diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml
index 02d8749..f238bbf 100644
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@@ -1,20 +1,15 @@
---
-- name: "Create {{ evolinux_sudo_group }}"
+- name: "Create {{ evobsd_group }} group"
group:
- name: "{{ evolinux_sudo_group }}"
- system: true
-
-- name: "Create {{ evolinux_ssh_group }}"
- group:
- name: "{{ evolinux_ssh_group }}"
+ name: "{{ evobsd_group }}"
system: true
- name: Create user accounts
include: user.yml
vars:
user: "{{ item.value }}"
- with_dict: "{{ evolinux_users }}"
- when: evolinux_users != {}
+ with_dict: "{{ evolix_users }}"
+ when: evolix_users != {}
- name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@@ -40,10 +35,10 @@
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
- line: "\nAllowGroups {{ evolinux_ssh_group }}"
+ line: "\nAllowGroups {{ evobsd_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
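Review bot: Collapsing `evolinux_ssh_group` and `evolinux_sudo_group` into the single `evobsd_group` created by the first task removes the separation between "may log in over SSH" and "may become root": the same group now feeds sshd's `AllowGroups` and, in doas.conf.j2, the `permit setenv ... :{{ evobsd_group }}` rule, so anyone added to the group for SSH access also gets root via doas. If that is intended, a comment on the group task such as `# {{ evobsd_group }} grants both SSH login (AllowGroups) and root via doas` makes the trade-off explicit for the next maintainer. Separately, `when: evolix_users != {}` raises an undefined-variable error when `evolix_users` is not set at all (this diff only shows it commented out in vars/main.yml); `when: evolix_users | default({}) | length > 0` skips cleanly instead.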
@@ -51,30 +46,33 @@
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 1
-- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
replace:
dest: /etc/ssh/sshd_config
- regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
- replace: '\1 {{ evolinux_ssh_group }}'
+ regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
+ replace: '\1 {{ evobsd_group }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 0
-- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
- replace:
+- name: "Security directives for EvoBSD"
+ blockinfile:
dest: /etc/ssh/sshd_config
- regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
- replace: '\1 {{ item.name }}'
+ marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
+ block: |
+ Match Address {{ evolix_trusted_ips | join(',') }}
+ PasswordAuthentication yes
+ Match Group {{ evobsd_group }}
+ PasswordAuthentication no
+ insertafter: EOF
validate: '/usr/sbin/sshd -t -f %s'
- with_dict: "{{ evolinux_users }}"
notify: reload sshd
when:
- - not ssh_allowgroups
- - grep_allowusers_ssh == 1
+ - evolix_trusted_ips != []
-- name: disable root login
+- name: "Disable root login"
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml
index 568753b..fbee95c 100644
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
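Review bot: In the new `block:` the `Match Address` stanza precedes `Match Group {{ evobsd_group }}`, and sshd evaluates Match blocks in file order keeping only the first value obtained for each keyword, so a group member connecting from a trusted address is granted `PasswordAuthentication yes` and the later `no` never applies; if group members are meant to be key-only regardless of source, the group stanza has to come first. The `when: evolix_trusted_ips != []` also ties the group hardening to the existence of trusted IPs (and fails outright if the variable is undefined), so a host with no trusted addresses keeps password logins for the admin group; moving the condition into the block keeps the restriction unconditional and lets the `when:` go. Dropping the AllowUsers task leaves the `not ssh_allowgroups` case (an existing `AllowUsers` line and no `AllowGroups`) with nothing that lets the new group in — the old task was already inert because of `grep_allowusers_ssh == 1`, but it is worth confirming that path is not needed. The `Disable root login` task continues past the end of the hunk.
```yaml
- name: "Security directives for EvoBSD"
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    # sshd keeps the first value set for a keyword across Match blocks,
    # so the group restriction must precede the trusted-address exception
    block: |
      Match Group {{ evobsd_group }}
          PasswordAuthentication no
      {% if evolix_trusted_ips | default([]) %}
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      {% endif %}
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
```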
@@ -1,16 +1,31 @@
---
+- name: "Group '{{ user.name }}' is present"
+ group:
+ state: present
+ name: "{{ user.name }}"
+ gid: "{{ user.uid }}"
+
- name: "User '{{ user.name }}' is present"
user:
state: present
name: '{{ user.name }}'
uid: '{{ user.uid }}'
password: '{{ user.password_hash_openbsd }}'
+ group: "{{ user.name }}"
groups: wheel
shell: /bin/ksh
append: true
tags:
- admin
+- name: "Home directory for '{{ user.name }}' is only accesible by owner"
+ file:
+ name: '/home/{{ user.name }}'
+ mode: "0700"
+ owner: "{{ user.name }}"
+ group: "{{ user.name }}"
+ state: directory
+
- name: "SSH public keys for '{{ user.name }}' are present"
authorized_key:
user: "{{ user.name }}"
@@ -23,18 +38,10 @@
tags:
- admin
-- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_group }} group"
user:
name: "{{ user.name }}"
- groups: "{{ evolinux_sudo_group }}"
- append: true
- tags:
- - admin
-
-- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
- user:
- name: "{{ user.name }}"
- groups: "{{ evolinux_ssh_group }}"
+ groups: "{{ evobsd_group }}"
append: true
tags:
- admin
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index 55c246a..e3945ec 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
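Review bot: The new home-directory task hard-codes `/home/{{ user.name }}` while the `user:` task above it never passes `home:`, so for a pre-existing account whose home lives elsewhere the `file` task creates or tightens an unrelated `/home/<name>` directory and the real home (where `authorized_key` writes the keys) stays at its old mode; passing `home: "/home/{{ user.name }}"` to the user module, or looking the path up from the passwd entry, keeps the two in step. `gid: "{{ user.uid }}"` in the new group task also assumes the numeric uid is free as a gid; if a system group already owns it, groupadd fails, which deserves a comment on the task such as `# primary group reuses the uid as gid; the number must be unused in /etc/group too`. Restricting the home to `0700` is a good tightening, and the task name's `accesible` should read `accessible`.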
@@ -1,7 +1,7 @@
# {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit nopass _collectd as root cmd /usr/sbin/bgpctl
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
diff --git a/vars/main.yml b/vars/main.yml
index 347a44e..bccc5d4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -8,9 +8,6 @@
#
# general_alert_email: "root@localhost"
# general_technical_realm: "example.com"
-evolinux_ssh_group: "evolinux-ssh"
-evolinux_sudo_group: "evolinux-sudo"
-evolinux_root_disable_ssh: true
#
# evomaintenance_realm: "example.com"
# evomaintenance_alert_email:
@@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
# evomaintenance_urgency_from: mama.doe@example.com
# evomaintenance_urgency_tel: "06.00.00.00.00"
#
+evobsd_group: "evolix"
+#
# evolix_users:
# foo:
# name: foo
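Review bot: `evobsd_group` gets a default here, but the accounts tasks in this same diff also read `evolix_trusted_ips` (in `when: evolix_trusted_ips != []` and the `Match Address` line) and nothing in the diff defines it, so an inventory that does not set it fails on an undefined variable instead of simply skipping the trusted-address exception; adding `evolix_trusted_ips: []` next to `evobsd_group: "evolix"` closes that, ideally with a comment like `# addresses allowed to use sshd PasswordAuthentication; keep empty unless you trust them` since the list is pasted straight into a `Match Address` directive. The removed `evolinux_root_disable_ssh: true` has no replacement in this file; if the `Disable root login` task still gates on it (its `when:` is outside the diff), it would now be skipped or error — worth confirming.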