EvoBSD/roles/accounts/tasks/main.yml

---
- name: "Create {{ evobsd_internal_group }} group"
  group:
    name: "{{ evobsd_internal_group }}"
    system: true

- name: "Create {{ evobsd_ssh_group }} group"
  group:
    name: "{{ evobsd_ssh_group }}"
    system: true

- name: "Create {{ evobsd_sudo_group }} group"
  group:
    name: "{{ evobsd_sudo_group }}"
    system: true

- name: Create user accounts
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolix_users }}"
  when: evolix_users != {}

- name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh

- name: verify AllowUsers directive
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- name: "Check that AllowUsers and AllowGroup do not override each other"
  assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

- name: "If AllowGroups is present then use it"
  set_fact:
    ssh_allowgroups:
      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"

- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evobsd_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1

- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
    replace: '\1 {{ evobsd_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0

- name: "Security directives for EvoBSD"
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    block: |
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      Match Group {{ evobsd_internal_group }}
          PasswordAuthentication no
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolix_trusted_ips != []

- name: "Disable root login"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
  notify: reload sshd
Add initial project 2018-12-28 11:23:49 +01:00			`---`
accounts: use "evobsd_internal_group" for SSH authentication 2022-01-05 11:16:18 +01:00			`- name: "Create {{ evobsd_internal_group }} group"`
			`group:`
			`name: "{{ evobsd_internal_group }}"`
			`system: true`

Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`- name: "Create {{ evobsd_ssh_group }} group"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`group:`
Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`name: "{{ evobsd_ssh_group }}"`
			`system: true`

			`- name: "Create {{ evobsd_sudo_group }} group"`
			`group:`
			`name: "{{ evobsd_sudo_group }}"`
Correction of the stricter ssh access commit evolinux_ssh_group was missing 2020-04-21 11:27:43 +02:00			`system: true`

Fixed problem with ssh keys ssh key variable is a list of keys, not a single key. Use a loop and the authorized keys module to fix this. 2019-01-18 15:30:42 +01:00			`- name: Create user accounts`
			`include: user.yml`
			`vars:`
			`user: "{{ item.value }}"`
Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`with_dict: "{{ evolix_users }}"`
			`when: evolix_users != {}`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00
			`- name: verify AllowGroups directive`
			`command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: grep_allowgroups_ssh`

			`- name: verify AllowUsers directive`
			`command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: grep_allowusers_ssh`

Ansible-lint and yamllint Does not fix all warnings, but gets rid of the purely cosmetic ones. (roles/accounts/tasks/main.yml) 2020-05-22 17:49:18 +02:00			`- name: "Check that AllowUsers and AllowGroup do not override each other"`
			`assert:`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"`
			`msg: "We can't deal with AllowUsers and AllowGroups at the same time"`

Ansible-lint and yamllint Does not fix all warnings, but gets rid of the purely cosmetic ones. (roles/accounts/tasks/main.yml) 2020-05-22 17:49:18 +02:00			`- name: "If AllowGroups is present then use it"`
			`set_fact:`
Fix yaml lint lines too long In some cases I used block scalars: https://yaml-multiline.info/ In other cases I added newlines In rare cases I just ignored the rule: https://yamllint.readthedocs.io/en/stable/disable_with_comments.html 2020-06-04 18:51:53 +02:00			`ssh_allowgroups:`
			`"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00
Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`lineinfile:`
			`dest: /etc/ssh/sshd_config`
Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`line: "\nAllowGroups {{ evobsd_ssh_group }}"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`insertafter: 'Subsystem'`
			`validate: '/usr/sbin/sshd -t -f %s'`
			`notify: reload sshd`
			`when:`
			`- ssh_allowgroups`
			`- grep_allowgroups_ssh.rc == 1`

Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`replace:`
			`dest: /etc/ssh/sshd_config`
Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in. 2020-10-15 11:01:52 +02:00			`regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'`
			`replace: '\1 {{ evobsd_ssh_group }}'`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`validate: '/usr/sbin/sshd -t -f %s'`
			`notify: reload sshd`
			`when:`
			`- ssh_allowgroups`
			`- grep_allowgroups_ssh.rc == 0`

Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`- name: "Security directives for EvoBSD"`
			`blockinfile:`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`dest: /etc/ssh/sshd_config`
Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"`
			`block: \|`
			`Match Address {{ evolix_trusted_ips \| join(',') }}`
			`PasswordAuthentication yes`
accounts: use "evobsd_internal_group" for SSH authentication 2022-01-05 11:16:18 +01:00			`Match Group {{ evobsd_internal_group }}`
Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`PasswordAuthentication no`
			`insertafter: EOF`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`validate: '/usr/sbin/sshd -t -f %s'`
			`notify: reload sshd`
			`when:`
Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`- evolix_trusted_ips != []`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00
Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. 2020-10-13 16:03:54 +02:00			`- name: "Disable root login"`
Add stricter ssh and doas access 2019-09-19 23:07:01 +02:00			`replace:`
			`dest: /etc/ssh/sshd_config`
			`regexp: '^PermitRootLogin (yes\|without-password\|prohibit-password)'`
			`replace: "PermitRootLogin no"`
			`notify: reload sshd`