diff --git a/playbooks/rpi-basics.yaml b/playbooks/rpi-basics.yaml
index 6c0f603..502f6c9 100644
--- a/playbooks/rpi-basics.yaml
+++ b/playbooks/rpi-basics.yaml
@@ -1,23 +1,30 @@
 ---
 - name: Ensures basic scripts & configs set up for Raspberry Pis
 hosts: raspberries
+ vars:
+ password_excluded_hosts:
+ - pikvm
 tasks:
- - name: Include the rpi_scripts role
- include_role:
+ - name: Set root passwords
+ ansible.builtin.include_role:
+ name: random_root_password
+ when: ansible_hostname not in password_excluded_hosts
+ - name: Ensure rpi scripts are present
+ ansible.builtin.include_role:
 name: rpi_scripts
 - name: Include the rpi_watchdog role
- include_role:
+ ansible.builtin.include_role:
 name: rpi_watchdog
- - name: Include configure_vim role
- include_role:
+ - name: Ensure vim config is present for pi
+ ansible.builtin.include_role:
 name: configure_vim
 - name: Include profile aliases
- include_role:
+ ansible.builtin.include_role:
 name: profile_aliases
 - name: Include basic package list
- include_role:
+ ansible.builtin.include_role:
 name: basic_setup
 - name: Configure pibox extras
- include_role:
+ ansible.builtin.include_role:
 name: pibox_basics
 when: ansible_hostname == 'piparcel'
diff --git a/roles/basic_setup/tasks/main.yaml b/roles/basic_setup/tasks/main.yaml
new file mode 100644
index 0000000..0a272e5
--- /dev/null
+++ b/roles/basic_setup/tasks/main.yaml
@@ -0,0 +1,22 @@
+---
+- name: Performing APT cache update
+ ansible.builtin.apt:
+ upgrade: no
+ update_cache: yes
+ cache_valid_time: 86400
+ become: true
+ become_method: sudo
+
+- name: Install basic packages
+ ansible.builtin.package:
+ name:
+ - apt-transport-https
+ - mlocate
+ - wget
+ - curl
+ - net-tools
+ - git
+ - software-properties-common
+ state: latest
+ become: true
+ become_method: sudo
diff --git a/roles/profile_aliases/tasks/main.yaml b/roles/profile_aliases/tasks/main.yaml
new file mode 100644
index 0000000..92b529e
--- /dev/null
+++ b/roles/profile_aliases/tasks/main.yaml
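Review bot: The new `when` on the `Set root passwords` task keys the exclusion on `ansible_hostname`, a gathered fact holding the target's own short hostname, so a host whose OS hostname differs from the name listed in `password_excluded_hosts` is not excluded and gets its root password rotated, and the guard is undefined if fact gathering is ever turned off for this play. `inventory_hostname` is always defined and is the name you actually write in the list, so `when: inventory_hostname not in password_excluded_hosts` is the safer form; the existing `'piparcel'` check on the last task has the same dependency. If the set of excluded machines grows, an inventory group the role is simply not applied to is easier to audit than a list carried in play vars.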
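Review bot: `state: latest` on the `Install basic packages` task upgrades those seven packages on every run, so an unrelated run of this playbook can pull in new versions and the task reports `changed` whenever upstream publishes an update; `state: present` expresses "installed" without the implicit upgrade, which is what a basic-setup role normally wants. The `upgrade: no` / `update_cache: yes` values on the first task are YAML 1.1 truthy strings that ansible-lint flags; `upgrade: false` / `update_cache: true` is the canonical form, and `upgrade` can be dropped entirely since `no` is the module default. `become_method: sudo` is also the default and can be omitted on both tasks.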
@@ -0,0 +1,12 @@
+---
+- name: Ensure colored ip alias is set
+ ansible.builtin.lineinfile:
+ path: ~/.profile
+ line: "alias ip=\"ip -c\""
+ state: present
+- name: Ensure dfh alias is set
+ ansible.builtin.lineinfile:
+ path: ~/.profile
+ line: "alias dfh=\"df -h | grep -v tmpfs\""
+ state: present
+
diff --git a/roles/random_root_password/files/root-password-print.sh b/roles/random_root_password/files/root-password-print.sh
new file mode 100755
index 0000000..b9dcc3a
--- /dev/null
+++ b/roles/random_root_password/files/root-password-print.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# For printing the passwords to save to a password manager
+
+password_dir=~/ansible/secrets/passwords/
+
+for dir in $(ls $password_dir); do
+ printf "%-17s : %20s\n" "$dir" "$(cat $password_dir/$dir/root_password)"
+done
diff --git a/roles/random_root_password/tasks/main.yaml b/roles/random_root_password/tasks/main.yaml
new file mode 100644
index 0000000..86654b8
--- /dev/null
+++ b/roles/random_root_password/tasks/main.yaml
@@ -0,0 +1,12 @@
+---
+- name: Generate & set random password for root
+ ansible.builtin.user:
+ name: root
+ create_home: false
+ # The rounds & salt MUST be set in the password_hash function if you don't want the task
+ # to return 'changed' every time the playbook runs, updating the /etc/passwd file each time. Fun!
+ # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/password_hash_filter.html
+ password: "{{ lookup('ansible.builtin.password', password_dir + '/' + ansible_hostname + '/root_password', length=20) | password_hash('sha512', rounds=16384, salt=8008135) }}"
+ update_password: always
+ become: true
+ become_method: sudo
diff --git a/roles/random_root_password/vars/main.yaml b/roles/random_root_password/vars/main.yaml
new file mode 100644
index 0000000..f679f69
--- /dev/null
+++ b/roles/random_root_password/vars/main.yaml
@@ -0,0 +1,2 @@
+---
+password_dir: ~/ansible/secrets/passwords/
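Review bot: Both `lineinfile` tasks in profile_aliases match only the exact `line`, so if either alias is later edited by hand in `~/.profile` the old definition stays and a second one is appended on the next run; adding `regexp: '^alias ip='` (and `regexp: '^alias dfh='`) makes the task replace the existing definition instead of accumulating duplicates. The escaped double quotes are avoidable with a single-quoted scalar, `line: 'alias ip="ip -c"'`. Unlike the other roles in this change these tasks do not `become`, so `~` resolves to the connecting user's home rather than root's; if that is intended a one-line comment saying so would stop the next reader from "fixing" it.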
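Review bot: The loop in `root-password-print.sh` iterates over `$(ls $password_dir)`, which word-splits the listing and is the classic parse-ls pitfall, and `$password_dir/$dir/root_password` is unquoted for the same reason; a glob does the job without parsing ls: `for dir in "$password_dir"/*/; do`, `host=$(basename "$dir")`, `printf "%-17s : %20s\n" "$host" "$(cat "${dir}root_password")"`. A directory without a `root_password` file currently prints an empty right-hand column (cat's error goes to stderr, the substitution yields ""), so a `[ -f "${dir}root_password" ] || continue` guard, or an explicit error, would make a missing secret visible. Since the script's whole purpose is to print secrets to the terminal, the header comment should also say that its output is meant to be copied into the password manager and not redirected into a file.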
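Review bot: The `salt=8008135` literal in the `password:` expression is one fixed salt shared by every host, which the comment justifies for idempotence but which also means any two hosts that ever end up with the same password get identical shadow hashes and a single precomputed table covers the whole fleet. Idempotence holds equally well with a per-host salt that is generated once and stored next to the password by the same lookup, e.g. `salt=lookup('ansible.builtin.password', password_dir + '/' + ansible_hostname + '/root_salt', chars=['ascii_letters', 'digits'], length=16)`, which is stable across runs yet unique per host. The comment block should also state that the `password` lookup persists the plaintext password on the controller under `password_dir` (the print helper reads those files), so that directory is the real secret store and must stay outside version control; the `~` path suggests it does, but that is worth confirming.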
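Review bot: `password_dir` is declared in `vars/main.yaml`, which has higher precedence than inventory, host_vars and play vars, so the secrets location cannot be overridden per environment without editing the role; `defaults/main.yaml` is the conventional place for a path like this. The value also ends in `/` while the task builds the path with `password_dir + '/'`, producing a double slash; `password_dir: ~/ansible/secrets/passwords` keeps the two consistent.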