ansible-roles/evolinux-base/tasks/root.yml

---

- name: chmod 700 /root
  ansible.builtin.file:
    path: /root
    state: directory
    mode: "0700"
  when: evolinux_root_chmod | bool

- name: "Customize root's bashrc..."
  ansible.builtin.lineinfile:
    dest: /root/.bashrc
    line: "{{ item }}"
    create: yes
    state: present
  loop:
    - "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
    - "export HISTSIZE=65535"
    - "export HISTTIMEFORMAT=\"%c : \""
    - "shopt -s histappend"
    - "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
  when: evolinux_root_bashrc | bool

## .bash_history should be append-only

- name: Create .bash_history if missing
  ansible.builtin.copy:
    content: ""
    dest: "/root/.bash_history"
    force: false
  when: evolinux_root_bash_history | bool

- name: Set umask in /root/.profile
  ansible.builtin.lineinfile:
    dest: "/root/.profile"
    line: "umask 0077"
    regexp: "umask [0-9]+"
  when: evolinux_root_umask | bool

- name: "/usr/share/scripts is present in root's PATH"
  ansible.builtin.lineinfile:
    dest: "/root/.profile"
    line: "PATH=\"${PATH}:/usr/share/scripts\""
  when: ansible_distribution_major_version is version('10', '>=')

- name: Custom git config for root
  ansible.builtin.copy:
    src: root/gitconfig
    dest: "/root/.gitconfig"
    force: false
  when: evolinux_root_gitconfig | bool

- name: Is .bash_history append-only
  ansible.builtin.shell:
    cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
  check_mode: no
  register: bash_history_append_only
  failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
  ignore_errors: yes
  changed_when: False

- name: Set .bash_history append-only
  ansible.builtin.command:
    cmd: chattr +a /root/.bash_history
  when:
    - evolinux_root_bash_history_appendonly | bool
    - bash_history_append_only.rc != 0
    - "'Inappropriate ioctl' not in bash_history_append_only.stderr"

- name: Setting vim as selected-editor
  ansible.builtin.lineinfile:
    dest: /root/.selected_editor
    regexp: '^SELECTED_EDITOR='
    line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
    create: yes
  when: evolinux_root_vim_default | bool

- name: Setting vim root configuration
  ansible.builtin.lineinfile:
    dest: /root/.vimrc
    line: "{{ item }}"
    create: yes
    state: present
  loop:
    - "syntax on"
    - "set background=dark"
    - "set expandtab"
    - "set tabstop=4"
    - "set softtabstop=4"
    - "set shiftwidth=4"
  when: evolinux_root_vim_conf | bool

- name: disable SSH access for root (Debian < 12)
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('11', '<=')

- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    insertbefore: BOF
  notify: reload ssh
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')

- name: disable SSH access for root (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
    line: "PermitRootLogin no"
    regexp: "^#?PermitRootLogin "
    create: yes
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')


### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive
#   ansible.builtin.replace:
#     dest: /etc/ssh/sshd_config
#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
#     replace: '\1\4'
#     validate: '/usr/sbin/sshd -T -f %s'
#   notify: reload sshd
#   when: evolinux_root_disable_ssh

- ansible.builtin.meta: flush_handlers