evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

Adds a bunch of checks for ubuntu to evolinux-base and evolinux-users
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
continuous-integration/drone/pr Build encountered an error
Details

Browse source 
This feels a bit hacky, but it's the best I could come up with on
short order
This commit is contained in:
Patrick Marchand 2019-07-04 20:06:22 -04:00
parent 9d8d0776d7
commit c45ac84334
6 changed files with 20 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
evolinux-base/tasks/ssh.yml
View file

@ -13,7 +13,7 @@
# We want to allow any user from a list of IP addresses to login with password,
# but users of the "evolix" group can't login with password from other IP addresses
- name: "Security directives for Evolinux (Debian 10 or later)"
- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
@ -27,7 +27,7 @@
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
- ansible_distribution_major_version | version_compare('10', '>=')
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
- name: Security directives for Evolinux (Jessie/Stretch)
blockinfile:

4
evolinux-base/tasks/system.yml
View file

@ -125,7 +125,7 @@
mode: "0755"
when:
- evolinux_system_alert5_init
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
- name: Enable alert5 init script (jessie/stretch)
service:
@ -134,7 +134,7 @@
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"

6
evolinux-users/tasks/main.yml
View file

@ -3,9 +3,9 @@
- name: "System compatibility checks"
assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('8', '>=')
msg: only compatible with Debian >= 8
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
- debug:
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"

4
evolinux-users/tasks/ssh.yml
View file

@ -28,9 +28,9 @@
- set_fact:
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
- debug:
var: ssh_allowgroups

2
evolinux-users/tasks/sudo.yml
View file

@ -4,6 +4,6 @@
when: ansible_lsb.codename == "jessie"
- include: sudo_stretch.yml
when: ansible_distribution_major_version | version_compare('9', '>=')
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
- meta: flush_handlers

18
evolinux-users/tasks/user.yml
View file

@ -59,31 +59,32 @@
## Group for SSH authorizations
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
group:
name: "{{ evolinux_ssh_group }}"
state: present
when: ansible_distribution_major_version | version_compare('10', '>=')
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_ssh_group }}"
append: yes
when: ansible_distribution_major_version | version_compare('10', '>=')
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
## Optional group for all evolinux users
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
group:
name: "{{ evolinux_internal_group }}"
state: present
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- ansible_distribution_major_version | version_compare('9', '>=')
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_internal_group }}"
@ -91,7 +92,8 @@
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- ansible_distribution_major_version | version_compare('9', '>=')
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
## Optional secondary groups, defined per user