Reorganize provision playbook

Split server-specific configs out into server role

Add symlink to roles for playbook directory

roles/server/files/wheel-group-no-sudo-password

@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD: ALL

roles/server/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: restart-sshd
+  become: true
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted

roles/server/tasks/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: Configure sudoers file
+  ansible.builtin.import_tasks: sudoers.yaml
+
+- name: Configure SSH server
+  ansible.builtin.import_tasks: sshd.yaml

roles/server/tasks/sshd.yaml

@@ -0,0 +1,44 @@
+---
+- name: Configure SSH authentication settings
+  become: true
+  ansible.builtin.replace:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regex }}"
+    replace: "{{ item.value }}"
+  notify: [restart-sshd]
+  loop:
+    - name: disable root login
+      regex: "^.*PermitRootLogin (yes|no).*$"
+      value: PermitRootLogin no
+    - name: disable password auth
+      regex: "^.*PasswordAuthentication (yes|no).*$"
+      value: PasswordAuthentication no
+    - name: disable challenge response auth
+      regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
+      value: ChallengeResponseAuthentication no
+    - name: disable GSSAPI auth
+      regex: "^.*GSSAPIAuthentication (yes|no).*$"
+      value: GSSAPIAuthentication no
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: Disable dynamic MOTD on debian systems
+  when: ansible_os_family == "Debian"
+  ansible.builtin.replace:
+    path: /etc/pam.d/sshd
+    regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
+    replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"
+
+- name: Disable Cockpit activation message on Rocky
+  when: ansible_distribution == "Rocky"
+  become: true
+  ansible.builtin.file:
+    path: /etc/motd.d/cockpit
+    state: absent
+
+- name: Copy MOTD to remote
+  become: true
+  ansible.builtin.template:
+    src: motd.j2
+    dest: /etc/motd
+    mode: 0644

roles/server/tasks/sudoers.yaml

@@ -0,0 +1,30 @@
+---
+- name: Disable sudo password for WHEEL group
+  when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
+  become: true
+  ansible.builtin.copy:
+    src: wheel-group-no-sudo-password
+    dest: /etc/sudoers.d/30-wheel
+    owner: root
+    group: "{{ ansible_user }}"
+    mode: 0644
+
+# Note that the cleanup tasks need to be after the new installation tasks
+# since one or more files being cleaned up might be being relied on to
+# allow ansible access
+- name: Fetch content of sudoers config directory
+  become: true
+  changed_when: false
+  ansible.builtin.command:
+    cmd: /usr/bin/ls /etc/sudoers.d/
+  register: _sudoers_files_raw
+
+- name: Remove legacy sudoers config files
+  when: item.strip() not in ["30-wheel"]
+  become: true
+  ansible.builtin.file:
+    path: /etc/sudoers.d/{{ item.strip() }}
+    state: absent
+  loop: "{{ _sudoers_files_raw.stdout.split(' ') }}"
+  loop_control:
+    label: "/etc/sudoers.d/{{ item.strip() }}"

roles/server/templates/motd.j2

@@ -0,0 +1,11 @@
+
+      ////////  ///   ///  ///  ///   ///   ///////   //////
+    ///        ///   ///  ///  ///   ///  ///   ///  ///  ///
+   ///        ////////   ///////    ///  /////////  ///////
+   ///////   ///   ///   ///       ///  ///   ///  ///  ///
+       ///  ///    ///   /////    ///  ///   ///  ///////
+      ///  *******************   ///  ********************
+ //////                         /////////
+
+ > {{ skylab_description }} @{{ skylab_location }}
+ {{ '' }}