fix: add bootstrap for new hosts

README.md

@@ -73,18 +73,34 @@ ansible-playbook -i inventory/hosts.yml playbook.yml \
 --ask-become-pass
 ```
 
-## Target configuration
+## Bootstrapping a new host
 
-Requirements:
+For fresh hosts (only `root` available, no admin user yet):
-
-- sshd up and running
-- public key copied:
 
 ```sh
-ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host
+ansible-playbook playbooks/bootstrap.yml -l <hostname> --ask-pass
 ```
 
-- python3 installed (`pacman -Syu python3`)
+This installs Python and sudo, creates `{{ ansible_user }}` with sudo rights, and copies your local `~/.ssh/id_ed25519.pub`. Supports Arch Linux and Debian/Ubuntu.
+
+To use a different SSH key:
+
+```sh
+ansible-playbook playbooks/bootstrap.yml -l <hostname> --ask-pass \
+  --extra-vars 'bootstrap_ssh_public_key="ssh-ed25519 AAAA..."'
+```
+
+Then set a password for the new user (required for sudo `--ask-become-pass`):
+
+```sh
+ssh root@<hostname> passwd jambon
+```
+
+After that, run the host playbook normally:
+
+```sh
+ansible-playbook playbooks/<hostname>.yml --ask-become-pass
+```
 
 ## Developping
 

playbooks/bootstrap.yml

@@ -0,0 +1,73 @@
+---
+# Bootstrap a fresh host: create the admin user with sudo and SSH access.
+# Run this before any other playbook, when only root access is available:
+#
+#   ansible-playbook playbooks/bootstrap.yml -l somehost
+#
+# After this, run other playbooks normally.
+
+- name: Bootstrap admin user
+  hosts: "{{ target | default('all') }}"
+  gather_facts: false
+  vars:
+    ansible_user: root
+    ansible_become: false
+    # bootstrap_user: jambon
+    # bootstrap_ssh_public_key: "ssh-ed25519 AAAA..."
+  tasks:
+    - name: Detect OS and install python3 + sudo
+      ansible.builtin.raw: |
+        if command -v pacman > /dev/null 2>&1; then
+          pacman -Sy --noconfirm python sudo
+        elif command -v apt-get > /dev/null 2>&1; then
+          apt-get update -qq && apt-get install -y python3 sudo
+        else
+          echo "Unsupported OS" && exit 1
+        fi
+      changed_when: true
+
+    - name: Gather facts
+      ansible.builtin.setup:
+
+    - name: Create admin user
+      ansible.builtin.user:
+        name: "{{ bootstrap_user }}"
+        groups: "{{ 'wheel' if ansible_facts['os_family'] == 'Archlinux' else 'sudo' }}"
+        append: true
+        shell: /bin/bash
+        create_home: true
+        state: present
+
+    - name: Allow sudo group to use sudo (Debian)
+      ansible.builtin.copy:
+        content: "%sudo ALL=(ALL:ALL) ALL\n"
+        dest: /etc/sudoers.d/sudo
+        owner: root
+        group: root
+        mode: "0440"
+        validate: visudo -cf %s
+      when: ansible_facts['os_family'] == 'Debian'
+
+    - name: Allow wheel group to use sudo (Arch)
+      ansible.builtin.copy:
+        content: "%wheel ALL=(ALL:ALL) ALL\n"
+        dest: /etc/sudoers.d/wheel
+        owner: root
+        group: root
+        mode: "0440"
+        validate: visudo -cf %s
+      when: ansible_facts['os_family'] == 'Archlinux'
+
+    - name: Create .ssh directory
+      ansible.builtin.file:
+        path: "/home/{{ bootstrap_user }}/.ssh"
+        state: directory
+        owner: "{{ bootstrap_user }}"
+        group: "{{ bootstrap_user }}"
+        mode: "0700"
+
+    - name: Add SSH authorized key
+      ansible.posix.authorized_key:
+        user: "{{ bootstrap_user }}"
+        key: "{{ bootstrap_ssh_public_key | default(lookup('file', '~/.ssh/id_ed25519.pub')) }}"
+        state: present