initial commit

roles/baseline/tasks/rootuser.yml

@@ -0,0 +1,27 @@
+- name: Set root password
+  ansible.builtin.user:
+    name: root
+    password: "{{ root_password }}"
+
+- name: Ensure ssh directory for root
+  ansible.builtin.file:
+    state: directory
+    path: /root/.ssh
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Set authorized keys for root
+  ansible.builtin.copy:
+    content: "{{ root_sshkeys | join('\n') }}"
+    dest: /root/.ssh/authorized_keys
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Only allow root ssh
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "PermitRootLogin prohibit-password"
+    regexp: "^PermitRootLogin "
+  notify: Restart sshd