Jérémy Dubois
70ab0c80de
So that new users are not created and customized passwords are not reset based on vars files when executing evolixisation.yml again
# yamllint disable rule:line-length
---

# Create the EvoBSD internal, ssh and sudo groups as system groups.
# The three group names come from role variables.
- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
  ansible.builtin.group:
    name: "{{ item }}"
    system: true
  loop:
    - "{{ evobsd_internal_group }}"
    - "{{ evobsd_ssh_group }}"
    - "{{ evobsd_sudo_group }}"
  tags:
    - accounts
    - admin

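# Run user.yml once per entry of evolix_users, exposing the entry's value
# as `user`.  The legacy `include` action is deprecated (and dropped in
# recent ansible-core); `include_tasks` is its dynamic replacement, and a
# loop made the old `include` dynamic as well.
# NOTE(review): tags on a dynamic include select the include task itself
# only; the tasks inside user.yml need their own tags (or `apply`) to be
# selectable — confirm user.yml carries them.
- name: "Create user accounts"
  ansible.builtin.include_tasks: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolix_users }}"
  when:
    # Per-entry gate: the entry's `create` flag must equal
    # evobsd_users_create (presumably so that existing accounts are
    # skipped on a re-run — see the commit message; confirm in user.yml).
    - user.create == evobsd_users_create
    - evolix_users != {}
  tags:
    - accounts
    - admin
    - users
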
# Probe sshd_config for a column-0 AllowGroups directive.  Only the return
# code is consumed downstream (grep: 0 = match, 1 = no match, >1 = error),
# so the task never reports a change or a failure and also runs in check mode.
- name: "Verify AllowGroups directive"
  ansible.builtin.command:
    argv:
      - grep
      - '-E'
      - '^AllowGroups'
      - /etc/ssh/sshd_config
  register: grep_allowgroups_ssh
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - accounts
    - admin

# Same probe as above for a column-0 AllowUsers directive; the return code
# is registered for the mutual-exclusion check and the set_fact below.
- name: "Verify AllowUsers directive"
  ansible.builtin.command:
    argv:
      - grep
      - '-E'
      - '^AllowUsers'
      - /etc/ssh/sshd_config
  register: grep_allowusers_ssh
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - accounts
    - admin

# Abort if sshd_config carries both directives: this role only manages
# AllowGroups and cannot reconcile it with an AllowUsers list.
# (Equivalent to: not (allowusers present and allowgroups present).)
- name: "Check that AllowUsers and AllowGroup do not override each other"
  ansible.builtin.assert:
    that:
      - grep_allowusers_ssh.rc != 0 or grep_allowgroups_ssh.rc != 0
    fail_msg: "We can't deal with AllowUsers and AllowGroups at the same time"
  tags:
    - accounts
    - admin

# ssh_allowgroups is true when AllowGroups already exists, or when neither
# directive exists (so AllowGroups can be introduced).  It is false only
# when AllowUsers is present without AllowGroups, in which case the two
# AllowGroups tasks below are skipped.
- name: "If AllowGroups is present then use it"
  ansible.builtin.set_fact:
    ssh_allowgroups: "{{ grep_allowgroups_ssh.rc == 0 or grep_allowusers_ssh.rc != 0 }}"
  tags:
    - accounts
    - admin

# No AllowGroups directive yet (grep rc == 1): insert one, preceded by a
# blank line, after the Subsystem line.  The candidate file is checked
# with `sshd -t` before it replaces sshd_config.
# NOTE(review): `insertafter` is a regexp and lineinfile falls back to EOF
# when nothing matches; on a sshd_config without a Subsystem line the
# directive would land after any trailing Match block — confirm on hosts
# with a non-stock configuration.
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evobsd_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1
  tags:
    - accounts
    - admin

# An AllowGroups directive exists (grep rc == 0): append the EvoBSD ssh
# group to it unless the negative lookahead finds the group already listed
# as a whole word.  Validated with `sshd -t` before being written.
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
    replace: '\1 {{ evobsd_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0
  tags:
    - accounts
    - admin

# Managed Match blocks at the end of sshd_config: password authentication
# stays enabled from the trusted addresses and is disabled for members of
# the internal group.  Only rendered when evolix_trusted_ips is non-empty,
# since an empty Match Address list would be invalid.  Validated with
# `sshd -t` before being written.
- name: "Security directives for EvoBSD"
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    insertafter: EOF
    block: |
      Match Address {{ evolix_trusted_ips | join(',') }}
      PasswordAuthentication yes
      Match Group {{ evobsd_internal_group }}
      PasswordAuthentication no
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolix_trusted_ips != []
  tags:
    - accounts
    - admin

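# Set PermitRootLogin to evobsd_root_login.  The leading `#` is optional in
# the regexp so that a commented-out directive (upstream sshd_config
# typically ships "#PermitRootLogin prohibit-password") is rewritten too;
# without that, the task is a no-op and sshd's built-in default stays in
# force.  As with the other sshd_config edits in this file, the candidate
# file is validated with `sshd -t` before it is written.
# NOTE(review): `replace` never inserts — a sshd_config with no
# PermitRootLogin line at all is still left untouched; confirm whether
# that case needs handling.
- name: "Disable root login"
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin\s+(yes|without-password|prohibit-password)'
    replace: "PermitRootLogin {{ evobsd_root_login }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  tags:
    - accounts
    - admin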