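---
# This ansible-playbook prepares fresh-from-hetzner
# servers for work with ansible.
#
# It should be played as the first thing after getting your hands on new
# hardware.
#
# The documentation for this playbook is in `README.rst`. Please read
# it! Do not run this playbook without having read the README.
#

- hosts: yet-untouched
  become: true

  vars:
    # Keep root login over SSH enabled? Leave this at true until the admin
    # accounts below are active and a login with them has been verified.
    # Only then set it to false and re-run: the "Disable SSH root access"
    # task is skipped for as long as this is true.
    permit_ssh_root: true

    # create hashed passwords like this:
    # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
    #
    # `mypw` then holds the plaintext passphrase followed by its hash; move
    # it somewhere safe and do not leave it in the working tree.
    #
    # NOTE(review): a crypt hash stored in a committed playbook can be
    # guessed offline by anyone with read access to the repository.
    # Consider ansible-vault or a vars file kept out of version control.
    admin_users:
      uli:
        hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1"

  roles:
    - openssh

  handlers:
    # Handler names are matched exactly (case-sensitive) against `notify`.
    - name: "Restart sshd"
      service:
        name: ssh
        enabled: true
        state: restarted

  tasks:
    # One account per key of `admin_users`, added to the `sudo` group.
    # `update_password: on_create` sets the password only when the account
    # is created; changing `hashed_pw` later does not touch an existing
    # account.
    - name: Create admin users
      user:
        name: "{{ item.key }}"
        shell: /bin/bash
        groups: sudo
        password: "{{ item.value.hashed_pw }}"
        update_password: on_create
        state: present
      with_dict: "{{ admin_users }}"

    # make sure this is not run before you can log in otherwise!
    #
    # The regexp matches any active PermitRootLogin line, not only the
    # literal `yes`, so values such as `prohibit-password` are replaced as
    # well. If no active line exists, the setting is inserted at the top of
    # the file, ahead of any `Match` block. `validate` keeps a syntactically
    # broken config from being installed.
    # NOTE(review): files pulled in through an `Include` directive can still
    # override this; confirm the effective value afterwards with
    # `sshd -T | grep -i permitrootlogin`.
    - name: Disable SSH root access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^\s*PermitRootLogin\s'
        line: 'PermitRootLogin no'
        insertbefore: BOF
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      # Must match the handler name above exactly, including case.
      notify: "Restart sshd"
      when: not permit_ssh_root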