Release of EvoBSD 6.8.0 #37
6
roles/accounts/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
|
||||
- name: reload sshd
|
||||
service:
|
||||
name: sshd
|
||||
state: reloaded
|
|
@ -1,7 +1,75 @@
|
|||
---
|
||||
- name: "Create {{ evolinux_sudo_group }}"
|
||||
group:
|
||||
name: "{{ evolinux_sudo_group }}"
|
||||
system: true
|
||||
|
||||
- name: Create user accounts
|
||||
include: user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
register: grep_allowgroups_ssh
|
||||
|
||||
- name: verify AllowUsers directive
|
||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
register: grep_allowusers_ssh
|
||||
|
||||
- assert:
|
||||
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
||||
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
||||
|
||||
- set_fact:
|
||||
# If "AllowGroups is present"
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- grep_allowgroups_ssh.rc == 1
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
|
||||
replace: '\1 {{ item.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- not ssh_allowgroups
|
||||
- grep_allowusers_ssh == 1
|
||||
|
||||
- name: disable root login
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
|
|
|
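Review bot: The `when` on the "Append '{{ item.name }}' to AllowUsers sshd directive" task compares the whole registered result with an integer, `- grep_allowusers_ssh == 1`, so it can never be true and users are never appended when the host already uses AllowUsers; since `not ssh_allowgroups` already implies that grep found the directive, the line should read `- grep_allowusers_ssh.rc == 0`. On a host with neither directive, `ssh_allowgroups` evaluates true and the lineinfile task inserts `AllowGroups {{ evolinux_ssh_group }}`, but nothing in the visible hunks adds any account to `evolinux_ssh_group` (user.yml only adds users to `evolinux_sudo_group`), so unless membership is handled in a file not on the page, `sshd -t` passes and every user is locked out of SSH at the next reload. The "disable root login" task only rewrites an existing uncommented `PermitRootLogin` line, so an absent or commented-out directive leaves root login at sshd's built-in default; a `lineinfile` with `regexp: '^#?PermitRootLogin '` would cover both cases, and unlike the other sshd edits this one carries no `validate: '/usr/sbin/sshd -t -f %s'`. The page does not show this section's file name.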
@ -7,7 +7,7 @@
|
|||
password: '{{ user.password_hash_openbsd }}'
|
||||
groups: wheel
|
||||
shell: /bin/ksh
|
||||
append: yes
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
|
||||
|
@ -22,3 +22,11 @@
|
|||
when: user.ssh_keys is defined
|
||||
tags:
|
||||
- admin
|
||||
|
||||
- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
|
||||
user:
|
||||
name: "{{ user.name }}"
|
||||
groups: "{{ evolinux_sudo_group }}"
|
||||
append: true
|
||||
tags:
|
||||
- admin
|
||||
|
|
|
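Review bot: The new "Add {{ user.name }} to {{ evolinux_sudo_group }} group" task has no condition, so every entry of `evolinux_users` becomes a doas-capable root user; if that is the intent, it can be expressed in the user-creation task of the previous hunk (`groups: "wheel,{{ evolinux_sudo_group }}"` with the existing `append: true`) rather than a second `user:` call that re-resolves the same account. The `groups: wheel` context line in that hunk also shows users still land in wheel even though doas.conf now binds its rules to `evolinux_sudo_group`; on OpenBSD wheel membership is what su(1) checks by default, so the new group does not by itself narrow who can become root. The `append: yes` → `append: true` change is the right fix for yamllint's truthy rule. The enclosing file name is not shown on the page.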
@ -1,7 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel
|
||||
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
|
||||
permit nopass root
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
|
||||
permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
|
||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
|
||||
|
|
|
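Review bot: A bad render of `{{ evolinux_sudo_group }}` (empty, or a value containing whitespace) would leave `permit … :` lines that doas rejects, and because doas refuses to run at all on a syntactically invalid doas.conf, that would lock out privilege escalation on the host; the template task that writes this file (outside the hunk) should carry `validate: 'doas -C %s'` so a broken render is never installed. Rule order is otherwise preserved — the `nopass` evomaintenance rule still follows the general group permit, which matters because doas applies the last matching rule. The page does not show this section's file name, but the content is a doas.conf template rather than YAML.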
@ -8,6 +8,9 @@
|
|||
#
|
||||
#general_alert_email: "root@localhost"
|
||||
#general_technical_realm: "example.com"
|
||||
evolinux_ssh_group: "evolinux-ssh"
|
||||
evolinux_sudo_group: "evolinux-sudo"
|
||||
evolinux_root_disable_ssh: true
|
||||
#
|
||||
#evomaintenance_realm: "example.com"
|
||||
#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
|
||||
|
|
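Review bot: `evolinux_root_disable_ssh: true` is introduced here but no visible task reads it; the "disable root login" task in the tasks hunk has no `when`, so this default cannot currently turn that behaviour off (it may be consumed in a file not on the page). `evolinux_ssh_group: "evolinux-ssh"` likewise has no matching group-creation task in the visible hunks, while `evolinux_sudo_group` gets one; sshd accepts an AllowGroups entry for a nonexistent group, so nothing would flag the gap at validate time. A short comment above these three keys stating where each is consumed would help, e.g. `# Group allowed to log in via SSH (sshd AllowGroups); members must be added explicitly`.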