---
# Early warning only: nothing is changed here. With no address listed, the parts
# of the SSH configuration that depend on this variable are left out (presumably
# the per-address password-authentication rules in sshd/defaults.j2 — confirm
# in the template).
- name: "Warn when 'evolinux_ssh_password_auth_addresses' is empty"
  when: evolinux_ssh_password_auth_addresses == []
  ansible.builtin.debug:
    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"

# sshd keeps the first value it obtains for each keyword, so the Include has to
# come before any other directive in sshd_config for the fragments dropped into
# sshd_config.d/ (by this role or by anything else) to take precedence.
# NOTE(review): this task notifies "reload ssh" whereas the AllowUsers task
# further down notifies "reload sshd" — confirm both handlers exist, or unify
# the name.
- name: files under /etc/ssh/sshd_config.d are included
  notify: reload ssh
  ansible.builtin.lineinfile:
    path: '/etc/ssh/sshd_config'
    insertbefore: 'BOF'
    # No regexp: an identical Include line anywhere in the file counts as
    # present and nothing is inserted; a differently spelled one is not detected.
    line: "Include /etc/ssh/sshd_config.d/*.conf"

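# Renders the role's sshd defaults as a fragment in sshd_config.d/, pulled in by
# the Include added above. The "z-" prefix matters: the Include glob is expanded
# in lexical order and sshd keeps the first value per keyword, so fragments that
# sort earlier override these defaults.
- name: add SSH server configuration template
  ansible.builtin.template:
    src: sshd/defaults.j2
    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
    mode: "0644"
    # Syntax-check the rendered fragment before it is moved into place, as the
    # AllowUsers task below already does for its fragment; a broken fragment
    # could otherwise leave sshd unable to reload.
    validate: '/usr/sbin/sshd -t -f %s'
  # Without a notify the new defaults are written to disk but sshd keeps running
  # on its previous configuration until some other task triggers a reload.
  notify: reload sshd
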
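# logname(1) prints the login name of the user who opened the controlling
# session (typically the connecting operator, even under become); that name is
# what the AllowUsers task below whitelists. The task name used to say "group",
# which is not what is collected.
# NOTE(review): logname exits non-zero when there is no login session
# (non-interactive or utmp-less connections) — confirm that cannot happen where
# this role runs, because it would fail the play at this task.
- name: "Get current user's login name"
  ansible.builtin.command:
    cmd: logname
  register: logname
  # Read-only lookup; it must also run in check mode because a later task
  # templates logname.stdout into a file.
  changed_when: false
  check_mode: false
  when: evolinux_ssh_allow_current_user | bool
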
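# Looks for an existing AllowUsers directive anywhere under /etc/ssh (main file
# and fragments). rc == 0 means at least one was found; the AllowUsers task
# below keys on rc != 0, so grep's error status (2) is also treated as "none
# found". The anchored pattern only matches a directive at column 0: a
# commented-out "#AllowUsers" is correctly ignored, but an indented one (e.g.
# inside a Match block) is missed as well.
- name: verify AllowUsers directive
  ansible.builtin.command:
    cmd: "grep -ER '^AllowUsers' /etc/ssh"
  register: grep_allowusers_ssh
  # grep's exit status is the result we want, not a task failure, and the
  # lookup is read-only and needed in check mode too.
  failed_when: false
  changed_when: false
  check_mode: false
  when: evolinux_ssh_allow_current_user | bool
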
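# Writes a dedicated fragment whitelisting the connecting user, but only when
# the grep above found no AllowUsers directive anywhere in /etc/ssh.
# NOTE(review): when a directive already exists and does not list this user,
# nothing is added and the operator can end up locked out after the reload —
# a warning or an explicit check would be safer than a silent skip (see the
# TODOs at the end of this file).
- name: "Add AllowUsers sshd directive for current user"
  ansible.builtin.lineinfile:
    # "path" is the canonical option name; "dest" is its alias. Use the same
    # spelling as the Include task above.
    path: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
    # The fragment does not exist on a fresh host; without create, lineinfile
    # refuses to write it. Same mode as the defaults fragment.
    create: true
    mode: "0644"
    line: "AllowUsers {{ logname.stdout }}"
    # Likely a leftover from the days this targeted /etc/ssh/sshd_config itself:
    # a fragment has no Subsystem line, so the directive is simply appended at
    # end of file (the default placement anyway).
    insertafter: 'Subsystem'
    # Syntax check of the fragment before it is moved into place; it cannot
    # tell whether the whitelisted user is the right one.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  # "| bool" matches the other conditions on this flag (a string "False" would
  # otherwise be truthy); "and" short-circuits, so grep_allowusers_ssh, which is
  # unset when the grep task was skipped, is not dereferenced.
  when: evolinux_ssh_allow_current_user | bool and grep_allowusers_ssh.rc != 0
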
# Run the pending "reload ..." handlers now instead of at the end of the play,
# so the new sshd configuration is live before anything that follows.
- name: flush pending handlers so the sshd configuration is applied now
  ansible.builtin.meta: flush_handlers

# TODO check that "Include /etc/ssh/sshd_config.d/*.conf" is present
# TODO if both AllowUsers and AllowGroups are set, add the user to both
# TODO if AllowGroups is set, add the user's group