Improve syntax of accounts role and fix missing tags

Jérémy Dubois 2022-01-06 12:01:22 +01:00
parent f0ecc79696
commit 4506c835c5
2 changed files with 36 additions and 30 deletions


@ -1,18 +1,14 @@
---
- name: "Create {{ evobsd_internal_group }} group"
- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
group:
name: "{{ evobsd_internal_group }}"
system: true
- name: "Create {{ evobsd_ssh_group }} group"
group:
name: "{{ evobsd_ssh_group }}"
system: true
- name: "Create {{ evobsd_sudo_group }} group"
group:
name: "{{ evobsd_sudo_group }}"
name: "{{ item }}"
system: true
with_items:
- "{{ evobsd_internal_group }}"
- "{{ evobsd_ssh_group }}"
- "{{ evobsd_sudo_group }}"
tags:
- admin
- name: Create user accounts
include: user.yml
@ -20,6 +16,8 @@
user: "{{ item.value }}"
with_dict: "{{ evolix_users }}"
when: evolix_users != {}
tags:
- admin
- name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@ -27,6 +25,8 @@
failed_when: false
check_mode: false
register: grep_allowgroups_ssh
tags:
- admin
- name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
@ -34,16 +34,22 @@
failed_when: false
check_mode: false
register: grep_allowusers_ssh
tags:
- admin
- name: "Check that AllowUsers and AllowGroup do not override each other"
assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
tags:
- admin
- name: "If AllowGroups is present then use it"
set_fact:
ssh_allowgroups:
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
tags:
- admin
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
lineinfile:
@ -55,6 +61,8 @@
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 1
tags:
- admin
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
replace:
@ -66,6 +74,8 @@
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 0
tags:
- admin
- name: "Security directives for EvoBSD"
blockinfile:
@ -81,6 +91,8 @@
notify: reload sshd
when:
- evolix_trusted_ips != []
tags:
- admin
- name: "Disable root login"
replace:
@ -88,3 +100,5 @@
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
tags:
- admin
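Review bot: The merged group-creation task in the first hunk (`@ -1,18 +1,14 @@`) still iterates with `with_items`, which is the pre-2.5 lookup form; the `loop:` keyword is the current idiom and reads the same three-item list, `loop:` followed by the unchanged list, so the only edit is the keyword. That holds only if the role targets Ansible 2.5 or later — the surrounding `include: user.yml` and `with_dict` suggest older conventions, so confirm the supported version before switching. The task name now lists three groups but still says `group`; `"Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} groups"` would match what it does. The `tags: admin` additions are fine as a pure tagging change.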


@ -4,6 +4,8 @@
state: present
name: "{{ user.name }}"
gid: "{{ user.uid }}"
tags:
- admin
- name: "User '{{ user.name }}' is present"
user:
@ -25,6 +27,8 @@
owner: "{{ user.name }}"
group: "{{ user.name }}"
state: directory
tags:
- admin
- name: "SSH public keys for '{{ user.name }}' are present"
authorized_key:
@ -38,26 +42,14 @@
tags:
- admin
- name: "Add {{ user.name }} to {{ evobsd_internal_group }} group"
- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evobsd_internal_group }}"
append: true
tags:
- admin
- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evobsd_ssh_group }}"
append: true
tags:
- admin
- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
user:
name: "{{ user.name }}"
groups: "{{ evobsd_sudo_group }}"
groups: "{{ item }}"
append: true
with_items:
- "{{ evobsd_internal_group }}"
- "{{ evobsd_ssh_group }}"
- "{{ evobsd_sudo_group }}"
tags:
- admin
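Review bot: The membership task in the last hunk (`@ -38,26 +42,14 @@`) now runs the `user` module three times per account, once per group, each call modifying the account on the host; since `append: true` is set, a single call with all three groups yields the same end state with one modification, e.g. `groups: "{{ evobsd_internal_group }},{{ evobsd_ssh_group }},{{ evobsd_sudo_group }}"` and the `with_items` list dropped. Note also that every entry of `evolix_users` lands in `{{ evobsd_sudo_group }}` unconditionally — that was already the case before this commit, so it is presumably intentional for an admin-only user list, but a per-user flag would be the place to gate it if non-admin accounts are ever managed here. The per-user `group` task earlier in this file (`gid: "{{ user.uid }}"`) and the `authorized_key` task are context and unchanged apart from tags.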