Release of EvoBSD 6.8.0 #37
|
@ -1,20 +1,15 @@
|
|||
---
|
||||
- name: "Create {{ evolinux_sudo_group }}"
|
||||
- name: "Create {{ evobsd_group }} group"
|
||||
group:
|
||||
name: "{{ evolinux_sudo_group }}"
|
||||
system: true
|
||||
|
||||
- name: "Create {{ evolinux_ssh_group }}"
|
||||
group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
name: "{{ evobsd_group }}"
|
||||
system: true
|
||||
|
||||
- name: Create user accounts
|
||||
include: user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
||||
with_dict: "{{ evolix_users }}"
|
||||
when: evolix_users != {}
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
|
@ -40,10 +35,10 @@
|
|||
ssh_allowgroups:
|
||||
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
line: "\nAllowGroups {{ evobsd_group }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
|
@ -51,30 +46,33 @@
|
|||
- ssh_allowgroups
|
||||
- grep_allowgroups_ssh.rc == 1
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
|
||||
replace: '\1 {{ evobsd_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
- name: "Security directives for EvoBSD"
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
|
||||
replace: '\1 {{ item.name }}'
|
||||
marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
|
||||
block: |
|
||||
Match Address {{ evolix_trusted_ips | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group {{ evobsd_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- not ssh_allowgroups
|
||||
- grep_allowusers_ssh == 1
|
||||
- evolix_trusted_ips != []
|
||||
|
||||
- name: disable root login
|
||||
- name: "Disable root login"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
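Review bot: The new password hardening is gated on `evolix_trusted_ips != []` in the blockinfile task's `when:`, so on a host with no trusted addresses the whole block — including `Match Group {{ evobsd_group }}` / `PasswordAuthentication no` — is skipped and password logins for the admin group stay enabled (sshd's default). The `Match Group` stanza should be written unconditionally and only the `Match Address` stanza guarded, which can be done inside `block:` with a Jinja conditional, dropping the task-level `when`. Note also that sshd keeps the first value obtained for each keyword, so with `Match Address` listed first a member of `{{ evobsd_group }}` connecting from a trusted address still gets password authentication; if that is intended, say so in a comment above the task. If the conditions `not ssh_allowgroups` and `grep_allowusers_ssh == 1` seen in this hunk survive on the new side, the second one compares the registered result dict to an integer and can never be true; it would need `grep_allowusers_ssh.rc == 1`.

```yaml
    block: |
      {% if evolix_trusted_ips | length > 0 %}
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      {% endif %}
      Match Group {{ evobsd_group }}
          PasswordAuthentication no
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  # no task-level `when`: the Match Group stanza must apply even with no trusted IPs
```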
|
||||
|
|
|
@ -1,16 +1,31 @@
|
|||
---
|
||||
- name: "Group '{{ user.name }}' is present"
|
||||
group:
|
||||
state: present
|
||||
name: "{{ user.name }}"
|
||||
gid: "{{ user.uid }}"
|
||||
|
||||
- name: "User '{{ user.name }}' is present"
|
||||
user:
|
||||
state: present
|
||||
name: '{{ user.name }}'
|
||||
uid: '{{ user.uid }}'
|
||||
password: '{{ user.password_hash_openbsd }}'
|
||||
group: "{{ user.name }}"
|
||||
groups: wheel
|
||||
shell: /bin/ksh
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Home directory for '{{ user.name }}' is only accesible by owner"
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: "0700"
|
||||
owner: "{{ user.name }}"
|
||||
group: "{{ user.name }}"
|
||||
state: directory
|
||||
|
||||
- name: "SSH public keys for '{{ user.name }}' are present"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
|
@ -23,18 +38,10 @@
|
|||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
|
||||
- name: "Add {{ user.name }} to {{ evobsd_group }} group"
|
||||
user:
|
||||
name: "{{ user.name }}"
|
||||
groups: "{{ evolinux_sudo_group }}"
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
|
||||
user:
|
||||
name: "{{ user.name }}"
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
groups: "{{ evobsd_group }}"
|
||||
append: true
|
||||
tags:
|
||||
- admin
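Review bot: Every account created by the `user:` task is placed in `wheel` (`groups: wheel`) on top of the `{{ evobsd_group }}` membership added by the last task in this file, and nothing in the hunk explains why; on OpenBSD wheel membership is what allows `su` to root, so this widens the path to root beyond the doas rules keyed on `{{ evobsd_group }}`. If wheel is not required, drop that line; if it is, document it with a comment such as `# wheel: lets admins su(1) to root as a fallback when doas is unavailable` above `groups: wheel`. The `password:` argument is handed to the system tools verbatim, so `user.password_hash_openbsd` must already be a bcrypt hash; a comment like `# must be a pre-computed bcrypt hash ($2b$...), never a plaintext password` would prevent an unhashed value being written to master.passwd.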
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
|
||||
permit nopass root
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
|
||||
|
|
|
@ -8,9 +8,6 @@
|
|||
#
|
||||
# general_alert_email: "root@localhost"
|
||||
# general_technical_realm: "example.com"
|
||||
evolinux_ssh_group: "evolinux-ssh"
|
||||
evolinux_sudo_group: "evolinux-sudo"
|
||||
evolinux_root_disable_ssh: true
|
||||
#
|
||||
# evomaintenance_realm: "example.com"
|
||||
# evomaintenance_alert_email:
|
||||
|
@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
|
|||
# evomaintenance_urgency_from: mama.doe@example.com
|
||||
# evomaintenance_urgency_tel: "06.00.00.00.00"
|
||||
#
|
||||
evobsd_group: "evolix"
|
||||
#
|
||||
# evolix_users:
|
||||
# foo:
|
||||
# name: foo
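Review bot: `evolix_trusted_ips` and `evolix_users`, which the sshd and user tasks in this PR reference (`evolix_trusted_ips != []`, `with_dict: "{{ evolix_users }}"`), get no default in the lines added here — only a commented `# evolix_users:` example appears next to `evobsd_group: "evolix"` — so a play that does not set them fails on the comparison rather than taking the "no trusted IPs / no users" path. If they are not defined elsewhere in this file, add `evolix_trusted_ips: []` and `evolix_users: {}` beside `evobsd_group`. The removed `evolinux_root_disable_ssh: true` should also be checked against the `Disable root login` task that remains in the sshd tasks; if that task is still conditioned on the variable, it now references an undefined name.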
|
||||
|
|