Diffstat (limited to 'rpi-base')
| -rw-r--r-- | rpi-base/defaults/main.yaml | 17 | ||||
| -rw-r--r-- | rpi-base/files/jail.local | 10 | ||||
| -rw-r--r-- | rpi-base/handlers/main.yaml | 5 | ||||
| -rw-r--r-- | rpi-base/tasks/main.yml | 77 | ||||
| -rw-r--r-- | rpi-base/templates/010_admin-nopasswd | 1 | ||||
| -rw-r--r-- | rpi-base/templates/wpa_supplicant.conf.j2 | 14 |
6 files changed, 124 insertions, 0 deletions
diff --git a/rpi-base/defaults/main.yaml b/rpi-base/defaults/main.yaml
new file mode 100644
index 0000000..737798b
--- /dev/null
+++ b/rpi-base/defaults/main.yaml
@@ -0,0 +1,17 @@
+---
+
+rpi_base_enable_wifi: True
+rpi_base_timezone: "America/Chicago"
+rpi_base_log_size: "100M"
+rpi_base_apt_packages:
+ - "avahi-daemon"
+ - "log2ram"
+ - "fail2ban"
+ - "unattended-upgrades"
+ - "emacs-nox"
+ - "htop"
+ - "jq"
+ - "tree"
+ - "iperf3"
+ - "python3-pip"
+ - "unzip"
diff --git a/rpi-base/files/jail.local b/rpi-base/files/jail.local
new file mode 100644
index 0000000..a5cabc4
--- /dev/null
+++ b/rpi-base/files/jail.local
@@ -0,0 +1,10 @@
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+bantime = 900
+banaction = iptables-allports
+findtime = 900
+maxretry = 3
diff --git a/rpi-base/handlers/main.yaml b/rpi-base/handlers/main.yaml
new file mode 100644
index 0000000..7d9c45e
--- /dev/null
+++ b/rpi-base/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+
+- name: restart log2ram service
+ systemd: name="log2ram" state="restarted" daemon_reload="yes"
+ become: yes
diff --git a/rpi-base/tasks/main.yml b/rpi-base/tasks/main.yml
new file mode 100644
index 0000000..185e55b
--- /dev/null
+++ b/rpi-base/tasks/main.yml
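Review bot: Four variables the role reads are never declared in this defaults file — `admin_user_name`, `admin_user_password` and `github_user` in tasks/main.yml and `wpa_networks` in templates/wpa_supplicant.conf.j2 — so a consumer only learns about them when a task fails; a comment block at the top of the file listing them as required inputs would document the role's contract. `rpi_base_enable_wifi: True` should be the canonical lowercase `true`, and the same applies to `become: yes`, `append: yes` and `daemon_reload="yes"` in handlers/main.yaml and tasks/main.yml, which yamllint's truthy rule flags and which only read as booleans under YAML 1.1 semantics.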
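Review bot: The section is named `[ssh]` instead of enabling the stock `[sshd]` jail, so it is a separate jail whose only log source is the hard-coded `logpath = /var/log/auth.log`; on an image where authentication messages go only to the journal and rsyslog is not installed, that file does not exist and, as far as I can tell, fail2ban will refuse to start the jail. Nothing in this role's package list guarantees rsyslog, so either switch the jail to `backend = systemd` (which drops the logpath dependency) or record the rsyslog requirement in a comment above the section. A `[DEFAULT]` section with `ignoreip` for the management network is also worth considering so the Ansible control node cannot ban itself for the 900 s bantime.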
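Review bot: `systemd: name="log2ram" state="restarted" daemon_reload="yes"` packs the module arguments into a key=value string, a style Ansible's lint rules discourage in favour of native YAML mapping arguments; the same shorthand appears throughout tasks/main.yml (`apt:`, `apt_key:`, `apt_repository:`, `timezone:`, `template:`, `copy:`, `authorized_key:`). Written as a mapping the handler reads `systemd:` / `  name: log2ram` / `  state: restarted` / `  daemon_reload: true`. Using the fully qualified `ansible.builtin.systemd` module name as well keeps the role unambiguous once collections are involved.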
@@ -0,0 +1,77 @@
+---
+
+- name: turn swap off
+ become: yes
+ command: "swapoff -a"
+ changed_when: false
+
+- name: remove swap apt package
+ become: yes
+ apt: state="absent" name="dphys-swapfile"
+
+- name: add log2ram apt key
+ become: yes
+ apt_key: url="https://azlux.fr/repo.gpg.key"
+
+- name: add log2ram apt repo
+ become: yes
+ apt_repository: repo="deb http://packages.azlux.fr/debian/ buster main"
+
+- name: set timezone
+ become: yes
+ timezone: name="{{rpi_base_timezone}}"
+
+- name: setup wifi
+ become: yes
+ template: src="wpa_supplicant.conf.j2" dest="/etc/wpa_supplicant/wpa_supplicant.conf" mode="0600"
+
+- name: update apt package cache
+ become: yes
+ apt: upgrade="dist" autoremove="yes" autoclean="yes" update_cache="yes" cache_valid_time="3600"
+
+- name: install extra apt packages
+ become: yes
+ apt: name="{{rpi_base_apt_packages}}" state="latest"
+
+- name: configure log2ram disk size
+ become: yes
+ lineinfile:
+ path: "/etc/log2ram.conf"
+ regexp: "^SIZE="
+ line: "SIZE={{rpi_base_log_size}}"
+ notify: restart log2ram service
+
+- name: configure fail2ban
+ become: yes
+ copy: src="jail.local" dest="/etc/fail2ban/jail.local"
+
+- name: add users
+ become: yes
+ user:
+ name: "{{admin_user_name}}"
+ password: "{{admin_user_password}}"
+ groups: "sudo,users"
+ shell: "/bin/bash"
+ append: yes
+
+- name: authorize admin ssh keys
+ become: yes
+ authorized_key: user="{{admin_user_name}}" key="https://github.com/{{github_user}}.keys"
+
+- name: authorize ssh keys
+ become: yes
+ authorized_key: user="{{ansible_user}}" key="https://github.com/{{github_user}}.keys"
+
+- name: nopasswd sudo for admin user
+ become: yes
+ template:
+ src: "010_admin-nopasswd"
+ dest: "/etc/sudoers.d/010_admin-nopasswd"
+
+- name: disable ssh password login
+ become: yes
+ lineinfile:
+ path: "/etc/ssh/sshd_config"
+ regexp: "^PasswordAuthentication"
+ insertafter: "^#PasswordAuthentication"
+ line: "PasswordAuthentication no"
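Review bot: `password: "{{admin_user_password}}"` in the add users task hands the variable to the `user` module unchanged, and that module stores what it receives as the already-hashed shadow field, so a plaintext secret yields an account nobody can log into while the plaintext itself ends up in /etc/shadow; use `password: "{{ admin_user_password | password_hash('sha512') }}"` together with `update_password: on_create` so the random salt does not report a change on every run. The disable ssh password login task edits sshd_config with no `notify`, and the handlers file in this commit only restarts log2ram, so the running sshd keeps accepting passwords until something else restarts it — add a `restart ssh` handler, notify it from this task, and give the lineinfile `validate: "sshd -t -f %s"` so a bad edit cannot lock the host out. Both `authorized_key` tasks fetch `https://github.com/{{github_user}}.keys` at run time, so whichever keys that GitHub account lists at that moment become a login for a user with NOPASSWD sudo; pinning the expected public keys in a role variable, or at minimum a comment on the task recording that trust dependency, is warranted. The `apt_key` task takes the azlux signing key by URL alone; supplying its fingerprint via `id: <EXPECTED_KEY_ID>` makes the module verify what it downloaded, and the hard-coded `buster` in the `apt_repository` line could use `{{ ansible_distribution_release }}`.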
diff --git a/rpi-base/templates/010_admin-nopasswd b/rpi-base/templates/010_admin-nopasswd
new file mode 100644
index 0000000..5b76b5d
--- /dev/null
+++ b/rpi-base/templates/010_admin-nopasswd
@@ -0,0 +1 @@
+{{admin_user_name}} ALL=(ALL) NOPASSWD: ALL
diff --git a/rpi-base/templates/wpa_supplicant.conf.j2 b/rpi-base/templates/wpa_supplicant.conf.j2
new file mode 100644
index 0000000..c1312d0
--- /dev/null
+++ b/rpi-base/templates/wpa_supplicant.conf.j2
@@ -0,0 +1,14 @@
+# {{ansible_managed}}
+
+country=US
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+{% for network in wpa_networks %}
+
+network={
+ ssid="{{network.ssid}}"
+ psk="{{network.psk}}"
+ disabled={% if rpi_base_enable_wifi %}0{% else %}1{% endif %}
+
+}
+{% endfor %}
|
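Review bot: The rendered rule `{{admin_user_name}} ALL=(ALL) NOPASSWD: ALL` is installed by the nopasswd sudo for admin user task in tasks/main.yml without any validation, and a sudoers.d drop-in with a syntax error (an empty or whitespace-containing `admin_user_name` would likely be enough) makes sudo reject every command on the host; that task should carry `validate: "visudo -cf %s"` and `mode: "0440"`, the permissions sudo expects for drop-in files. A leading comment such as `# {{ ansible_managed }} - passwordless root for the role's admin user` would also mark the file as generated, matching what wpa_supplicant.conf.j2 already does.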
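Review bot: `country=US` is hard-coded while the timezone next to it in the same commit is a role default, so a deployment outside the US has to override the whole template; a default such as `rpi_base_wifi_country` rendered as `country={{ rpi_base_wifi_country }}` keeps the regulatory domain configurable. The template also fails to render when `wpa_networks` is undefined even though wifi can be switched off through `rpi_base_enable_wifi`; `{% for network in wpa_networks | default([]) %}` lets the loop tolerate that case. Since `psk="{{network.psk}}"` writes the passphrase in clear, it is worth documenting in a comment that the 64-hex derived key (unquoted `psk=`) may be supplied instead of the passphrase; the 0600 mode set by the rendering task is the right protection for the file either way.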
