diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml
index e5872a91..6ee9c512 100644
--- a/evolinux-users/tasks/main.yml
+++ b/evolinux-users/tasks/main.yml
@@ -20,9 +20,6 @@
 - name: Configure sudo
 include: sudo.yml
- vars:
- user: "{{ item.value }}"
- with_dict: "{{ evolinux_users }}"
 when: evolinux_users != {}
 - name: Configure SSH
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 70570c63..3acb78a4 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -29,28 +29,69 @@
 - set_fact:
 # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
 ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
- # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
- ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
 - debug:
 var: ssh_allowgroups
 verbosity: 1
-- debug:
- var: ssh_allowusers
- verbosity: 1
-
 - include: ssh_allowgroups.yml
+ vars:
+ - allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"
 when:
 - ssh_allowgroups
- - not ssh_allowusers
-- include: ssh_allowusers.yml
- vars:
- user: "{{ item.value }}"
- with_dict: "{{ evolinux_users }}"
+- name: "Add AllowUsers sshd directive with all users"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}"
+ insertafter: 'Subsystem'
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: reload sshd
 when:
- - ssh_allowusers
+ - grep_allowusers_ssh.rc != 0
+ - not ssh_allowgroups
+
+- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
+ replace: '\1 {{ item.name }}'
+ validate: '/usr/sbin/sshd -t -f %s'
+ with_dict: "{{ evolinux_users }}"
+ notify: reload sshd
+ when:
+ - grep_allowusers_ssh.rc == 0
+ - not ssh_allowgroups
+
+- name: "verify Match User directive"
+ command: "grep -E '^Match User' /etc/ssh/sshd_config"
+ changed_when: False
+ failed_when: False
+ check_mode: no
+ register: grep_matchuser_ssh
+ when: not ssh_allowgroups
+
+- name: "Add Match User sshd directive with all users"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no"
+ insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: reload sshd
+ when:
+ - grep_matchuser_ssh != 0
+ - not ssh_allowgroups
+
+- name: "Append '{{ item.name }}' to Match User's sshd directive"
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(Match User ((?!{{ item.name }}).)*)$'
+ replace: '\1,{{ item.name }}'
+ validate: '/usr/sbin/sshd -t -f %s'
+ with_dict: "{{ evolinux_users }}"
+ notify: reload sshd
+ when:
+ - grep_matchuser_ssh.rc == 0
 - not ssh_allowgroups
 - name: disable root login
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index a4e4ee54..bef0a393 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -1,14 +1,5 @@
 ---
-# this check must be repeated for each user
-# even if it's been done before
-- name: verify AllowGroups directive
- command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
- changed_when: False
- failed_when: False
- check_mode: no
- register: grep_allowgroups_ssh
-
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
 lineinfile:
 dest: /etc/ssh/sshd_config
@@ -16,7 +7,7 @@
 insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc != 0
+ when: not allow_groups_present
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
 replace:
@@ -25,4 +16,4 @@
 replace: '\1 {{ evolinux_ssh_group }}'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc == 0
+ when: allow_groups_present
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
deleted file mode 100644
index 1aa31f3c..00000000
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ /dev/null
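Review bot: In the "Add Match User sshd directive with all users" task the condition `- grep_matchuser_ssh != 0` compares the whole registered result with 0, which is always true, so the directive is inserted again on every run even when grep already found one; it should read `- grep_matchuser_ssh.rc != 0`, and in both Match User tasks `- not ssh_allowgroups` belongs first, because when the grep task was skipped its registered result carries no `rc` and the condition errors instead of skipping. The `with_dict` loop and the removed `user: "{{ item.value }}"` in main.yml indicate `evolinux_users` is a dict of user mappings, so `item.name` in the two `replace` tasks and `evolinux_users|map(attribute='name')` in both `line:` values address the dict keys rather than the users; `item.value.name` and `evolinux_users.values()|map(attribute='name')` would follow that structure (sudo.yml's jessie `replace` task has the same `item.name`). Lastly, `vars:` on the `ssh_allowgroups.yml` include is written as a list (`- allow_groups_present: …`) whereas the sudo.yml include writes `vars:` as a mapping; the mapping form `allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"` is the one to use, the list-of-dicts form being deprecated. The task list continues outside the hunk on both sides.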
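Review bot: With the grep task removed, ssh_allowgroups.yml now depends on `allow_groups_present` being supplied by whichever task includes it, and nothing in the file says so; the `when: not allow_groups_present` and `when: allow_groups_present` lines in the two following hunks fail on an undefined variable if it is missing. A header comment after `---` would make the contract visible: `# Expects allow_groups_present (bool): whether an AllowGroups line already exists in sshd_config; set by the including task in ssh.yml.`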
@@ -1,53 +0,0 @@
----
-
-# this check must be repeated for each user
-# even if it's been done before
-- name: verify AllowUsers directive
- command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
- changed_when: False
- failed_when: False
- check_mode: no
- register: grep_allowusers_ssh
-
-- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
- lineinfile:
- dest: /etc/ssh/sshd_config
- line: "\nAllowUsers {{ user.name }}"
- insertafter: 'Subsystem'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: grep_allowusers_ssh.rc != 0
-
-- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
- replace: '\1 {{ user.name }}'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: grep_allowusers_ssh.rc == 0
-
-- name: "verify Match User directive"
- command: "grep -E '^Match User' /etc/ssh/sshd_config"
- changed_when: False
- failed_when: False
- check_mode: no
- register: grep_matchuser_ssh
-
-- name: "Add Match User sshd directive with '{{ user.name }}'"
- lineinfile:
- dest: /etc/ssh/sshd_config
- line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
- insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: grep_matchuser_ssh.rc != 0
-
-- name: "Append '{{ user.name }}' to Match User's sshd directive"
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(Match User ((?!{{ user.name }}).)*)$'
- replace: '\1,{{ user.name }}'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: grep_matchuser_ssh.rc == 0
diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml
index ed696b43..48d4422e 100644
--- a/evolinux-users/tasks/sudo.yml
+++ b/evolinux-users/tasks/sudo.yml
@@ -1,9 +1,45 @@
 ---
-
-- include: sudo_jessie.yml
+- name: "Verify 'evolinux' sudoers file presence for debian jessie"
+ template:
+ src: "sudoers_jessie.j2"
+ dest: /etc/sudoers.d/evolinux
+ force: no
+ mode: "0440"
+ validate: '/usr/sbin/visudo -cf %s'
+ register: copy_sudoers_evolinux
 when: ansible_distribution_release == "jessie"
+- name: "Verify 'evolinux' sudoers file presence for debian 9 or bigger"
+ template:
+ src: "sudoers_stretch.j2"
+ dest: /etc/sudoers.d/evolinux
+ force: no
+ mode: "0440"
+ validate: '/usr/sbin/visudo -cf %s'
+ register: copy_sudoers_evolinux
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Add user in sudoers file for '{{ item.name }}' (jessie)"
+ replace:
+ dest: /etc/sudoers.d/evolinux
+ regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ item.name }}).)*)$'
+ replace: '\1,{{ item.name }}'
+ validate: '/usr/sbin/visudo -cf %s'
+ with_dict: "{{ evolinux_users }}"
+ when:
+ - not copy_sudoers_evolinux.changed
+ - ansible_distribution_release == "jessie"
+
+- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
+ group:
+ name: "{{ evolinux_sudo_group }}"
+ system: yes
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
 - include: sudo_stretch.yml
+ vars:
+ user: "{{ item.value }}"
+ with_dict: "{{ evolinux_users }}"
 when: ansible_distribution_major_version | version_compare('9', '>=')
 - meta: flush_handlers
diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml
deleted file mode 100644
index f675954e..00000000
--- a/evolinux-users/tasks/sudo_jessie.yml
+++ /dev/null
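Review bot: Both template tasks register `copy_sudoers_evolinux`, and a skipped task still writes its registered variable, so on jessie the skipped "Debian 9 or bigger" task overwrites the jessie result with a skipped result whose `changed` is false; the `- not copy_sudoers_evolinux.changed` condition on the "Add user in sudoers file ... (jessie)" task therefore no longer reflects whether the template just created the file, which is what the old sudo_jessie.yml flow checked. Giving the jessie template its own name, `register: copy_sudoers_evolinux_jessie`, and checking `- not copy_sudoers_evolinux_jessie.changed`, keeps the original intent. As a point of style, `system: yes` and `force: no` rely on YAML 1.1 boolean spellings; `system: true` and `force: false` are unambiguous across parsers.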
@@ -1,18 +0,0 @@
----
-
-- name: "Verify Evolinux sudoers file presence (jessie)"
- template:
- src: sudoers_jessie.j2
- dest: /etc/sudoers.d/evolinux
- force: no
- mode: "0440"
- validate: '/usr/sbin/visudo -cf %s'
- register: copy_sudoers_evolinux
-
-- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
- replace:
- dest: /etc/sudoers.d/evolinux
- regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
- replace: '\1,{{ user.name }}'
- validate: '/usr/sbin/visudo -cf %s'
- when: not copy_sudoers_evolinux.changed
diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml
index dc744c56..97f1f77d 100644
--- a/evolinux-users/tasks/sudo_stretch.yml
+++ b/evolinux-users/tasks/sudo_stretch.yml
@@ -1,19 +1,5 @@
 ---
-- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
- template:
- src: sudoers_stretch.j2
- dest: /etc/sudoers.d/evolinux
- force: no
- mode: "0440"
- validate: '/usr/sbin/visudo -cf %s'
- register: copy_sudoers_evolinux
-
-- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
- group:
- name: "{{ evolinux_sudo_group }}"
- system: yes
-
 - name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
 user:
 name: '{{ user.name }}'