ansible-roles/evolinux-users/tasks/ssh.yml

99 lines
2.9 KiB
YAML

---
- name: verify AllowGroups directive
ansible.builtin.command:
cmd: "grep -Er '^AllowGroups' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
register: grep_allowgroups_ssh
- ansible.builtin.debug:
var: grep_allowgroups_ssh
verbosity: 1
- name: verify AllowUsers directive
ansible.builtin.command:
cmd: "grep -Er '^AllowUsers' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
register: grep_allowusers_ssh
- ansible.builtin.debug:
var: grep_allowusers_ssh
verbosity: 1
- ansible.builtin.assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
- ansible.builtin.set_fact:
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"
- ansible.builtin.debug:
var: ssh_allowgroups
verbosity: 1
- ansible.builtin.debug:
var: ssh_allowusers
verbosity: 1
- ansible.builtin.include: ssh_allowgroups.yml
when:
- ssh_allowgroups
- not ssh_allowusers
- ansible.builtin.include: ssh_allowusers.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when:
- user.create == evolinux_users_create
- ssh_allowusers
- not ssh_allowgroups
- name: disable root login
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('11', '<=')
- name: verify PermitRootLogin directive (Debian >= 12)
ansible.builtin.command:
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
register: grep_permitrootlogin_ssh
when:
- ansible_distribution_major_version is version('12', '>=')
# TODO avertir lorsque PermitRootLogin est déjà configuré?
- ansible.builtin.debug:
var: grep_permitrootlogin_ssh
verbosity: 1
- name: disable root login (Debian >= 12)
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
line: "PermitRootLogin no"
create: yes
mode: "0644"
validate: '/usr/sbin/sshd -t -f %s'
insertbefore: "BOF"
notify: reload sshd
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('12', '>=')
- grep_permitrootlogin_ssh.rc == 1
- ansible.builtin.meta: flush_handlers