Initial base playbooks

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>

playbooks/access.yml

@@ -0,0 +1,36 @@
+---
+- name: 'Configure access permissions'
+  hosts: 'all'
+
+  vars:
+    ssh_public_keys_exclusive: true
+
+  tasks:
+    - name: 'Install ssh keys in target system'
+      ansible.posix.authorized_key:
+        user: '{{ ansible_user }}'
+        key: '{{ ssh_public_keys }}'
+        exclusive: '{{ ssh_public_keys_exclusive }}'
+
+    - name: 'Allow ansible user to use sudo'
+      become: true
+      ansible.builtin.template:
+        src: 'sudoers.d/ansible.j2'
+        dest: '/etc/sudoers.d/ansible'
+        owner: 'root'
+        group: 'root'
+        mode: 'u=rw,g=r,o='
+
+    - name: 'Disallow ssh password login'
+      become: true
+      ansible.builtin.lineinfile:
+        path: '/etc/ssh/sshd_config'
+        regexp: '^#?PasswordAuthentication '
+        line: 'PasswordAuthentication no'
+
+    - name: 'Disallow ssh root login without key'
+      become: true
+      ansible.builtin.lineinfile:
+        path: '/etc/ssh/sshd_config'
+        regexp: '^#?PermitRootLogin '
+        line: 'PermitRootLogin prohibit-password'