Adds a bunch of checks for ubuntu to evolinux-base and evolinux-users
This feels a bit hacky, but it's the best I could come up with on short order
parent
9d8d0776d7
commit
c45ac84334
|
@ -13,7 +13,7 @@
|
||||||
# We want to allow any user from a list of IP addresses to login with password,
|
# We want to allow any user from a list of IP addresses to login with password,
|
||||||
# but users of the "evolix" group can't login with password from other IP addresses
|
# but users of the "evolix" group can't login with password from other IP addresses
|
||||||
|
|
||||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
|
@ -27,7 +27,7 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolinux_ssh_password_auth_addresses != []
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
|
|
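Review bot: Ubuntu releases older than 18 no longer match the rewritten `when:` entry (the one ending in `version_compare('18', '>=')`), whereas the old version-only test matched any major version of 10 or more. Whether the following "Jessie/Stretch" task picks those hosts up depends on its own condition, which is outside this hunk. If that is a plain version test below 10, such a host gets neither EVOLINUX PASSWORD RESTRICTIONS block, and sshd keeps whatever password policy was already in the file. I would fail early on unsupported releases rather than skip silently, and add a comment above the condition such as `# Ubuntu 18.04+ ships an OpenSSH recent enough for the Debian 10 directives` if that is the reason for the pairing. The blockinfile arguments between the two hunks are not shown, so it is also worth confirming the edit is validated (for example `validate: '/usr/sbin/sshd -t -f %s'`) before `reload sshd` fires.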
@ -125,7 +125,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
when:
|
when:
|
||||||
- evolinux_system_alert5_init
|
- evolinux_system_alert5_init
|
||||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- name: Enable alert5 init script (jessie/stretch)
|
- name: Enable alert5 init script (jessie/stretch)
|
||||||
service:
|
service:
|
||||||
|
@ -134,7 +134,7 @@
|
||||||
when:
|
when:
|
||||||
- evolinux_system_alert5_init
|
- evolinux_system_alert5_init
|
||||||
- evolinux_system_alert5_enable
|
- evolinux_system_alert5_enable
|
||||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
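Review bot: The `or ansible_distribution == "Ubuntu"` added to both `when:` lists has no version bound, unlike the `>= 18` tests used elsewhere in this commit, so every Ubuntu release takes the jessie/stretch init-script path. If only 18.04 and later are supported, the clause should read `(ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`. The visible task name still says "(jessie/stretch)" and should mention Ubuntu. The same commit groups Ubuntu 18 with Debian 10 for the sshd directives but with jessie/stretch here, so a one-line comment explaining why alert5 uses the init script on Ubuntu would save the next reader from assuming it is a mistake.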
@ -3,9 +3,9 @@
|
||||||
- name: "System compatibility checks"
|
- name: "System compatibility checks"
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
msg: only compatible with Debian >= 8
|
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||||
|
|
|
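Review bot: The two `that:` entries are ANDed and the version entry is not tied to the distribution, so `(… version_compare('8', '>=')) or (… version_compare('18', '>='))` reduces to "major version >= 8" and Ubuntu 14.04 or 16.04 passes the compatibility check. The assertion is meant to gate the SSH and sudo tasks that follow, so it should pair each distribution with its own floor in a single entry: `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`. The message would also read more accurately as `msg: only compatible with Debian >= 8 or Ubuntu >= 18.04`.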
@ -28,9 +28,9 @@
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
|
||||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: ssh_allowgroups
|
var: ssh_allowgroups
|
||||||
|
|
|
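Review bot: With the new conditions, a host that is neither Debian nor Ubuntu >= 18 and has neither AllowGroups nor AllowUsers in sshd_config ends up with both `ssh_allowgroups` and `ssh_allowusers` false. Before this change, exactly one of the two was always true in that situation. What the later tasks do when both are false is outside this hunk, but if they are each guarded by one of these facts, new users would be created without being added to any sshd allow directive. Defining `ssh_allowusers` as the complement (`grep_allowusers_ssh.rc == 0 or (grep_allowgroups_ssh.rc != 0 and not <the distribution test used for ssh_allowgroups>)`) keeps the pair exhaustive. The two comments above the facts still mention only Debian and should be updated, for example `# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+ / Ubuntu 18+",`.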
@ -4,6 +4,6 @@
|
||||||
when: ansible_lsb.codename == "jessie"
|
when: ansible_lsb.codename == "jessie"
|
||||||
|
|
||||||
- include: sudo_stretch.yml
|
- include: sudo_stretch.yml
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
|
@ -59,31 +59,32 @@
|
||||||
|
|
||||||
## Group for SSH authorizations
|
## Group for SSH authorizations
|
||||||
|
|
||||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_ssh_group }}"
|
name: "{{ evolinux_ssh_group }}"
|
||||||
state: present
|
state: present
|
||||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: "{{ evolinux_ssh_group }}"
|
groups: "{{ evolinux_ssh_group }}"
|
||||||
append: yes
|
append: yes
|
||||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
## Optional group for all evolinux users
|
## Optional group for all evolinux users
|
||||||
|
|
||||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
|
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_internal_group }}"
|
name: "{{ evolinux_internal_group }}"
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- evolinux_internal_group is defined
|
- evolinux_internal_group is defined
|
||||||
- evolinux_internal_group != ""
|
- evolinux_internal_group != ""
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
|
|
||||||
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: "{{ evolinux_internal_group }}"
|
groups: "{{ evolinux_internal_group }}"
|
||||||
|
@ -91,7 +92,8 @@
|
||||||
when:
|
when:
|
||||||
- evolinux_internal_group is defined
|
- evolinux_internal_group is defined
|
||||||
- evolinux_internal_group != ""
|
- evolinux_internal_group != ""
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
|
|
||||||
## Optional secondary groups, defined per user
|
## Optional secondary groups, defined per user
|
||||||
|
|
||||||
|
|
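Review bot: The compound distribution/version test is written out in full four times in this file (twice with `'10'`, twice with `'9'`) and again in the other files of this commit, which produces very long `when:` lines that can easily drift apart. Computing each variant once near the top of the role with `set_fact` and testing the resulting boolean would keep the tasks readable; a task would then carry something like `when: evolinux_ssh_group_supported` (name is only a suggestion). These conditions decide which users land in the SSH access group, so a single definition also makes it easier to audit which releases get the group-based restriction. The first hunk starts mid-file, so an existing shared fact above it is not visible from here.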