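# yamllint disable rule:line-length
---
# Account and SSH access tasks for the EvoBSD accounts role.
#
# Order matters: the sshd_config edits below depend on facts registered by the
# two grep tasks, and the root-login task must only touch the global section
# (the Match blocks appended at EOF also accept PermitRootLogin).

- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
  group:
    name: "{{ item }}"
    # System groups get a GID from the reserved range.
    system: true
  with_items:
    - "{{ evobsd_internal_group }}"
    - "{{ evobsd_ssh_group }}"
    - "{{ evobsd_sudo_group }}"
  tags:
    - accounts
    - admin

# One run of user.yml per entry of evolix_users; the entry's value is exposed
# to the included file as `user`. `include` is deprecated in recent ansible-core
# (`include_tasks` is the replacement once the minimum supported version allows).
- name: "Create user accounts"
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolix_users }}"
  when: evolix_users != {}
  tags:
    - accounts
    - admin

# The two greps only record whether an active (uncommented) directive exists.
# failed_when: false keeps a missing directive (rc 1) from failing the play;
# check_mode: false ensures the registered rc is available in --check runs.
- name: "Verify AllowGroups directive"
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh
  tags:
    - accounts
    - admin

- name: "Verify AllowUsers directive"
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh
  tags:
    - accounts
    - admin

# sshd evaluates AllowUsers and AllowGroups together; managing only the group
# list while a user list is active would silently lock accounts out, so refuse.
- name: "Check that AllowUsers and AllowGroup do not override each other"
  assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"
  tags:
    - accounts
    - admin

# True when AllowGroups is already present, or when neither directive is
# present (a fresh config gets the group-based restriction).
- name: "If AllowGroups is present then use it"
  set_fact:
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
  tags:
    - accounts
    - admin

# The leading "\n" in `line` inserts a blank separator line; it also means
# lineinfile's presence check never matches an existing line, so idempotency
# relies on the rc == 1 guard (grep: 1 = no match, 2 = error, e.g. unreadable file).
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evobsd_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1
  tags:
    - accounts
    - admin

# Negative lookahead with word boundaries: only lines that do not already list
# the group are rewritten, so re-runs do not append it twice.
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
    replace: '\1 {{ evobsd_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0
  tags:
    - accounts
    - admin

# Password authentication is allowed only from evolix_trusted_ips and denied for
# the internal group everywhere else. Per sshd_config(5) the first value obtained
# for a keyword wins, so an internal-group member connecting from a trusted
# address still gets PasswordAuthentication yes — confirm this is the intent.
# The block is skipped entirely when no trusted IPs are defined.
- name: "Security directives for EvoBSD"
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    block: |
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      Match Group {{ evobsd_internal_group }}
          PasswordAuthentication no
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolix_trusted_ips != []
  tags:
    - accounts
    - admin

# Stock sshd_config ships the directive commented out (e.g. "#PermitRootLogin
# prohibit-password"); the optional "#" lets this task activate and set it
# instead of silently leaving the built-in default in place. An existing
# "PermitRootLogin no" is deliberately left untouched, and a config with no
# directive at all is not modified (the default then applies). Validation
# matches the other sshd edits so a bad value cannot be written.
- name: "Disable root login"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin\s+(yes|without-password|prohibit-password)'
    replace: "PermitRootLogin {{ evobsd_root_login }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  tags:
    - accounts
    - admin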