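---
# This ansible-playbook prepares fresh-from-hetzner
# servers for work with ansible.
#
# It should be played as the first thing after getting your hands on new
# hardware.
#
# The documentation for this playbook is in `README.rst`. Please read
# it! Do not run this playbook without having read the README.
#
# Lock-out warning: the two SSH hardening tasks at the end of this play
# disable root login and require public-key authentication. Running them
# before a working admin account with an authorized key exists cuts off
# all access to the box. Keep `permit_ssh_root: true` until that account
# has been verified from a second session.
- hosts: yet_untouched
  become: true
  vars:
    # Enable root access via SSH? Set to false only once the admin user
    # accounts are active and key-based login as one of them has been
    # tested.
    permit_ssh_root: false
    # Allow the admin users below to become root w/o entering a password?
    # Not referenced by the tasks in this file -- presumably consumed by
    # the `openssh` role or a sudoers template; confirm before relying on it.
    permit_become_root_no_password: true
    # Create the accounts listed in `admin_users`? The "Create admin users"
    # task below tests this exact variable name.
    create_admin_user: false
    # create hashed passwords like this:
    # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
    # Do not commit real hashes in clear text; keep them in an
    # ansible-vault encrypted vars file and reference them from here.
    admin_users: {}
    # uli:
    #   hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"
  roles:
    - openssh
  handlers:
    # Every `notify:` below must spell this name exactly as written here.
    - name: Restart sshd
      service:
        name: ssh
        enabled: true
        state: restarted
  tasks:
    - name: Create admin users
      # Gate on the variable that is actually declared in `vars`
      # (`create_admin_user`); the play previously tested an undefined
      # `create_admin_users`.
      when: create_admin_user
      user:
        name: "{{ item.key }}"
        shell: /bin/bash
        groups: sudo
        # Keep whatever groups an existing account already has; without
        # `append`, a re-run would reduce the account to `sudo` only.
        append: true
        password: "{{ item.value.hashed_pw }}"
        # Only set the password when the account is created, so re-runs
        # never overwrite a password the user has since changed.
        update_password: on_create
        state: present
      with_dict: "{{ admin_users }}"

    - name: Disable SSH root access
      # Make sure this is not run before you can log in otherwise!
      # The regexp matches the directive whether its current value is
      # `yes`, `prohibit-password` or it is commented out, so the setting
      # is enforced instead of being silently skipped when the file does
      # not contain the literal line `PermitRootLogin yes`.
      # lineinfile edits the last match only; a `PermitRootLogin` inside
      # a `Match` block would need its own task.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin\s'
        line: 'PermitRootLogin no'
        state: present
        # Refuse to write a config sshd cannot parse; a broken sshd_config
        # followed by the restart handler is a lock-out.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd
      when: not permit_ssh_root

    - name: Require public-key authentication for SSH
      # Make sure this is not run before the admin users have their
      # public keys installed -- password logins stop working here.
      # Anchored regexp so an existing `AuthenticationMethods` line is
      # replaced rather than duplicated.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?AuthenticationMethods\s'
        line: 'AuthenticationMethods publickey'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd
      when: not permit_ssh_root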