---
# This ansible-playbook prepares fresh-from-hetzner
# servers for work with ansible.
#
# What it does:
#   secures sshd (according to bettercrypto.org)
#   adds accounts uli/henrik/deploy
#   disables root access
#
# This playbook should be executed as first thing
# after getting your hands over new hardware
#
# It will normally be run with ``ask-pass``
#
- hosts: yet-untouched
  vars:
    deploy_user: 'deploy'
    deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"

  tasks:
    - name: "bootstrap | update authorized key of 'deploy'"
      authorized_key:
        user="{{ deploy_user }}"
        key="{{ deploy_public_key }}"

    - name: "bootstrap | grant sudoers perms to 'deploy'"
      lineinfile:
        dest=/etc/sudoers
        insertafter="^root"
        line="{{ deploy_user }}  ALL=(ALL) NOPASSWD{{ ':' }} ALL"
        state=present

  roles:
    - openssh
    - core