9 commits
stable
...
simplify-e
Author | SHA1 | Date | |
---|---|---|---|
cf9ea7415a | |||
6ac874cbc6 | |||
331ad978f1 | |||
255023b91e | |||
f73667ea3c | |||
e79455efae | |||
Patrick Marchand | 75aad3e5d7 | ||
Patrick Marchand | 3feb0cc3b4 | ||
Patrick Marchand | 9049a97792 |
|
@ -20,9 +20,6 @@
|
|||
|
||||
- name: Configure sudo
|
||||
include: sudo.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
||||
|
||||
- name: Configure SSH
|
||||
|
|
|
@ -29,28 +29,69 @@
|
|||
- set_fact:
|
||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
|
||||
- debug:
|
||||
var: ssh_allowgroups
|
||||
verbosity: 1
|
||||
|
||||
- debug:
|
||||
var: ssh_allowusers
|
||||
verbosity: 1
|
||||
|
||||
- include: ssh_allowgroups.yml
|
||||
vars:
|
||||
- allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- not ssh_allowusers
|
||||
|
||||
- include: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
- name: "Add AllowUsers sshd directive with all users"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ssh_allowusers
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
|
||||
replace: '\1 {{ item.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: "verify Match User directive"
|
||||
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_matchuser_ssh
|
||||
when: not ssh_allowgroups
|
||||
|
||||
- name: "Add Match User sshd directive with all users"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_matchuser_ssh != 0
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: "Append '{{ item.name }}' to Match User's sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ item.name }}).)*)$'
|
||||
replace: '\1,{{ item.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_matchuser_ssh.rc == 0
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: disable root login
|
||||
|
|
|
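Review bot: The condition `- grep_matchuser_ssh != 0` on the "Add Match User sshd directive with all users" task compares the whole registered result to an integer, so the grep result never gates the task and a second `Match User` block can be appended when one with a different user list already exists; it should be `- grep_matchuser_ssh.rc != 0`, as the sibling "Append … to Match User's sshd directive" task already does with `grep_matchuser_ssh.rc == 0`. The two "Append '{{ item.name }}'" tasks loop with `with_dict: "{{ evolinux_users }}"` but reference `item.name`, whereas a dict loop item exposes only `key` and `value` (the removed include passed `user: "{{ item.value }}"` and used `user.name`), so presumably `item.value.name` is meant — confirm against the variable's shape; the same pattern appears in the sudo.yml hunk's "Add user in sudoers file" task. For the same reason `evolinux_users|map(attribute='name')|join(',')` in the two "with all users" tasks iterates dict keys rather than user entries; `evolinux_users.values()|map(attribute='name')|join(',')` would select the names. The `vars:` of the `ssh_allowgroups.yml` include is written as a list item (`- allow_groups_present: …`) instead of a mapping; write it as `allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"` so the included file's `when: not allow_groups_present` / `when: allow_groups_present` can rely on it being defined.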
@ -1,14 +1,5 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowGroups directive
|
||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
|
@ -16,7 +7,7 @@
|
|||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc != 0
|
||||
when: not allow_groups_present
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
replace:
|
||||
|
@ -25,4 +16,4 @@
|
|||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc == 0
|
||||
when: allow_groups_present
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowUsers directive
|
||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowusers_ssh
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: "verify Match User directive"
|
||||
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_matchuser_ssh
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc == 0
|
|
@ -1,9 +1,45 @@
|
|||
---
|
||||
|
||||
- include: sudo_jessie.yml
|
||||
- name: "Verify 'evolinux' sudoers file presence for debian jessie"
|
||||
template:
|
||||
src: "sudoers_jessie.j2"
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Verify 'evolinux' sudoers file presence for debian 9 or bigger"
|
||||
template:
|
||||
src: "sudoers_stretch.j2"
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Add user in sudoers file for '{{ item.name }}' (jessie)"
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ item.name }}).)*)$'
|
||||
replace: '\1,{{ item.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when:
|
||||
- not copy_sudoers_evolinux.changed
|
||||
- ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_sudo_group }}"
|
||||
system: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
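Review bot: Both template tasks use `register: copy_sudoers_evolinux`, and a skipped task still stores its (skipped, unchanged) result in the registered variable, so on jessie the "debian 9 or bigger" task overwrites the jessie result and `- not copy_sudoers_evolinux.changed` is true even when the sudoers file was just created by the template. Give each task its own name, e.g. `register: copy_sudoers_evolinux_jessie` on the jessie template task and `- not copy_sudoers_evolinux_jessie.changed` in the "Add user in sudoers file" condition. `system: yes` on the group task is a YAML 1.1 truthy value; `system: true` is the portable spelling.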
@ -1,18 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Verify Evolinux sudoers file presence (jessie)"
|
||||
template:
|
||||
src: sudoers_jessie.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
when: not copy_sudoers_evolinux.changed
|
|
@ -1,19 +1,5 @@
|
|||
---
|
||||
|
||||
- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
|
||||
template:
|
||||
src: sudoers_stretch.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_sudo_group }}"
|
||||
system: yes
|
||||
|
||||
- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
|
|