "/home/{{ username }}/.vim/colors/solarized.vim"
    mode: 0755
Author	SHA1	Message	Date
Charles Reid	97f50bf4e2	no solarized color scheme	2021-01-20 19:41:31 -08:00
Charles Reid	5dd9e21593	update dockprom playbook to use machine_name var (still hard-coding vpn ip addr)	2021-01-20 19:41:16 -08:00
Charles Reid	18b143c82f	run commands as regular user, not root	2021-01-20 19:40:46 -08:00
Charles Reid	434d1acc24	update firewall	2021-01-20 19:39:57 -08:00
Charles Reid	2579bb8aab	update group_vars	2021-01-20 19:39:41 -08:00
Charles Reid	61c286d1e0	expand on ssh role, set system and user configuration	2021-01-20 19:39:30 -08:00
Charles Reid	ac6334eff5	add firewall role	2021-01-20 19:38:34 -08:00
Charles Reid	b137995503	scrub local and linode hosts	2021-01-20 19:38:14 -08:00
		`@@ -0,0 +1,4 @@`
							`# Firewall Ansible Role`

							`Source: <https://github.com/geerlingguy/ansible-role-firewall>`