evolinux-users: prepare SSH configuration for Debian 12 (wip)
parent
87711ef00c
commit
fc8105e84e
|
@ -66,15 +66,31 @@
|
||||||
- evolinux_root_disable_ssh | bool
|
- evolinux_root_disable_ssh | bool
|
||||||
- ansible_distribution_major_version is version('11', '<=')
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
|
- name: verify PermitRootLogin directive
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: grep_permitrootlogin_ssh
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
# TODO avertir lorsque PermitRootLogin est déjà configuré?
|
||||||
|
- ansible.builtin.debug:
|
||||||
|
var: grep_permitrootlogin_ssh
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
- name: disable root login (Debian <= 12)
|
- name: disable root login (Debian <= 12)
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||||
line: "PermitRootLogin no"
|
line: "PermitRootLogin no"
|
||||||
create: yes
|
create: yes
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolinux_root_disable_ssh | bool
|
- evolinux_root_disable_ssh | bool
|
||||||
- ansible_distribution_major_version is version('12', '>=')
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
- grep_permitrootlogin_ssh.rc != 1
|
||||||
|
|
||||||
- ansible.builtin.meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
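Review bot: The new condition `- grep_permitrootlogin_ssh.rc != 1` on the Debian >= 12 "disable root login" task runs the replace only when grep already found a `PermitRootLogin` line somewhere under /etc/ssh (rc 0) or when grep itself failed (rc 2, which `failed_when: False` lets through), and skips it when nothing is configured (rc 1), which reads as the opposite of the task name; if the intent is to set the default only where it is unset, the check should be `- grep_permitrootlogin_ssh.rc == 1`, and rc 2 should be treated as an error rather than as a match. Since sshd keeps the first value it reads for a directive and `z-evolinux-defaults.conf` sorts last among the drop-ins picked up by the Include that Debian 12 ships at the top of sshd_config, a `PermitRootLogin yes` in another drop-in or in sshd_config itself silently overrides this file, so the verification step should at least warn when a value other than `no` is found outside the managed file (the TODO on the debug task points the same way). The validate command was changed to a hard-coded file path; ansible.builtin.replace requires `%s` in `validate` and fails with "validate must contain %s", so `validate: '/usr/sbin/sshd -t -f %s'` should be kept. The task list this hunk belongs to starts before the hunk.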
@ -4,11 +4,13 @@
|
||||||
# even if it's been done before
|
# even if it's been done before
|
||||||
- name: verify AllowGroups directive
|
- name: verify AllowGroups directive
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
cmd: "grep -E '^AllowGroups' /etc/ssh"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: grep_allowgroups_ssh
|
register: grep_allowgroups_ssh
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
|
@ -17,7 +19,9 @@
|
||||||
insertafter: 'Subsystem'
|
insertafter: 'Subsystem'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_allowgroups_ssh.rc != 0
|
when:
|
||||||
|
- grep_allowgroups_ssh.rc != 0
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
|
@ -26,4 +30,15 @@
|
||||||
replace: '\1 {{ evolinux_ssh_group }}'
|
replace: '\1 {{ evolinux_ssh_group }}'
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_allowgroups_ssh.rc == 0
|
when:
|
||||||
|
- grep_allowgroups_ssh.rc == 0
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
|
||||||
|
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/ssh/sshd_config.d/z-evolinux-users
|
||||||
|
line: "AllowGroups {{ evolinux_ssh_group }}"
|
||||||
|
create: yes
|
||||||
|
validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-users'
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
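Review bot: The new Debian >= 12 task writes `AllowGroups {{ evolinux_ssh_group }}` to `/etc/ssh/sshd_config.d/z-evolinux-users`, a name without the `.conf` suffix; Debian 12's stock sshd_config includes only `/etc/ssh/sshd_config.d/*.conf`, so sshd would never read this file and the group restriction would silently not apply — the path should be `/etc/ssh/sshd_config.d/z-evolinux-users.conf` (the PermitRootLogin task in this commit uses `z-evolinux-defaults.conf`). The task also has no `notify: reload sshd`, unlike the sibling tasks, so even a correctly named file is not applied until the next reload. In the first hunk of this file, `cmd: "grep -E '^AllowGroups' /etc/ssh"` now targets a directory without `-r`; on GNU grep that is reported as "Is a directory" with rc 2, so the `rc == 0` / `rc != 0` conditions on the following tasks no longer distinguish found from not found — use `grep -Er` as the PermitRootLogin check does, or keep the original `/etc/ssh/sshd_config` path. The hard-coded path in `validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-users'` is rejected by ansible.builtin.lineinfile, which requires `%s` in validate; keep `validate: '/usr/sbin/sshd -t -f %s'`.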