forked from evolix/ansible-roles
174 lines
5.1 KiB
YAML
174 lines
5.1 KiB
YAML
---
|
|
|
|
- name: Fetch SSHd config files
|
|
ansible.builtin.command:
|
|
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
|
changed_when: False
|
|
check_mode: no
|
|
register: _ssh_config_paths
|
|
|
|
- ansible.builtin.debug:
|
|
var: _ssh_config_paths
|
|
verbosity: 1
|
|
|
|
############################
|
|
# AllowUsers or AllowGroups
|
|
############################
|
|
|
|
- name: verify AllowGroups directive
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_allowgroups_ssh
|
|
|
|
- ansible.builtin.debug:
|
|
var: grep_allowgroups_ssh
|
|
verbosity: 1
|
|
|
|
- name: verify AllowUsers directive
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_allowusers_ssh
|
|
|
|
- ansible.builtin.debug:
|
|
var: grep_allowusers_ssh
|
|
verbosity: 1
|
|
|
|
- ansible.builtin.assert:
|
|
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
|
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
|
|
|
- ansible.builtin.set_fact:
|
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
|
|
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
|
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"
|
|
|
|
- ansible.builtin.debug:
|
|
var: ssh_allowgroups
|
|
verbosity: 1
|
|
|
|
- ansible.builtin.debug:
|
|
var: ssh_allowusers
|
|
verbosity: 1
|
|
|
|
- name: Configure SSH in AllowGroups mode
|
|
ansible.builtin.include: ssh_allowgroups.yml
|
|
when:
|
|
- ssh_allowgroups
|
|
- not ssh_allowusers
|
|
|
|
- name: Configure SSH in AllowUsers mode
|
|
ansible.builtin.include: ssh_allowusers.yml
|
|
vars:
|
|
user: "{{ item.value }}"
|
|
loop: "{{ evolinux_users | dict2items }}"
|
|
when:
|
|
- user.create == evolinux_users_create
|
|
- ssh_allowusers
|
|
- not ssh_allowgroups
|
|
|
|
# Do this again, to update the value
|
|
|
|
- name: Fetch SSHd config files
|
|
ansible.builtin.command:
|
|
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
|
changed_when: False
|
|
check_mode: no
|
|
register: _ssh_config_paths
|
|
|
|
##################
|
|
# PermitRootLogin
|
|
##################
|
|
|
|
### For Debian < 12
|
|
# if there is a commented value for PermitRootLogin
|
|
# we replace it with a "no"
|
|
|
|
- name: Root login is disabled (Debian < 12)
|
|
ansible.builtin.replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
|
replace: "PermitRootLogin no"
|
|
notify: reload sshd
|
|
when:
|
|
- evolinux_root_disable_ssh | bool
|
|
- ansible_distribution_major_version is version('12', '<')
|
|
|
|
### For Debian >= 12
|
|
# if there is no value for PermitRootLogin (anywhere)
|
|
# we add a "no" in z-evolinux-users.conf
|
|
|
|
- name: verify PermitRootLogin directive (Debian >= 12)
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_permitrootlogin_ssh
|
|
when:
|
|
- ansible_distribution_major_version is version('12', '>=')
|
|
|
|
- name: Root login is disabled (Debian >= 12)
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
|
line: "PermitRootLogin no"
|
|
create: yes
|
|
mode: "0644"
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
insertbefore: "BOF"
|
|
notify: reload sshd
|
|
when:
|
|
- evolinux_root_disable_ssh | bool
|
|
- ansible_distribution_major_version is version('12', '>=')
|
|
- grep_permitrootlogin_ssh.rc != 0
|
|
|
|
#####################
|
|
# Allow current user
|
|
#####################
|
|
|
|
- name: Allow current user
|
|
block:
|
|
- name: Check if evolinux ssh group is used
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_evolinux_group_ssh
|
|
|
|
- debug:
|
|
var: grep_evolinux_group_ssh
|
|
|
|
- name: "Get current user's login"
|
|
ansible.builtin.command:
|
|
cmd: logname
|
|
changed_when: False
|
|
register: _logname
|
|
check_mode: no
|
|
|
|
- debug:
|
|
var: evolinux_ssh_group
|
|
|
|
- debug:
|
|
var: evolinux_ssh_allow_current_user
|
|
|
|
- name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
|
|
ansible.builtin.user:
|
|
name: "{{ _logname.stdout }}"
|
|
groups: "{{ evolinux_ssh_group }}"
|
|
append: yes
|
|
when:
|
|
- grep_evolinux_group_ssh.rc == 0
|
|
when:
|
|
- evolinux_ssh_group is defined
|
|
- evolinux_ssh_group | length > 0
|
|
- evolinux_ssh_allow_current_user | bool
|
|
|
|
- ansible.builtin.meta: flush_handlers
|