Enhance Ansible playbooks and documentation for Debian and Proxmox management. Add new playbooks for Debian hardening, maintenance, SSH key rotation, and Proxmox cluster setup. Update README.md with quick start instructions for Debian and Proxmox operations. Modify group_vars to include Argo CD application settings, improving deployment flexibility and clarity.

2026-04-01 01:19:50 -04:00
parent 89be30884e
commit c15bf4d708
33 changed files with 682 additions and 5 deletions
--- a/ansible/roles/debian_ssh_key_rotation/tasks/main.yml
+++ b/ansible/roles/debian_ssh_key_rotation/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Validate SSH key rotation inputs
+  ansible.builtin.assert:
+    that:
+      - item.name is defined
+      - item.home is defined
+      - (item.state | default('present')) in ['present', 'absent']
+      - (item.state | default('present')) == 'absent' or (item.keys is defined and item.keys | length > 0)
+    fail_msg: >-
+      Each entry in debian_ssh_rotation_users must include name, home, and either:
+      state=absent, or keys with at least one SSH public key.
+  loop: "{{ debian_ssh_rotation_users }}"
+  loop_control:
+    label: "{{ item.name | default('unknown') }}"
+
+- name: Ensure ~/.ssh exists for managed users
+  ansible.builtin.file:
+    path: "{{ item.home }}/.ssh"
+    state: directory
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: "0700"
+  loop: "{{ debian_ssh_rotation_users }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: (item.state | default('present')) == 'present'
+
+- name: Rotate authorized_keys for managed users
+  ansible.builtin.copy:
+    dest: "{{ item.home }}/.ssh/authorized_keys"
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: "0600"
+    content: |
+      {% for key in item.keys %}
+      {{ key }}
+      {% endfor %}
+  loop: "{{ debian_ssh_rotation_users }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: (item.state | default('present')) == 'present'
+
+- name: Remove authorized_keys for users marked absent
+  ansible.builtin.file:
+    path: "{{ item.home }}/.ssh/authorized_keys"
+    state: absent
+  loop: "{{ debian_ssh_rotation_users }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: (item.state | default('present')) == 'absent'