diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml
index 45503a1..7363b37 100644
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@@ -1,18 +1,14 @@
 ---
-- name: "Create {{ evobsd_internal_group }} group"
+- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
 group:
- name: "{{ evobsd_internal_group }}"
- system: true
-
-- name: "Create {{ evobsd_ssh_group }} group"
- group:
- name: "{{ evobsd_ssh_group }}"
- system: true
-
-- name: "Create {{ evobsd_sudo_group }} group"
- group:
- name: "{{ evobsd_sudo_group }}"
+ name: "{{ item }}"
 system: true
+ with_items:
+ - "{{ evobsd_internal_group }}"
+ - "{{ evobsd_ssh_group }}"
+ - "{{ evobsd_sudo_group }}"
+ tags:
+ - admin
 - name: Create user accounts
 include: user.yml
@@ -20,6 +16,8 @@
 user: "{{ item.value }}"
 with_dict: "{{ evolix_users }}"
 when: evolix_users != {}
+ tags:
+ - admin
 - name: verify AllowGroups directive
 command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@@ -27,6 +25,8 @@
 failed_when: false
 check_mode: false
 register: grep_allowgroups_ssh
+ tags:
+ - admin
 - name: verify AllowUsers directive
 command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
@@ -34,16 +34,22 @@
 failed_when: false
 check_mode: false
 register: grep_allowusers_ssh
+ tags:
+ - admin
 - name: "Check that AllowUsers and AllowGroup do not override each other"
 assert:
 that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
 msg: "We can't deal with AllowUsers and AllowGroups at the same time"
+ tags:
+ - admin
 - name: "If AllowGroups is present then use it"
 set_fact:
 ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+ tags:
+ - admin
 - name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
 lineinfile:
@@ -55,6 +61,8 @@
 when:
 - ssh_allowgroups
 - grep_allowgroups_ssh.rc == 1
+ tags:
+ - admin
 - name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
 replace:
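Review bot: The merged task's name still ends in `group` although it now creates three groups, so play output reads oddly; `- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }} and {{ evobsd_sudo_group }} groups"` matches what the loop does, and the same wording applies to the merged membership task in user.yml. If the project targets Ansible 2.5 or later, `loop:` is the form the current documentation recommends over `with_items`, in both places. The `tags: [admin]` additions in the remaining hunks of this file are consistent, and since later tasks consume `grep_allowgroups_ssh` and `grep_allowusers_ssh`, keeping every task in that register/assert/set_fact chain under the same tag is what lets a `--tags admin` run reach the sshd hardening at all.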
@@ -66,6 +74,8 @@
 when:
 - ssh_allowgroups
 - grep_allowgroups_ssh.rc == 0
+ tags:
+ - admin
 - name: "Security directives for EvoBSD"
 blockinfile:
@@ -81,6 +91,8 @@
 notify: reload sshd
 when:
 - evolix_trusted_ips != []
+ tags:
+ - admin
 - name: "Disable root login"
 replace:
@@ -88,3 +100,5 @@
 regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
 replace: "PermitRootLogin no"
 notify: reload sshd
+ tags:
+ - admin
diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml
index ef27a5b..712f5f0 100644
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@@ -4,6 +4,8 @@
 state: present
 name: "{{ user.name }}"
 gid: "{{ user.uid }}"
+ tags:
+ - admin
 - name: "User '{{ user.name }}' is present"
 user:
@@ -25,6 +27,8 @@
 owner: "{{ user.name }}"
 group: "{{ user.name }}"
 state: directory
+ tags:
+ - admin
 - name: "SSH public keys for '{{ user.name }}' are present"
 authorized_key:
@@ -38,26 +42,14 @@
 tags:
 - admin
-- name: "Add {{ user.name }} to {{ evobsd_internal_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
 user:
 name: "{{ user.name }}"
- groups: "{{ evobsd_internal_group }}"
- append: true
- tags:
- - admin
-
-- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
- user:
- name: "{{ user.name }}"
- groups: "{{ evobsd_ssh_group }}"
- append: true
- tags:
- - admin
-
-- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
- user:
- name: "{{ user.name }}"
- groups: "{{ evobsd_sudo_group }}"
+ groups: "{{ item }}"
 append: true
+ with_items:
+ - "{{ evobsd_internal_group }}"
+ - "{{ evobsd_ssh_group }}"
+ - "{{ evobsd_sudo_group }}"
 tags:
 - admin
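Review bot: The "Disable root login" task's `replace` only rewrites an existing, uncommented `PermitRootLogin` line, so an sshd_config that carries only the stock commented `#PermitRootLogin` default matches nothing and root login stays at sshd's built-in default rather than being set to `no`; the hunk at `@@ -88,3 +100,5 @@` only adds the tag, but the task is worth tightening while it is being touched. `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: "PermitRootLogin no"` sets the directive whether or not it is already present. The task's `name` and module line are in the preceding hunk, outside this one.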
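Review bot: In user.yml's first hunk (`@@ -4,6 +4,8 @@`), if `--tags admin` is meant to select the whole role, the `User '{{ user.name }}' is present` task that begins at the end of the hunk needs the tag as well, and its body is outside the hunk so I cannot confirm it carries one. Whether the tasks in this file already inherit `admin` from the tagged `include: user.yml` in main.yml depends on whether that looped include is treated as static or dynamic, so the per-task tags are the safer choice; `ansible-playbook --list-tasks --tags admin` will show which tasks the tag actually selects.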
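Review bot: In user.yml's last hunk (`@@ -38,26 +42,14 @@`) the `user` module's `groups` option accepts a list, so the three-iteration loop can be a single module call: `groups: ["{{ evobsd_internal_group }}", "{{ evobsd_ssh_group }}", "{{ evobsd_sudo_group }}"]` with `append: true`, which also reports one result per account instead of three. Independently of the loop shape, this task still grants every account from `evolix_users` membership of the ssh and sudo groups unconditionally, a pre-existing behaviour the commit keeps; a one-line comment above the task, `# every evolix_users account gets internal, ssh and sudo group membership`, makes that explicit for whoever adds accounts to the dict. The task name should read `groups` rather than `group`.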