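---
# Evolinux user management: create the sudo and ssh groups, create each user
# account, then restrict SSH logins to the ssh group (or to the listed users
# when the host already uses AllowUsers) and disable root login over SSH.
#
# Every sshd_config edit is validated with 'sshd -t' before it is written and
# triggers the 'reload sshd' handler. Note that 'sshd -t' only checks syntax:
# it cannot tell you that a new AllowGroups/AllowUsers line locks out an
# account that is not managed by this role.

- name: "Create {{ evolinux_sudo_group }}"
  group:
    name: "{{ evolinux_sudo_group }}"
    system: true

- name: "Create {{ evolinux_ssh_group }}"
  group:
    name: "{{ evolinux_ssh_group }}"
    system: true

# user.yml receives the per-user mapping, i.e. the dict *value* (the dict is
# keyed by username). 'include' is kept for compatibility with the Ansible
# version this role targets; newer releases spell this 'include_tasks'.
- name: Create user accounts
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolinux_users }}"
  when: evolinux_users != {}

# Only active (uncommented, column-0) directives count.
# rc 0 = present, 1 = absent, 2 = grep error (e.g. sshd_config unreadable).
# check_mode: false so these facts are also gathered during --check runs.
- name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh

- name: verify AllowUsers directive
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

# sshd applies DenyUsers/AllowUsers/DenyGroups/AllowGroups in a fixed order;
# with both Allow* directives present, the effective policy is easy to get
# wrong, so refuse to manage such a config rather than silently weaken it.
- name: "Check that AllowUsers and AllowGroup do not override each other"
  assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

# Prefer AllowGroups: use it when it already exists, or when neither directive
# exists. Fall back to AllowUsers only when AllowUsers is already the
# mechanism in use on this host.
- name: "If AllowGroups is present then use it"
  set_fact:
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"

# Adding AllowGroups restricts SSH to members of evolinux_ssh_group only:
# any other account (including pre-existing admins not listed in
# evolinux_users) loses SSH access. The rc == 1 guard keeps this idempotent
# despite the leading "\n" in 'line' (it would not match on a second run).
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evolinux_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1

# Append the group only when it is not already listed (negative lookahead on
# the whole-word group name) so re-runs do not duplicate it.
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
    replace: '\1 {{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0

# with_dict items expose .key and .value, never .name: the per-user mapping
# (the same one handed to user.yml) is item.value, so the username is
# item.value.name (assumes each value carries a 'name' field, as the original
# 'item.name' already did).
# Run only when an active AllowUsers line exists (rc == 0). The original
# condition compared the whole registered dict to 1, which is never true, so
# new users were silently never added to AllowUsers.
- name: "Append '{{ item.value.name }}' to AllowUsers sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowUsers ((?!\b{{ item.value.name }}\b).)*)$'
    replace: '\1 {{ item.value.name }}'
    validate: '/usr/sbin/sshd -t -f %s'
  with_dict: "{{ evolinux_users }}"
  notify: reload sshd
  when:
    - not ssh_allowgroups
    - grep_allowusers_ssh.rc == 0

# Same grep/register pattern as for Allow*: is there an active (uncommented,
# column-0) PermitRootLogin directive at all?
- name: verify PermitRootLogin directive
  command: "grep -E '^PermitRootLogin' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_permitrootlogin_ssh

# Rewrite every active PermitRootLogin that still permits root, keeping any
# indentation (a Match block may set it too). The value list is unchanged
# from the original on purpose: 'forced-commands-only' is left alone.
- name: disable root login
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(\s*)PermitRootLogin\s+(yes|without-password|prohibit-password)\b'
    replace: '\1PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd

# The replace above only rewrites an existing line. With no directive at all,
# OpenSSH >= 7.0 defaults to 'prohibit-password', i.e. key-based root login
# stays open, so add an explicit 'no'. Inserted at BOF so it cannot land
# inside a trailing Match block; sshd uses the first value it sees for the
# global setting. A Match block that sets PermitRootLogin itself still wins
# for the connections it matches.
- name: "Add PermitRootLogin no when no directive is set"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "PermitRootLogin no"
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: grep_permitrootlogin_ssh.rc == 1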