Adds a bunch of checks for ubuntu to evolinux-base and evolinux-users
This feels a bit hacky, but it's the best I could come up with on short notice
parent
9d8d0776d7
commit
c45ac84334
|
@ -13,7 +13,7 @@
|
|||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "evolix" group can't login with password from other IP addresses
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
|
@ -27,7 +27,7 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
blockinfile:
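Review bot: The distribution-and-version test added to the `when:` list of the password-restriction task is spelled out in full here and repeated in the `set_fact` expression, the sudo include and the four group tasks later in this commit, with a Debian threshold of 10 in some copies and 9 in others. These conditions decide whether the sshd password restrictions and the SSH group membership are applied, so a later edit that misses one copy would leave a host partly configured without any error. Consider computing each predicate once under a name such as `evolinux_ssh_groups_supported: "{{ (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')) }}"` and referencing that variable in every `when:`. Both tasks touched in this section start or end outside the visible hunks.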
|
||||
|
|
|
@ -125,7 +125,7 @@
|
|||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||
|
||||
- name: Enable alert5 init script (jessie/stretch)
|
||||
service:
|
||||
|
@ -134,7 +134,7 @@
|
|||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- evolinux_system_alert5_enable
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
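Review bot: The Ubuntu clause added to both alert5 conditions has no version bound, unlike the other conditions in this commit, which require Ubuntu 18 or later, so every Ubuntu release matches the init-script tasks. If that is not intended, bound it the same way: `- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`. The task name `Enable alert5 init script (jessie/stretch)` was left unchanged and should mention Ubuntu so the run output matches what the task now covers. The first task's name lies outside the hunk.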
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||
msg: only compatible with Debian >= 8
|
||||
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||
|
||||
- debug:
|
||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
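Review bot: The second entry under `that:` does not tie the version test to the distribution, and `version_compare('8', '>=')` is already true for every version that satisfies `version_compare('18', '>=')`, so the added operand never changes the result and Ubuntu releases such as 14.04 or 16.04 pass the compatibility check. The sudo include and the SSH group conditions elsewhere in this commit only handle Ubuntu 18 or later, so such a host would presumably get accounts created while those tasks are skipped. Replace both entries with one, `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`, and word the message as `only compatible with Debian >= 8 or Ubuntu >= 18.04`.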
|
||||
|
|
|
@ -28,9 +28,9 @@
|
|||
|
||||
- set_fact:
|
||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
|
||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
|
||||
- debug:
|
||||
var: ssh_allowgroups
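Review bot: With the new expressions `ssh_allowgroups` and `ssh_allowusers` are no longer complementary: on a host with neither directive in sshd_config that is neither Debian nor Ubuntu 18 or later, both evaluate to false. The tasks consuming these facts are outside the hunk, but if each is gated on its own fact, neither AllowGroups nor AllowUsers would be written and the new accounts would not be covered by an sshd allow-list. Keep one branch always selected by negating the release test instead of restating it: `ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and not ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"`. The two comments above the expressions still read "Debian 10+" and "Debian <10" and should name Ubuntu 18 as well.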
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
when: ansible_lsb.codename == "jessie"
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -59,31 +59,32 @@
|
|||
|
||||
## Group for SSH authorizations
|
||||
|
||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
state: present
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
## Optional group for all evolinux users
|
||||
|
||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
|
||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_internal_group }}"
|
||||
state: present
|
||||
when:
|
||||
- evolinux_internal_group is defined
|
||||
- evolinux_internal_group != ""
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_internal_group }}"
|
||||
|
@ -91,7 +92,8 @@
|
|||
when:
|
||||
- evolinux_internal_group is defined
|
||||
- evolinux_internal_group != ""
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
|
||||
## Optional secondary groups, defined per user
|
||||
|
||||
|
|