From 6335b7735afa67474e21529f8b0109b574e8bca8 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 13:31:24 +0000 Subject: [PATCH 1/9] Makes installation of Ansible optional (default: no) and installs additional python libraries (#2) Fixed accidental change of default update_hostname behaviour Makes installation of Ansible optional (default: no) and installs additional python libraries Co-authored-by: Jan Beilicke --- README.md | 6 ++++-- defaults/main.yml | 6 +++++- tasks/main.yml | 8 +++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3ca7ab7..e1d11fe 100644 --- a/README.md +++ b/README.md @@ -12,16 +12,18 @@ Role Variables Defaults: ``` -hostname: {{ inventory_hostname }} -update_hostname: no +hostname: "{{ inventory_hostname }}" +update_hostname: yes locales_gen: - en_US.UTF-8 - de_DE.UTF-8 locales_default: de_DE.UTF-8 +x11_keymap: de users: - vagrant sudoers: - vagrant +enable_ansible: no # Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 # Allow sudo with a password (applied to group sudo) diff --git a/defaults/main.yml b/defaults/main.yml index 3b7f2fd..fb6f250 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- # defaults file for common -hostname: '{{ inventory_hostname }}' +hostname: "{{ inventory_hostname }}" update_hostname: yes locales_gen: - en_US.UTF-8 @@ -11,6 +11,10 @@ users: - vagrant sudoers: - vagrant +enable_ansible: no +# Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 +# Allow sudo with a password (applied to group sudo) enable_sudo: yes +# Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index cd239a5..14d5ca8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -32,6 +32,8 @@ vars: packages: - python-pip + - python-setuptools + - python-virtualenv - htop - tmux become: yes 
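Review bot: `enable_ansible: no` in the defaults/main.yml hunk is a YAML 1.1 truthy word, and later patches in this series write `false`/`true` into the same file (`authorized_keys_are_exclusive: false` in patch 6), so the defaults end up with mixed boolean spellings; write `enable_ansible: false` here and in the README block and keep one spelling file-wide (yamllint `truthy`). The same applies to `skip_firewall: no` in patch 4 and to `enable_ssh_for_root: yes` / `enable_ssh_for_root_prohibit_password: no` in patch 8. The task whose `packages` list the tasks/main.yml hunk extends starts outside the hunk.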
@@ -44,6 +46,9 @@ #update_cache: yes vars: packages: + - python-pip + - python-setuptools + - python-virtualenv - apt-transport-https - htop - tmux @@ -52,4 +57,5 @@ - name: Install Ansible pip: - name: ansible=={{ ensure_ansible_version }} \ No newline at end of file + name: ansible=={{ ensure_ansible_version }} + when: enable_ansible \ No newline at end of file From 01d8b7e3dcb77c68dbcd7d93cef06e6058f3860d Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 28 Mar 2022 21:20:13 +0200 Subject: [PATCH 2/9] Python3 for Debian --- tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7958429..5fda08b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -46,9 +46,9 @@ #update_cache: yes vars: packages: - - python-pip - - python-setuptools - - python-virtualenv + - python3-pip + - python3-setuptools + - python3-virtualenv - apt-transport-https - htop - tmux From 2f9c04c49f099b74d491d0650d7d159fb50a14ab Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 28 Mar 2022 21:43:19 +0200 Subject: [PATCH 3/9] Adds some meta information --- README.md | 3 ++- meta/main.yml | 10 ++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e1d11fe..b96285e 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,8 @@ Example Playbook License ------- -MIT +- BSD-3-Clause +- MIT Author Information ------------------ diff --git a/meta/main.yml b/meta/main.yml index 3a212a9..9b1bb07 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ galaxy_info: - author: your name - description: your description - company: your company (optional) + author: jotbe + description: Common packages and configuration + company: "" # If the issue tracker for your role is not on github, uncomment the # next line and provide a value 
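Review bot: `when: enable_ansible` on the `Install Ansible` task tests the raw variable, so a value that arrives as a string (`-e enable_ansible=no` or an INI inventory entry) is a non-empty string and truthy, and Ansible gets installed despite the documented opt-in; write `when: enable_ansible | bool`, as patches 7 and 8 already do with `| bool`. The same defect is in patch 4, where `when: not skip_firewall` on the geerlingguy.firewall import makes the string `no` skip the firewall role — the fail-open direction for a hardening step — and should read `when: not (skip_firewall | bool)`. The task is the last one in tasks/main.yml and the file still ends without a newline on both sides of the hunk.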
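Review bot: Only the package list at line 46 moves to `python3-pip`/`python3-setuptools`/`python3-virtualenv`; the list at line 32, which patch 1 extended with the same Python 2 names (`python-pip`, `python-setuptools`, `python-virtualenv`), is untouched. If that block also targets a Debian-family release the Python 2 packages are no longer installable and the task fails; if it targets another platform, a comment naming that platform above each list would make the split deliberate. The task enclosing the changed list starts outside the hunk.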
@@ -14,7 +14,9 @@ galaxy_info: # - GPL-3.0-only # - Apache-2.0 # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) + license: + - BSD-3-Clause + - MIT min_ansible_version: 2.4 From 1cbbba0dea4492e7623f63e0b75bb426ea50f4f5 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 4 Apr 2022 21:31:45 +0200 Subject: [PATCH 4/9] Allows to skip provisioning of the firewall --- README.md | 2 ++ defaults/main.yml | 4 +++- tasks/main.yml | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b96285e..34a797a 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,8 @@ ensure_ansible_version: 2.10.3 enable_sudo: yes # Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes +# Skip provisioning of the firewall +skip_firewall: no ``` Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index fb6f250..f2478f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,4 +17,6 @@ ensure_ansible_version: 2.10.3 # Allow sudo with a password (applied to group sudo) enable_sudo: yes # Allow passwordless sudo (applied to group wheel) -enable_passwordless_sudo: yes \ No newline at end of file +enable_passwordless_sudo: yes +# Skip provisioning of the firewall +skip_firewall: no \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 5fda08b..4cd7e7a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,6 +12,7 @@ import_role: name: geerlingguy.firewall tags: firewall + when: not skip_firewall - include: locales-debian.yml become: true From 0eb60eb1874783d4f3e1066e795755a8fb03c0f3 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 4 Apr 2022 22:05:35 +0200 Subject: [PATCH 5/9] Do not set locales if in chroot environment (localectl not supported in chroot) --- tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4cd7e7a..8935201 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
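Review bot: defaults/main.yml still ends without a final newline after this hunk (`skip_firewall: no` is followed by `\ No newline at end of file`), so every later edit to the tail of the file — patch 6 and patch 8 in this series, as patch 1 before it — has to rewrite the previous last line only to reproduce the condition, and each tail diff is larger than the actual change. Add the trailing newline once; tasks/main.yml after patch 1 and handlers/main.yml after patch 8 carry the same marker.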
@@ -16,7 +16,9 @@ - include: locales-debian.yml become: true - when: ansible_facts['os_family'] == 'Debian' + when: + - ansible_facts['os_family'] == 'Debian' + - not ansible_is_chroot - include: users.yml become: true From 0a845c7097da023a9296fec098d4f10778cba5d5 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:30:14 +0100 Subject: [PATCH 6/9] Fixes merge conflicts --- defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f2478f4..d8197fa 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,4 +19,5 @@ enable_sudo: yes # Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes # Skip provisioning of the firewall -skip_firewall: no \ No newline at end of file +skip_firewall: no +authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target! From ef9cfb8ced51987b316204d1e3909ae69c05cd03 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:25:53 +0100 Subject: [PATCH 7/9] Adds option to make authorized_keys exclusive (default: false) --- tasks/users.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/users.yml b/tasks/users.yml index 3789a05..8dfd11a 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -44,8 +44,9 @@ user: "{{ item }}" state: present key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}" + exclusive: "{{ authorized_keys_are_exclusive | bool }}" with_items: "{{ users }}" - ignore_errors: yes + ignore_errors: true - block: - name: 'Ensure that wheel group is existing' From 177ba579e9fd4d321a1708181d8999849610a625 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 11 Dec 2023 18:36:27 +0100 Subject: [PATCH 8/9] Disables SSH access for root on demand --- defaults/main.yml | 6 +++++- handlers/main.yml | 7 ++++++- tasks/users.yml | 34 +++++++++++++++++++++++++++++++++- 3 files changed, 44 insertions(+), 3 deletions(-) 
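Review bot: `not ansible_is_chroot` uses the legacy top-level fact variable, which only exists while `inject_facts_as_vars` is enabled, whereas the line above it reads `ansible_facts['os_family']` from the facts dict; use `- not ansible_facts['is_chroot']` so both conditions read the same source. Both lines also presume facts were gathered — with `gather_facts: false` the include fails on an undefined variable instead of skipping — which is worth one comment above the `when:`.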
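Review bot: `authorized_keys_are_exclusive` is added to the role defaults but not to the README `Defaults:` block, which patches 1 and 4 kept in step with defaults/main.yml; add `authorized_keys_are_exclusive: false` together with its warning there, since a caller who turns it on from the name alone wipes every non-managed key from the affected users. Patch 8 has the same gap for `enable_ssh_for_root` and `enable_ssh_for_root_prohibit_password`.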
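Review bot: `exclusive` is wired into an `authorized_key` task that keeps `ignore_errors: true` (only re-spelled here), so a missing `public_keys/id_<user>.pub` or an unwritable home directory leaves that user's key state unknown while the play reports success; now that exclusive mode is configurable, a failed key deployment is worth surfacing — drop `ignore_errors` or narrow it with `failed_when`. The task loops over `users`, so exclusivity is applied per user, which is the intended scope. The task starts outside the hunk.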
diff --git a/defaults/main.yml b/defaults/main.yml
index d8197fa..9f87a85 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -18,6 +18,10 @@ ensure_ansible_version: 2.10.3
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
 enable_passwordless_sudo: yes
+# Allow root to connect through SSH
+enable_ssh_for_root: yes
+# Allow root to connect only using public key authentication, no password
+enable_ssh_for_root_prohibit_password: no
 # Skip provisioning of the firewall
 skip_firewall: no
-authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!
+authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
index c6a8f0c..d4fec81 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,7 @@
 ---
-# handlers file for common
\ No newline at end of file
+# handlers file for common
+- name: Restart SSH
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
+ become: true
\ No newline at end of file
diff --git a/tasks/users.yml b/tasks/users.yml
index 8dfd11a..854c96c 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
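Review bot: With the new defaults `enable_ssh_for_root: yes` and `enable_ssh_for_root_prohibit_password: no`, the tasks/users.yml hunk of this patch writes `PermitRootLogin Yes` on every host the role touches, which turns password logins for root back on where OpenSSH's own default since 7.0 is `prohibit-password`; applying the role with no variables set therefore weakens a host instead of leaving it as found. Default to the upstream behaviour — `enable_ssh_for_root_prohibit_password: yes`, or `enable_ssh_for_root: no` — or make management of `PermitRootLogin` opt-in. The comment on the second variable should also state that it is only consulted when `enable_ssh_for_root` is true.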
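Review bot: `name: ssh` in the new `Restart SSH` handler is the Debian/Ubuntu unit name; on RHEL-family systems and FreeBSD the service is `sshd`, and the role elsewhere allows for FreeBSD (`/usr/local/etc/sudoers  # e.g. FreeBSD` in tasks/users.yml), so the handler fails there after sshd_config has already been rewritten. Take the name from a variable such as `ssh_service_name` defaulting to `ssh`, or choose it by `ansible_facts['os_family']`. `state: reloaded` is sufficient for an sshd_config change and is the gentler choice for a handler that runs on every managed host.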
@@ -72,6 +72,38 @@ files: - /etc/sudoers - /usr/local/etc/sudoers # e.g. FreeBSD + + - name: 'Disable SSH for root' + lineinfile: + dest: "/etc/ssh/sshd_config" + state: present + regexp: '^#?\s*PermitRootLogin' + line: 'PermitRootLogin No' + notify: Restart SSH + when: + - enable_ssh_for_root | bool == false + + - name: 'Enable SSH for root through password or key' + lineinfile: + dest: "/etc/ssh/sshd_config" + state: present + regexp: '^#?\s*PermitRootLogin' + line: 'PermitRootLogin Yes' + notify: Restart SSH + when: + - enable_ssh_for_root | bool == true + - enable_ssh_for_root_prohibit_password | bool == false + + - name: 'Enable SSH for root through key only' + lineinfile: + dest: "/etc/ssh/sshd_config" + state: present + regexp: '^#?\s*PermitRootLogin' + line: 'PermitRootLogin prohibit-password' + notify: Restart SSH + when: + - enable_ssh_for_root | bool == true + - enable_ssh_for_root_prohibit_password | bool == true when: - enable_sudo - enable_passwordless_sudo @@ -83,4 +115,4 @@ mode: 0644 owner: "{{ item }}" group: "{{ item }}" - with_items: "{{ users }}" \ No newline at end of file + with_items: "{{ users }}" From 3bbc6bb2cf5c142ee63579e5dc8361788117a79b Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 11 Dec 2023 19:13:31 +0100 Subject: [PATCH 9/9] Adds user list in variable docker_users to docker group --- tasks/users.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/users.yml b/tasks/users.yml index 854c96c..ef846f0 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -11,6 +11,14 @@ groups: users with_items: "{{ users }}" +- name: 'Add docker users' + user: + name: "{{ item }}" + groups: docker + append: yes + with_items: "{{ docker_users }}" + when: docker_users | count + - block: - name: 'Ensure that sudo group is existing' group:
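Review bot: The three `PermitRootLogin` tasks are added inside the `- block:` that patch 7 shows opening at line 52 (`Ensure that wheel group is existing`), and the context lines directly after them, `when: - enable_sudo - enable_passwordless_sudo`, are that block's condition — so `enable_ssh_for_root: no` does nothing on a host where passwordless sudo is disabled, and the sudo flags silently decide whether sshd gets hardened; indentation is not recoverable from this rendering, so confirm, but the hunk's line numbers support it, and the block itself starts outside the hunk. Move the tasks after the block, and because the edit is followed by `Restart SSH`, give `lineinfile` a `validate: '/usr/sbin/sshd -t -f %s'` so a malformed line cannot leave sshd down. On recent Debian/Ubuntu sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and the first `PermitRootLogin` read wins, so a drop-in there overrides whatever this task writes, and a `Match` block containing the keyword would also satisfy the regexp; both deserve a comment on the task. The version below also folds the three tasks into one so the value is computed in one place.

```yaml
# … unchanged: wheel/sudoers block, closed by its `when:` on enable_sudo / enable_passwordless_sudo …

- name: 'Configure PermitRootLogin'
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: '^#?\s*PermitRootLogin'
    line: "PermitRootLogin {{ permit_root_login }}"
    validate: '/usr/sbin/sshd -t -f %s'
  vars:
    permit_root_login: >-
      {{ 'no' if not (enable_ssh_for_root | bool)
         else ('prohibit-password' if (enable_ssh_for_root_prohibit_password | bool)
         else 'yes') }}
  notify: Restart SSH
```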
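Review bot: `when: docker_users | count` does not skip when `docker_users` is undefined — it raises an undefined-variable error — and no default for it appears in any defaults/main.yml hunk of this series, so every existing caller of the role breaks unless it now sets the variable; write `with_items: "{{ docker_users | default([]) }}"` with `when: docker_users | default([]) | length > 0`, or add `docker_users: []` to defaults. Membership of the `docker` group is equivalent to root on the host, which deserves a comment next to that default (the `authorized_keys_are_exclusive` line in patch 6 sets the precedent), and `append: yes` is another truthy spelling to normalise. The `user` module also fails when the `docker` group does not exist, so either require the docker role to run first or guard on the group being present.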