WIP: Notes

pi/README.md

@@ -0,0 +1,7 @@
+# Debian Ansible Playbooks
+
+## Wireguard
+
+```bash
+ansible-playbook -i hosts --ask-pass --ask-become-pass pi/pi.yml --extra-vars "hostname="
+```

pi/ansible/hostname/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Set a hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+  become: yes

pi/ansible/openssh/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+# SSH
+- name: Curl SSH trusted CA
+  get_url:
+    url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key
+    dest: /etc/ssh/trusted-user-ca-keys.pem
+    mode: '0660'
+  become: yes
+- name: Create sshd_config file
+  copy:
+    dest: "/etc/ssh/sshd_config"
+    content: |
+      Include /etc/ssh/sshd_config.d/*.conf
+      PasswordAuthentication no
+      ChallengeResponseAuthentication no
+      UsePAM yes
+      KbdInteractiveAuthentication no
+      X11Forwarding yes
+      PrintMotd no
+      AcceptEnv LANG LC_*
+      Subsystem	sftp	/usr/lib/openssh/sftp-server
+      TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+  become: yes
+- name: Ensure ssh service started
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+  become: yes

pi/ansible/reboot/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Return motd to registered var
+  ansible.builtin.command: shutdown -r now
+  become: yes

pi/pi.yml

@@ -0,0 +1,10 @@
+---
+# Run through all tasks to setup machines
+# https://community.frame.work/t/fedora-linux-35-on-the-framework-laptop/6613/10
+- hosts: raspberrypi
+  gather_facts: true
+  order: inventory
+  roles:
+    - role: ansible/openssh
+    - role: ansible/hostname
+    - role: ansible/reboot