From f152ba66cdee44802c58e6470081f9ffc9cbc840 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 1 Mar 2018 18:26:18 +0100 Subject: [PATCH] evolinux-users: regroup tasks 1. create all accounts 2. configure sudo for everyone 3. configure ssh for everyone --- evolinux-users/tasks/account.yml | 57 ----------- evolinux-users/tasks/main.yml | 12 ++- evolinux-users/tasks/profile.yml | 18 ---- evolinux-users/tasks/root_disable_ssh.yml | 17 ---- evolinux-users/tasks/ssh.yml | 76 ++++++++------ evolinux-users/tasks/ssh_allowgroups.yml | 55 ++-------- evolinux-users/tasks/ssh_allowusers.yml | 9 ++ evolinux-users/tasks/sudo.yml | 9 ++ evolinux-users/tasks/user.yml | 118 ++++++++++++++++++++-- 9 files changed, 192 insertions(+), 179 deletions(-) delete mode 100644 evolinux-users/tasks/account.yml delete mode 100644 evolinux-users/tasks/profile.yml delete mode 100644 evolinux-users/tasks/root_disable_ssh.yml create mode 100644 evolinux-users/tasks/sudo.yml diff --git a/evolinux-users/tasks/account.yml b/evolinux-users/tasks/account.yml deleted file mode 100644 index 1ed142f9..00000000 --- a/evolinux-users/tasks/account.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Add Unix account with classical uid for '{{ user.name }}'" - user: - state: present - uid: '{{ user.uid }}' - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc != 0 - -- name: "Add Unix account with random uid for '{{ user.name }}'" - user: - state: present - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc == 0 - -- name: "Create secondary groups" - group: - name: "{{ group }}" - with_items: "{{ user.groups }}" - loop_control: - loop_var: group - when: user.groups is defined - -- name: "Add user '{{ user.name }}' to secondary groups" - user: - name: '{{ user.name }}' - groups: "{{ user.groups }}" - append: yes - when: user.groups is defined - -- name: "Fix perms on home directory for '{{ user.name }}'" - file: - name: '/home/{{ user.name }}' - mode: "0700" - state: directory diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index ec1400bd..bf9033bc 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -16,5 +16,13 @@ with_dict: "{{ evolinux_users }}" when: evolinux_users != {} -- include: root_disable_ssh.yml - when: evolinux_root_disable_ssh +- name: Configure sudo + include: sudo.yml + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" + when: evolinux_users != {} + +- name: Configure SSH + include: ssh.yml + when: evolinux_users != {} 
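Review bot: The new `Configure SSH` include is guarded by `when: evolinux_users != {}`, and because the `disable root login` task now lives inside ssh.yml, root SSH login is no longer disabled on a host with no users defined even when `evolinux_root_disable_ssh` is true, whereas the removed `root_disable_ssh.yml` include ran regardless of the user list. If that narrowing is deliberate (never turning root off before another account exists), record it on the include, e.g. `# SSH hardening, PermitRootLogin included, only applies once at least one user is managed`; otherwise drop the `when` from this include, since the per-user loop inside ssh.yml already iterates zero times on an empty dict.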
diff --git a/evolinux-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml deleted file mode 100644 index 6a046e52..00000000 --- a/evolinux-users/tasks/profile.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: search profile for presence of evomaintenance - command: 'grep -q "trap.*sudo.*evomaintenance.sh"' - changed_when: False - failed_when: False - check_mode: no - register: grep_profile_evomaintenance - -# Don't add the trap if it is present or commented -- name: "Add evomaintenance trap for '{{ user.name }}'" - lineinfile: - state: present - dest: '/home/{{ user.name }}/.profile' - insertafter: EOF - line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - create: yes - when: grep_profile_evomaintenance.rc != 0 diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml deleted file mode 100644 index 7906307f..00000000 --- a/evolinux-users/tasks/root_disable_ssh.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: disable root login - replace: - dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' - replace: "PermitRootLogin no" - notify: reload sshd - -### Disabled : it seems useless and too dangerous for now -# - name: remove root from AllowUsers directive -# replace: -# dest: /etc/ssh/sshd_config -# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' -# replace: '\1\4' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index aeaeb8de..bf316ab8 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -1,30 +1,5 @@ --- -- name: "Create .ssh directory for '{{ user.name }}'" - file: - dest: '/home/{{ user.name }}/.ssh/' - state: directory - mode: "0700" - owner: '{{ user.name }}' - group: '{{ user.name }}' - -- name: "Add user's SSH public key for '{{ user.name }}'" - authorized_key: - user: "{{ user.name }}" - key: "{{ user.ssh_key }}" - state: present - when: user.ssh_key is defined - -- name: "Add user's SSH public keys for '{{ user.name }}'" - authorized_key: - user: "{{ user.name }}" - key: "{{ ssk_key }}" - state: present - with_items: "{{ user.ssh_keys }}" - loop_control: - loop_var: ssk_key - when: user.ssh_keys is defined - - name: verify AllowGroups directive command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False 
@@ -32,18 +7,55 @@ check_mode: no register: grep_allowgroups_ssh +- debug: + var: grep_allowgroups_ssh + verbosity: 1 + - name: verify AllowUsers directive - shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh -# If AllowGroups is present or -# if AllowUsers is absent and Debian 9+, use AllowGroups mode -- include: ssh_allowgroups.yml - when: grep_allowgroups_ssh.rc == 0 or (grep_allowusers_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '>=')) +- debug: + var: grep_allowusers_ssh + verbosity: 1 + +- set_fact: + # If "AllowGroups is present" or "AllowUsers is absent and Debian 9+", + ssh_allowgroups: "{{ grep_allowgroups_ssh.rc == 0 or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '>='))) }}" + # If "AllowGroups is absent" + ssh_allowusers: "{{ grep_allowgroups_ssh.rc != 0 }}" + +- debug: + var: ssh_allowgroups + verbosity: 1 + +- debug: + var: ssh_allowusers + verbosity: 1 + +- include: ssh_allowgroups.yml + when: + - ssh_allowgroups + - not ssh_allowusers -# If AllowGroups is absent, use AllowUsers mode - include: ssh_allowusers.yml - when: grep_allowgroups_ssh.rc != 0 + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" + when: + - ssh_allowusers + - not ssh_allowgroups + + +- name: disable root login + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + replace: "PermitRootLogin no" + notify: reload sshd + when: evolinux_root_disable_ssh + +- meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index 7e8f8211..c4d946a2 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml 
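Review bot: The two facts set in the new `set_fact` task are not mutually exclusive: on a Debian 9+ host where neither `AllowGroups` nor `AllowUsers` is present, `ssh_allowgroups` is true (absent AllowUsers and version >= 9) and `ssh_allowusers` is also true (absent AllowGroups), so the `not ...` guards on the two includes skip both files and SSH access stays unrestricted, contrary to the comment that AllowGroups mode should apply. Deriving the second fact from the first in its own task removes the overlap: `- set_fact:` followed by `    ssh_allowusers: "{{ not ssh_allowgroups }}"`; the `not` guards on the includes then become redundant but harmless. Separately, the moved `disable root login` task only rewrites an existing `PermitRootLogin` line, so on a host where the directive is absent (OpenSSH's built-in default is `prohibit-password`, which still accepts key-based root login) nothing changes; a `lineinfile` with `regexp: '^PermitRootLogin'` and `line: PermitRootLogin no`, plus the `validate: '/usr/sbin/sshd -T -f %s'` used by the other sshd_config edits in this role, would cover that case.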
@@ -1,15 +1,13 @@ --- -- name: "Unix group '{{ evolinux_ssh_group }}' is present" - group: - name: "{{ evolinux_ssh_group }}" - state: present - -- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'" - user: - name: '{{ user.name }}' - groups: "{{ evolinux_ssh_group }}" - append: yes +# this check must be repeated for each user +# even if it's been done before +- name: verify AllowGroups directive + shell: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_allowgroups_ssh - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" lineinfile: 
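Review bot: The comment `# this check must be repeated for each user` above the new `verify AllowGroups directive` task no longer matches how this file is used: the include in ssh.yml now runs ssh_allowgroups.yml once, without `vars`/`with_dict`, so this grep just re-registers the same `grep_allowgroups_ssh` that ssh.yml already set a few tasks earlier, with no sshd_config edit in between. Either drop the task and its comment here, or reword the comment to state the actual reason for re-reading the file. Also, this task and the same one added to ssh_allowusers.yml use `shell:` while ssh.yml switches the identical grep to `command:`; no shell features are involved, so `command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"` keeps the three consistent and avoids an unnecessary shell.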
@@ -24,42 +22,7 @@ replace: dest: /etc/ssh/sshd_config regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' - replace: '\1 {{ user.name }}' + replace: '\1 {{ evolinux_ssh_group }}' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_allowgroups_ssh.rc == 0 - -# - name: disable AllowUsers directive if present -# replace: -# dest: /etc/ssh/sshd_config -# regexp: '^(AllowUsers)' -# replace: '# \1' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd - -- name: "verify Match Group directive" - command: "grep 'Match Group' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_matchgroup_ssh - -- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nMatch Group {{ evolinux_ssh_group }}\n PasswordAuthentication no" - insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: - - grep_matchgroup_ssh.rc != 0 - -- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive" - replace: - dest: /etc/ssh/sshd_config - regexp: '^(Match Group ((?!{{ evolinux_ssh_group }}).)*)$' - replace: '\1,{{ evolinux_ssh_group }}' - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: - - grep_matchgroup_ssh.rc == 0 diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 3676c418..1e561415 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml @@ -1,5 +1,14 @@ --- +# this check must be repeated for each user +# even if it's been done before +- name: verify AllowUsers directive + shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_allowusers_ssh + - name: "Add AllowUsers sshd directive with '{{ user.name }}'" lineinfile: dest: /etc/ssh/sshd_config 
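Review bot: Removing the `Match Group {{ evolinux_ssh_group }}` / `PasswordAuthentication no` tasks drops a hardening step (key-only authentication for the SSH group) with no replacement visible in this patch and no mention in the commit message, which only describes regrouping. If the block is now handled elsewhere or was dropped on purpose, a one-line comment at the end of this file recording that decision would stop the next reader from re-adding it. The `replace: '\1 {{ evolinux_ssh_group }}'` correction is right; the `name:`, `replace:` and `regexp:` lines of that task start before this hunk.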
diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml
new file mode 100644
index 00000000..ed696b43
--- /dev/null
+++ b/evolinux-users/tasks/sudo.yml
@@ -0,0 +1,9 @@
+---
+
+- include: sudo_jessie.yml
+  when: ansible_distribution_release == "jessie"
+
+- include: sudo_stretch.yml
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- meta: flush_handlers
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml
index 73fea728..bad260f5 100644
--- a/evolinux-users/tasks/user.yml
+++ b/evolinux-users/tasks/user.yml
@@ -1,15 +1,119 @@ --- -- include: account.yml +# Unix account -- include: profile.yml +- name: "Test if '{{ user.name }}' exists" + command: 'getent passwd {{ user.name }}' + register: loginisbusy + failed_when: False + changed_when: False + check_mode: no -- include: ssh.yml +- name: "Test if uid exists for '{{ user.name }}'" + command: 'getent passwd {{ user.uid }}' + register: uidisbusy + failed_when: False + changed_when: False + check_mode: no -- include: sudo_jessie.yml - when: ansible_distribution_release == "jessie" +- name: "Add Unix account with classical uid for '{{ user.name }}'" + user: + state: present + uid: '{{ user.uid }}' + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: loginisbusy.rc != 0 and uidisbusy.rc != 0 -- include: sudo_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') +- name: "Add Unix account with random uid for '{{ user.name }}'" + user: + state: present + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: loginisbusy.rc != 0 and uidisbusy.rc == 0 + +# Unix groups + +- name: "Unix group '{{ evolinux_ssh_group }}' is present" + group: + name: "{{ evolinux_ssh_group }}" + state: present + +- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'" + user: + name: '{{ user.name }}' + groups: "{{ evolinux_ssh_group }}" + append: yes + +- name: "Create secondary groups" + group: + name: "{{ group }}" + with_items: "{{ user.groups }}" + loop_control: + loop_var: group + when: user.groups is defined + +- name: "Add user '{{ user.name }}' to secondary groups" + user: + name: '{{ user.name }}' + groups: "{{ user.groups }}" + append: yes + when: user.groups is defined + +- name: "Fix perms on home directory for '{{ user.name }}'" + file: + name: '/home/{{ user.name }}' + mode: "0700" + 
state: directory + + # Evomaintenance + +- name: search profile for presence of evomaintenance + command: 'grep -q "trap.*sudo.*evomaintenance.sh"' + changed_when: False + failed_when: False + check_mode: no + register: grep_profile_evomaintenance + +# Don't add the trap if it is present or commented +- name: "Add evomaintenance trap for '{{ user.name }}'" + lineinfile: + state: present + dest: '/home/{{ user.name }}/.profile' + insertafter: EOF + line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' + when: grep_profile_evomaintenance.rc != 0 + +# SSH keys + +- name: "Create .ssh directory for '{{ user.name }}'" + file: + dest: '/home/{{ user.name }}/.ssh/' + state: directory + mode: "0700" + owner: '{{ user.name }}' + group: '{{ user.name }}' + +- name: "Add user's SSH public key for '{{ user.name }}'" + authorized_key: + user: "{{ user.name }}" + key: "{{ user.ssh_key }}" + state: present + when: user.ssh_key is defined + +- name: "Add user's SSH public keys for '{{ user.name }}'" + authorized_key: + user: "{{ user.name }}" + key: "{{ ssk_key }}" + state: present + with_items: "{{ user.ssh_keys }}" + loop_control: + loop_var: ssk_key + when: user.ssh_keys is defined - meta: flush_handlers
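Review bot: The moved `search profile for presence of evomaintenance` task runs `grep -q "trap.*sudo.*evomaintenance.sh"` with no file argument, so it presumably reads an empty stdin and its rc is never 0, meaning the `when: grep_profile_evomaintenance.rc != 0` guard never skips the trap and the `# Don't add the trap if it is present or commented` comment is not honoured; the path is missing: `command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'`. The move also dropped `create: yes` from the `Add evomaintenance trap` lineinfile that profile.yml had, so the task now fails for a user whose `.profile` does not exist instead of creating it; restore `create: yes` under `line:`. This hunk covers the whole of user.yml, so both tasks are fully visible.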