normalize some arguments positions
This commit is contained in:
parent
42d1cb7906
commit
a94c94018c
|
@ -16,12 +16,12 @@
|
||||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
block: |
|
block: |
|
||||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
Match Group evolix
|
Match Group evolix
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
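Review bot: In the Debian 10+ block, `Match Address` precedes `Match Group evolix`, and sshd keeps the first value it obtains for a keyword across Match blocks, so an evolix member connecting from one of the listed addresses still ends up with `PasswordAuthentication yes`. If the intent is that group members never authenticate by password regardless of source address, the `Match Group evolix` / `PasswordAuthentication no` stanza should come first inside the block. The `validate: '/usr/sbin/sshd -T -f %s'` check is worth keeping, but `-T` only confirms the file parses; it does not catch this precedence question, so a short comment above `block:` stating the intended precedence would help the next reader. The same two-stanza layout is not present in the Jessie/Stretch task below, which only carries the address match.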
|
@ -32,10 +32,10 @@
|
||||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||||
block: |
|
block: |
|
||||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
|
|
@ -26,9 +26,9 @@
|
||||||
- name: Begin marker for IP addresses
|
- name: Begin marker for IP addresses
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
insertbefore: '^# Main interface'
|
insertbefore: '^# Main interface'
|
||||||
|
create: no
|
||||||
|
|
||||||
- name: End marker for IP addresses
|
- name: End marker for IP addresses
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -47,7 +47,6 @@
|
||||||
- name: Configure IP addresses
|
- name: Configure IP addresses
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
content: |
|
content: |
|
||||||
# Main interface
|
# Main interface
|
||||||
|
@ -66,26 +65,26 @@
|
||||||
# Privilegied IPv4 addresses for semi-public services
|
# Privilegied IPv4 addresses for semi-public services
|
||||||
# (no need to add again TRUSTEDIPS)
|
# (no need to add again TRUSTEDIPS)
|
||||||
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
|
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
|
||||||
|
create: no
|
||||||
register: minifirewall_config_ips
|
register: minifirewall_config_ips
|
||||||
|
|
||||||
- name: Begin marker for ports
|
- name: Begin marker for ports
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
insertbefore: '^# Protected services'
|
insertbefore: '^# Protected services'
|
||||||
|
create: no
|
||||||
|
|
||||||
- name: End marker for ports
|
- name: End marker for ports
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
insertafter: '^SERVICESUDP3='
|
insertafter: '^SERVICESUDP3='
|
||||||
|
create: no
|
||||||
|
|
||||||
- name: Configure ports
|
- name: Configure ports
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
content: |
|
content: |
|
||||||
# Protected services
|
# Protected services
|
||||||
|
@ -104,70 +103,71 @@
|
||||||
# Private services (IPv4)
|
# Private services (IPv4)
|
||||||
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
|
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
|
||||||
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
||||||
|
create: no
|
||||||
register: minifirewall_config_ports
|
register: minifirewall_config_ports
|
||||||
|
|
||||||
- name: Configure DNSSERVEURS
|
- name: Configure DNSSERVEURS
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
||||||
regexp: "DNSSERVEURS='.*'"
|
regexp: "DNSSERVEURS='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_dns_servers is not none
|
when: minifirewall_dns_servers is not none
|
||||||
|
|
||||||
- name: Configure HTTPSITES
|
- name: Configure HTTPSITES
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||||
regexp: "HTTPSITES='.*'"
|
regexp: "HTTPSITES='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_http_sites is not none
|
when: minifirewall_http_sites is not none
|
||||||
|
|
||||||
- name: Configure HTTPSSITES
|
- name: Configure HTTPSSITES
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
||||||
regexp: "HTTPSSITES='.*'"
|
regexp: "HTTPSSITES='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_https_sites is not none
|
when: minifirewall_https_sites is not none
|
||||||
|
|
||||||
- name: Configure FTPSITES
|
- name: Configure FTPSITES
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
||||||
regexp: "FTPSITES='.*'"
|
regexp: "FTPSITES='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_ftp_sites is not none
|
when: minifirewall_ftp_sites is not none
|
||||||
|
|
||||||
- name: Configure SSHOK
|
- name: Configure SSHOK
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
||||||
regexp: "SSHOK='.*'"
|
regexp: "SSHOK='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_ssh_ok is not none
|
when: minifirewall_ssh_ok is not none
|
||||||
|
|
||||||
- name: Configure SMTPOK
|
- name: Configure SMTPOK
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
||||||
regexp: "SMTPOK='.*'"
|
regexp: "SMTPOK='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_smtp_ok is not none
|
when: minifirewall_smtp_ok is not none
|
||||||
|
|
||||||
- name: Configure SMTPSECUREOK
|
- name: Configure SMTPSECUREOK
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
||||||
regexp: "SMTPSECUREOK='.*'"
|
regexp: "SMTPSECUREOK='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_smtp_secure_ok is not none
|
when: minifirewall_smtp_secure_ok is not none
|
||||||
|
|
||||||
- name: Configure NTPOK
|
- name: Configure NTPOK
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
|
||||||
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
||||||
regexp: "NTPOK='.*'"
|
regexp: "NTPOK='.*'"
|
||||||
|
create: no
|
||||||
when: minifirewall_ntp_ok is not none
|
when: minifirewall_ntp_ok is not none
|
||||||
|
|
||||||
- name: evomaintenance
|
- name: evomaintenance
|
||||||
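Review bot: The `lineinfile` tasks in this hunk use unanchored patterns such as `regexp: "DNSSERVEURS='.*'"`, and `lineinfile` replaces the last line that matches, so a commented example line like `# DNSSERVEURS='…'` — if the minifirewall config carries one, which I cannot confirm from here — would be the line rewritten instead of the live assignment. Anchoring each pattern, `regexp: "^DNSSERVEURS='.*'"` (and likewise for HTTPSITES, HTTPSSITES, FTPSITES, SSHOK, SMTPOK, SMTPSECUREOK, NTPOK), limits the match to the real variable. On style, `create: no` is a YAML 1.1 truthy spelling that yamllint flags; `create: false` is the canonical form, and the same applies to the moved `create: no` lines in the earlier minifirewall hunks at -26, -47 and -66.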
|
|
|
@ -77,6 +77,7 @@
|
||||||
- name: adjustments for grsec kernel
|
- name: adjustments for grsec kernel
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/munin/plugin-conf.d/munin-node
|
dest: /etc/munin/plugin-conf.d/munin-node
|
||||||
|
marker: "# {mark} GRSECURITY CUSTOMIZATIONS"
|
||||||
block: |
|
block: |
|
||||||
|
|
||||||
[processes]
|
[processes]
|
||||||
|
|
|
@ -78,10 +78,10 @@
|
||||||
- name: "Rbenv is initialized in profile for {{ username }}"
|
- name: "Rbenv is initialized in profile for {{ username }}"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: '~{{ username }}/.profile'
|
dest: '~{{ username }}/.profile'
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
|
||||||
block: |
|
block: |
|
||||||
export PATH="{{ rbenv_root }}/bin:$PATH"
|
export PATH="{{ rbenv_root }}/bin:$PATH"
|
||||||
eval "$(rbenv init -)"
|
eval "$(rbenv init -)"
|
||||||
marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
|
|
||||||
become_user: "{{ username }}"
|
become_user: "{{ username }}"
|
||||||
become: yes
|
become: yes
|
||||||
tags:
|
tags:
|
||||||
|
|
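Review bot: `become: yes` on the rbenv task is a YAML 1.1 truthy value; writing `become: true` is the canonical boolean and is what yamllint's truthy rule expects, and it matches how this role's other booleans should be spelled. The `tags:` list that closes the task continues outside the hunk.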