94 lines
3 KiB
YAML
94 lines
3 KiB
YAML
---
|
|
- ansible.builtin.debug:
|
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
|
|
when: evolinux_ssh_password_auth_addresses == []
|
|
|
|
- name: files under /etc/ssh/sshd_config.d are included
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
line: "Include /etc/ssh/sshd_config.d/*.conf"
|
|
insertbefore: BOF
|
|
notify: reload ssh
|
|
|
|
- name: add SSH server configuration template
|
|
ansible.builtin.template:
|
|
src: sshd/defaults.j2
|
|
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
|
mode: "0644"
|
|
|
|
# Should we allow the current user?
|
|
- name: Allow the current user
|
|
block:
|
|
- name: "Get current user's login"
|
|
ansible.builtin.command:
|
|
cmd: logname
|
|
changed_when: False
|
|
register: _logname
|
|
check_mode: no
|
|
|
|
- name: verify AllowUsers directive
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
|
failed_when: False
|
|
changed_when: False
|
|
register: grep_allowusers_ssh
|
|
check_mode: no
|
|
|
|
- name: verify AllowGroups directive
|
|
ansible.builtin.command:
|
|
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
|
failed_when: False
|
|
changed_when: False
|
|
register: grep_allowgroups_ssh
|
|
check_mode: no
|
|
|
|
# If we have AllowUsers but not AllowGroups, append the user to the list
|
|
# (in the first file where we found the directive)
|
|
|
|
- name: "Append user to existing AllowUsers sshd directive"
|
|
ansible.builtin.replace:
|
|
dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
|
|
regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
|
|
replace: '\1 {{ _logname.stdout }}'
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- grep_allowusers_ssh.rc == 0
|
|
- grep_allowgroups_ssh.rc != 0
|
|
|
|
# If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
|
|
# (in the first file where we found the directive)
|
|
|
|
- name: "Append evolinux ssh group to AllowGroups sshd directive"
|
|
ansible.builtin.replace:
|
|
dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
|
|
regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
|
|
replace: '\1 {{ evolinux_ssh_group }}'
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- grep_allowusers_ssh.rc != 0
|
|
- grep_allowgroups_ssh.rc == 0
|
|
|
|
- name: "evolinux ssh group is present"
|
|
ansible.builtin.group:
|
|
name: "{{ evolinux_ssh_group }}"
|
|
when:
|
|
- grep_allowusers_ssh.rc != 0
|
|
- grep_allowgroups_ssh.rc == 0
|
|
|
|
- name: "Add current user to evolinux ssh group"
|
|
ansible.builtin.user:
|
|
name: "{{ _logname.stdout }}"
|
|
group: "{{ evolinux_ssh_group }}"
|
|
append: yes
|
|
when:
|
|
- grep_allowusers_ssh.rc != 0
|
|
- grep_allowgroups_ssh.rc == 0
|
|
|
|
# If we don't have AllowGroups nor AllowUsers, do nothing
|
|
|
|
when: evolinux_ssh_allow_current_user | bool
|
|
|
|
- ansible.builtin.meta: flush_handlers
|