---
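# Detect which sshd access-control directive (AllowUsers or AllowGroups) is
# in use, apply the matching mode, harden PermitRootLogin and optionally add
# the invoking user to the evolinux SSH group.
#
# Version checks below only look at ansible_distribution_major_version; they
# presume a Debian host — TODO confirm this file is never applied elsewhere.

- name: Fetch SSHd config files
  # sshd_config plus the drop-in fragments read through its "Include" directive
  ansible.builtin.command:
    cmd: >-
      find /etc/ssh -type f
      \( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \)
  changed_when: false
  check_mode: false
  register: _ssh_config_paths

- ansible.builtin.debug:
    var: _ssh_config_paths
    verbosity: 1

############################
# AllowUsers or AllowGroups
############################

# Each path is shell-quoted individually so that a name containing whitespace
# survives the command module's argument splitting. A non-zero rc is treated
# as "directive absent" by the set_fact below.
- name: verify AllowGroups directive
  ansible.builtin.command:
    cmd: >-
      grep --extended-regexp --recursive --files-with-matches '^AllowGroups'
      {{ _ssh_config_paths.stdout_lines | map('quote') | join(' ') }}
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh

- ansible.builtin.debug:
    var: grep_allowgroups_ssh
    verbosity: 1

- name: verify AllowUsers directive
  ansible.builtin.command:
    cmd: >-
      grep --extended-regexp --recursive --files-with-matches '^AllowUsers'
      {{ _ssh_config_paths.stdout_lines | map('quote') | join(' ') }}
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- ansible.builtin.debug:
    var: grep_allowusers_ssh
    verbosity: 1

# This role manages exactly one of the two directives; refuse to continue
# (rather than silently pick one) when both are already configured.
- ansible.builtin.assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

- ansible.builtin.set_fact:
    # AllowGroups mode: the directive is already present, or neither directive
    # is present and the host is Debian 10 or later
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
    # AllowUsers mode: the directive is already present, or neither directive
    # is present and the host is older than Debian 10
    ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"

- ansible.builtin.debug:
    var: ssh_allowgroups
    verbosity: 1

- ansible.builtin.debug:
    var: ssh_allowusers
    verbosity: 1

# ansible.builtin.include is deprecated and no longer available in recent
# ansible-core releases; include_tasks is the dynamic equivalent and keeps the
# loop/vars/when semantics used here.
- name: Configure SSH in AllowGroups mode
  ansible.builtin.include_tasks: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers

- name: Configure SSH in AllowUsers mode
  ansible.builtin.include_tasks: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  loop: "{{ evolinux_users | dict2items }}"
  when:
    - user.create == evolinux_users_create
    - ssh_allowusers
    - not ssh_allowgroups

# Do this again, to update the value: the included tasks may have created
# or removed drop-in fragments
- name: Fetch SSHd config files
  ansible.builtin.command:
    cmd: >-
      find /etc/ssh -type f
      \( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \)
  changed_when: false
  check_mode: false
  register: _ssh_config_paths

##################
# PermitRootLogin
##################

### For Debian < 12
# if there is a commented value for PermitRootLogin
# we replace it with a "no"
# NOTE: an explicit, uncommented "PermitRootLogin yes" is left untouched
# by this task; only the commented default is rewritten.
- name: Root login is disabled (Debian < 12)
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
    # same syntax check as the Debian >= 12 task below, so a file sshd
    # cannot parse is never written in place
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '<')

### For Debian >= 12
# if there is no value for PermitRootLogin (anywhere)
# we add a "no" in z-evolinux-users.conf
- name: verify PermitRootLogin directive (Debian >= 12)
  ansible.builtin.command:
    cmd: >-
      grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin'
      {{ _ssh_config_paths.stdout_lines | map('quote') | join(' ') }}
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_permitrootlogin_ssh
  when:
    - ansible_distribution_major_version is version('12', '>=')

- name: Root login is disabled (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
    line: "PermitRootLogin no"
    create: true
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
    insertbefore: "BOF"
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
    # keep this condition last: the registered result has no rc on hosts
    # where the grep task above was skipped
    - grep_permitrootlogin_ssh.rc != 0

#####################
# Allow current user
#####################

# When AllowGroups restricts logins to evolinux_ssh_group, add the account
# that is running this play to that group — presumably so it is not locked
# out by the new configuration.
- name: Allow current user
  block:
    - name: Check if evolinux ssh group is used
      ansible.builtin.command:
        cmd: >-
          grep --extended-regexp --recursive --files-with-matches
          '^AllowGroups.+{{ evolinux_ssh_group }}'
          {{ _ssh_config_paths.stdout_lines | map('quote') | join(' ') }}
      changed_when: false
      failed_when: false
      check_mode: false
      register: grep_evolinux_group_ssh

    - ansible.builtin.debug:
        var: grep_evolinux_group_ssh
        verbosity: 1

    # logname reports the session's login name rather than the effective
    # user, so under become this is the unprivileged account. A failing
    # logname aborts the block — TODO confirm that is intended for
    # connections without a login session.
    - name: "Get current user's login"
      ansible.builtin.command:
        cmd: logname
      changed_when: false
      register: _logname
      check_mode: false

    - ansible.builtin.debug:
        var: evolinux_ssh_group
        verbosity: 1

    - ansible.builtin.debug:
        var: evolinux_ssh_allow_current_user
        verbosity: 1

    # only touch group membership when the group actually appears in an
    # AllowGroups line
    - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
      ansible.builtin.user:
        name: "{{ _logname.stdout }}"
        groups: "{{ evolinux_ssh_group }}"
        append: true
      when:
        - grep_evolinux_group_ssh.rc == 0
  when:
    - evolinux_ssh_group is defined
    - evolinux_ssh_group | length > 0
    - evolinux_ssh_allow_current_user | bool

# apply the pending "reload sshd" notification now, before any later task
# relies on the new configuration
- ansible.builtin.meta: flush_handlers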