Improve syntax of accounts role and fix missing tags
This commit is contained in:
parent
f0ecc79696
commit
4506c835c5
|
@ -1,18 +1,14 @@
|
||||||
---
|
---
|
||||||
- name: "Create {{ evobsd_internal_group }} group"
|
- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
|
||||||
group:
|
group:
|
||||||
name: "{{ evobsd_internal_group }}"
|
name: "{{ item }}"
|
||||||
system: true
|
|
||||||
|
|
||||||
- name: "Create {{ evobsd_ssh_group }} group"
|
|
||||||
group:
|
|
||||||
name: "{{ evobsd_ssh_group }}"
|
|
||||||
system: true
|
|
||||||
|
|
||||||
- name: "Create {{ evobsd_sudo_group }} group"
|
|
||||||
group:
|
|
||||||
name: "{{ evobsd_sudo_group }}"
|
|
||||||
system: true
|
system: true
|
||||||
|
with_items:
|
||||||
|
- "{{ evobsd_internal_group }}"
|
||||||
|
- "{{ evobsd_ssh_group }}"
|
||||||
|
- "{{ evobsd_sudo_group }}"
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: Create user accounts
|
- name: Create user accounts
|
||||||
include: user.yml
|
include: user.yml
|
||||||
|
@ -20,6 +16,8 @@
|
||||||
user: "{{ item.value }}"
|
user: "{{ item.value }}"
|
||||||
with_dict: "{{ evolix_users }}"
|
with_dict: "{{ evolix_users }}"
|
||||||
when: evolix_users != {}
|
when: evolix_users != {}
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: verify AllowGroups directive
|
- name: verify AllowGroups directive
|
||||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
|
@ -27,6 +25,8 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: grep_allowgroups_ssh
|
register: grep_allowgroups_ssh
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
|
@ -34,16 +34,22 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: grep_allowusers_ssh
|
register: grep_allowusers_ssh
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "Check that AllowUsers and AllowGroup do not override each other"
|
- name: "Check that AllowUsers and AllowGroup do not override each other"
|
||||||
assert:
|
assert:
|
||||||
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
||||||
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "If AllowGroups is present then use it"
|
- name: "If AllowGroups is present then use it"
|
||||||
set_fact:
|
set_fact:
|
||||||
ssh_allowgroups:
|
ssh_allowgroups:
|
||||||
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
|
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -55,6 +61,8 @@
|
||||||
when:
|
when:
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- grep_allowgroups_ssh.rc == 1
|
- grep_allowgroups_ssh.rc == 1
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
|
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
|
||||||
replace:
|
replace:
|
||||||
|
@ -66,6 +74,8 @@
|
||||||
when:
|
when:
|
||||||
- ssh_allowgroups
|
- ssh_allowgroups
|
||||||
- grep_allowgroups_ssh.rc == 0
|
- grep_allowgroups_ssh.rc == 0
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "Security directives for EvoBSD"
|
- name: "Security directives for EvoBSD"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
@ -81,6 +91,8 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolix_trusted_ips != []
|
- evolix_trusted_ips != []
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "Disable root login"
|
- name: "Disable root login"
|
||||||
replace:
|
replace:
|
||||||
|
@ -88,3 +100,5 @@
|
||||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
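Review bot: The consolidated group task at the top of the first hunk iterates with `with_items`; if the role targets Ansible 2.5 or later, `loop:` is the documented form and reads identically here, e.g. replace `with_items:` with `loop:` and keep the same three list entries. Behaviour is otherwise equivalent, since `with_items` only flattens one level and this is a flat list of scalars. The loop also depends on all three `evobsd_*_group` variables being defined: an undefined one fails the whole task rather than skipping that group, which is presumably intended for a baseline role but deserves a one-line comment such as `# all three groups are mandatory; an undefined variable fails the task`.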
|
@ -4,6 +4,8 @@
|
||||||
state: present
|
state: present
|
||||||
name: "{{ user.name }}"
|
name: "{{ user.name }}"
|
||||||
gid: "{{ user.uid }}"
|
gid: "{{ user.uid }}"
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "User '{{ user.name }}' is present"
|
- name: "User '{{ user.name }}' is present"
|
||||||
user:
|
user:
|
||||||
|
@ -25,6 +27,8 @@
|
||||||
owner: "{{ user.name }}"
|
owner: "{{ user.name }}"
|
||||||
group: "{{ user.name }}"
|
group: "{{ user.name }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
tags:
|
||||||
|
- admin
|
||||||
|
|
||||||
- name: "SSH public keys for '{{ user.name }}' are present"
|
- name: "SSH public keys for '{{ user.name }}' are present"
|
||||||
authorized_key:
|
authorized_key:
|
||||||
|
@ -38,26 +42,14 @@
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evobsd_internal_group }} group"
|
- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
|
||||||
user:
|
user:
|
||||||
name: "{{ user.name }}"
|
name: "{{ user.name }}"
|
||||||
groups: "{{ evobsd_internal_group }}"
|
groups: "{{ item }}"
|
||||||
append: true
|
|
||||||
tags:
|
|
||||||
- admin
|
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
|
|
||||||
user:
|
|
||||||
name: "{{ user.name }}"
|
|
||||||
groups: "{{ evobsd_ssh_group }}"
|
|
||||||
append: true
|
|
||||||
tags:
|
|
||||||
- admin
|
|
||||||
|
|
||||||
- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
|
|
||||||
user:
|
|
||||||
name: "{{ user.name }}"
|
|
||||||
groups: "{{ evobsd_sudo_group }}"
|
|
||||||
append: true
|
append: true
|
||||||
|
with_items:
|
||||||
|
- "{{ evobsd_internal_group }}"
|
||||||
|
- "{{ evobsd_ssh_group }}"
|
||||||
|
- "{{ evobsd_sudo_group }}"
|
||||||
tags:
|
tags:
|
||||||
- admin
|
- admin
|
||||||
|
|
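Review bot: The new `with_items` loop in the "Add ... group" task binds the loop variable `item`, while this file is included from the main task file with `user: "{{ item.value }}"` inside a `with_dict` loop; if that include variable is resolved lazily (the legacy `include` keyword behaves that way on some Ansible versions), the inner `item` shadows the outer one and `user.name` no longer refers to the account. The simplest fix removes the inner loop altogether: the `user` module accepts several groups in one call, so `groups: "{{ evobsd_internal_group }},{{ evobsd_ssh_group }},{{ evobsd_sudo_group }}"` with the existing `append: true` does the same work in one `usermod` per user instead of three; alternatively keep the loop and add `loop_control:` / `loop_var: group_name` and reference `{{ group_name }}`. Note that, as before this commit, every account in `evolix_users` is added to the sudo group unconditionally; a per-user flag would be the least-privilege option, but that is outside this change.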