evolix
/
EvoBSD
16
0
Fork 0
Code Issues 2 Pull Requests Releases 3 Wiki Activity
EvoBSD/roles/accounts/tasks/main.yml

82 lines
2.3 KiB
YAML
Raw Blame History

---
- name: "Create {{ evolinux_sudo_group }}"
group:
name: "{{ evolinux_sudo_group }}"
system: true
- name: "Create {{ evolinux_ssh_group }}"
group:
name: "{{ evolinux_ssh_group }}"
system: true
- name: Create user accounts
include: user.yml
vars:
user: "{{ item.value }}"
with_dict: "{{ evolinux_users }}"
when: evolinux_users != {}
- name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
register: grep_allowgroups_ssh
- name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
register: grep_allowusers_ssh
- name: "Check that AllowUsers and AllowGroup do not override each other"
assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
- name: "If AllowGroups is present then use it"
set_fact:
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 1
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ evolinux_ssh_group }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- ssh_allowgroups
- grep_allowgroups_ssh.rc == 0
- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
replace: '\1 {{ item.name }}'
validate: '/usr/sbin/sshd -t -f %s'
with_dict: "{{ evolinux_users }}"
notify: reload sshd
when:
- not ssh_allowgroups
- grep_allowusers_ssh == 1
- name: disable root login
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
Reference in New Issue View Git Blame Copy Permalink