Alevsk/add-public-keys.yaml

## add-public-keys.yaml
- hosts: "{{ HOSTS }}"
  name: Install authentication keys and certificates
  become: yes
  tasks:

    - name: install public keys
      register: pub_keys_installed
      ansible.posix.authorized_key:
        exclusive: yes
        user: "{{ ansible_user }}"
        state: present
        key: "{{ lookup('pipe','cat ~/.ssh/id_ecdsa_sk-*.pub') }}"

    - name: add user to sudoers list
      lineinfile:
        path: "/etc/sudoers.d/{{ ansible_user }}"
        line: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
        state: present
        mode: 0440
        create: yes
        validate: 'visudo -cf %s'

    - name: install local certificate authority certs
      copy:
        src: /usr/local/share/ca-certificates/network.lan.ca.crt
        dest: /usr/local/share/ca-certificates/network.lan.ca.crt

    - name: set timezone to America/Los_Angeles
      community.general.timezone:
        name: "America/Los_Angeles"

    - name: Install additional tools
      ansible.builtin.apt:
        name:
          - ca-certificates
        state: latest
        update_cache: true

    - name: Update certificates index
      shell: /usr/sbin/update-ca-certificates

    - name: Disable root login over SSH
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        state: "present"
        validate: 'sshd -t -f %s'

    - name: Disable password login over SSH
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: "present"
        validate: 'sshd -t -f %s'
      notify:
        - restart ssh

  handlers:
  - name: restart ssh
    service:
      name: ssh
      state: restarted
	- hosts: "{{ HOSTS }}"
	name: Install authentication keys and certificates
	become: yes
	tasks:

	- name: install public keys
	register: pub_keys_installed
	ansible.posix.authorized_key:
	exclusive: yes
	user: "{{ ansible_user }}"
	state: present
	key: "{{ lookup('pipe','cat ~/.ssh/id_ecdsa_sk-*.pub') }}"

	- name: add user to sudoers list
	lineinfile:
	path: "/etc/sudoers.d/{{ ansible_user }}"
	line: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
	state: present
	mode: 0440
	create: yes
	validate: 'visudo -cf %s'

	- name: install local certificate authority certs
	copy:
	src: /usr/local/share/ca-certificates/network.lan.ca.crt
	dest: /usr/local/share/ca-certificates/network.lan.ca.crt

	- name: set timezone to America/Los_Angeles
	community.general.timezone:
	name: "America/Los_Angeles"

	- name: Install additional tools
	ansible.builtin.apt:
	name:
	- ca-certificates
	state: latest
	update_cache: true

	- name: Update certificates index
	shell: /usr/sbin/update-ca-certificates

	- name: Disable root login over SSH
	lineinfile:
	path: "/etc/ssh/sshd_config"
	regexp: "^PermitRootLogin"
	line: "PermitRootLogin no"
	state: "present"
	validate: 'sshd -t -f %s'

	- name: Disable password login over SSH
	lineinfile:
	path: "/etc/ssh/sshd_config"
	regexp: "^PasswordAuthentication"
	line: "PasswordAuthentication no"
	state: "present"
	validate: 'sshd -t -f %s'
	notify:
	- restart ssh

	handlers:
	- name: restart ssh
	service:
	name: ssh
	state: restarted