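---
# Detect whether sshd already restricts logins with AllowGroups.
# The recursive grep covers /etc/ssh/sshd_config.d/ as well as sshd_config;
# note that it is case-sensitive whereas sshd keywords are not, so an
# unusual spelling of the directive would go unnoticed here.
- name: verify AllowGroups directive
  ansible.builtin.command:
    cmd: "grep -Er '^AllowGroups' /etc/ssh"
  # Only the return code is consumed later: 0 = directive found, 1 = absent.
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh

- name: show AllowGroups detection result
  ansible.builtin.debug:
    var: grep_allowgroups_ssh
    verbosity: 1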
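# Detect whether sshd already restricts logins with AllowUsers.
# Same search strategy (and same case-sensitivity caveat) as the
# AllowGroups check above.
- name: verify AllowUsers directive
  ansible.builtin.command:
    cmd: "grep -Er '^AllowUsers' /etc/ssh"
  # Only the return code is consumed later: 0 = directive found, 1 = absent.
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- name: show AllowUsers detection result
  ansible.builtin.debug:
    var: grep_allowusers_ssh
    verbosity: 1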
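# The ssh_allow*.yml task files each manage one directive; having both
# AllowUsers and AllowGroups active at once is not supported, so stop here.
# Having neither is fine: the facts set below pick one.
- name: refuse to continue when both AllowUsers and AllowGroups are set
  ansible.builtin.assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"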
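# Choose which directive this role will manage from now on.
- name: decide between AllowGroups and AllowUsers management
  ansible.builtin.set_fact:
    # true when AllowGroups is present, or when AllowUsers is absent on Debian >= 10
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
    # true when AllowUsers is present, or when AllowGroups is absent on Debian < 10
    ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"

- name: show AllowGroups decision
  ansible.builtin.debug:
    var: ssh_allowgroups
    verbosity: 1

- name: show AllowUsers decision
  ansible.builtin.debug:
    var: ssh_allowusers
    verbosity: 1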
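# `ansible.builtin.include` is deprecated (and dropped from recent
# ansible-core releases); include_tasks is its dynamic replacement.
- name: manage AllowGroups
  ansible.builtin.include_tasks: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers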
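# `ansible.builtin.include` is deprecated (and dropped from recent
# ansible-core releases); include_tasks is the dynamic replacement and
# supports loop/vars as used here.
- name: manage AllowUsers for each Evolinux user
  ansible.builtin.include_tasks: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  loop: "{{ evolinux_users | dict2items }}"
  loop_control:
    # Print only the user name per iteration: the full item would echo
    # every field of the user definition into the play output, and such
    # entries may carry sensitive values (password hashes, keys) — confirm
    # against the role's evolinux_users schema.
    label: "{{ item.key }}"
  # The two mode checks do not depend on the item, so they come first:
  # when the AllowUsers mode is off the per-user condition is never
  # evaluated, which also avoids errors on entries that lack `create`.
  when:
    - ssh_allowusers
    - not ssh_allowgroups
    - user.create == evolinux_users_create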
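# Debian <= 11: edit the main sshd_config in place.
- name: disable root login
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    # Match the directive whether it is the commented-out default or an
    # explicit value: the previous pattern only matched "#PermitRootLogin",
    # so an active "PermitRootLogin yes" survived with root login enabled.
    regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
    # Refuse to write a configuration sshd itself rejects (same check as the
    # Debian >= 12 task).
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('11', '<=')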
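# Debian >= 12: find out whether PermitRootLogin is already set anywhere
# under /etc/ssh (main file or a drop-in) before adding our own drop-in.
- name: verify PermitRootLogin directive (Debian >= 12)
  ansible.builtin.command:
    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
  # rc 0 = directive found, 1 = absent, anything else = grep itself failed.
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_permitrootlogin_ssh
  when:
    - ansible_distribution_major_version is version('12', '>=')

- name: show PermitRootLogin detection result
  ansible.builtin.debug:
    var: grep_permitrootlogin_ssh
    verbosity: 1

# When the directive already exists it is deliberately left untouched, which
# means root login stays whatever it currently is. Say so in the output
# instead of skipping silently, so an explicit "PermitRootLogin yes" gets
# noticed. The rc check is last on purpose: on Debian < 12 the registered
# variable is a skipped result without rc, and Ansible stops at the first
# false condition.
- name: warn when PermitRootLogin is already configured (Debian >= 12)
  ansible.builtin.debug:
    msg: "PermitRootLogin is already set, the Evolinux drop-in is not written: {{ grep_permitrootlogin_ssh.stdout_lines }}"
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
    - grep_permitrootlogin_ssh.rc == 0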
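# Debian >= 12: ship the setting as a drop-in rather than editing sshd_config,
# and only when no PermitRootLogin directive exists yet (an earlier-sorting
# drop-in would take precedence over ours anyway, since sshd keeps the first
# value it reads).
- name: disable root login (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
    line: "PermitRootLogin no"
    create: true
    mode: "0644"
    # -f checks this drop-in on its own, not the merged sshd configuration.
    validate: '/usr/sbin/sshd -t -f %s'
    insertbefore: "BOF"
  notify: reload sshd
  # Keep the rc check last: on Debian < 12 the grep task was skipped and its
  # registered result has no rc; Ansible stops at the first false condition,
  # so the version check protects it. rc values other than 0/1 (grep error)
  # also skip this task, which is the safe side.
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
    - grep_permitrootlogin_ssh.rc == 1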
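# Run the pending "reload sshd" handler now, so the new login restrictions
# are in force before any later task relies on them.
- name: apply pending sshd reload
  ansible.builtin.meta: flush_handlers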