73c0a0d29a
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|2622|10|2612|10|:-1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/335//ansiblelint">Evolix » ansible-roles » unstable #335</a>
gitea/ansible-roles/pipeline/head This commit looks good
In case we need to add the Include directive, we add it at the beginning of the global configuration file. This way the Include directive can't be inside a Match directive.
138 lines
3.9 KiB
YAML
138 lines
3.9 KiB
YAML
---
|
|
|
|
- name: chmod 700 /root
|
|
ansible.builtin.file:
|
|
path: /root
|
|
state: directory
|
|
mode: "0700"
|
|
when: evolinux_root_chmod | bool
|
|
|
|
- name: "Customize root's bashrc..."
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.bashrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
loop:
|
|
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
|
|
- "export HISTSIZE=65535"
|
|
- "export HISTTIMEFORMAT=\"%c : \""
|
|
- "shopt -s histappend"
|
|
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
|
|
when: evolinux_root_bashrc | bool
|
|
|
|
## .bash_history should be append-only
|
|
|
|
- name: Create .bash_history if missing
|
|
ansible.builtin.copy:
|
|
content: ""
|
|
dest: "/root/.bash_history"
|
|
force: false
|
|
when: evolinux_root_bash_history | bool
|
|
|
|
- name: Set umask in /root/.profile
|
|
ansible.builtin.lineinfile:
|
|
dest: "/root/.profile"
|
|
line: "umask 0077"
|
|
regexp: "umask [0-9]+"
|
|
when: evolinux_root_umask | bool
|
|
|
|
- name: "/usr/share/scripts is present in root's PATH"
|
|
ansible.builtin.lineinfile:
|
|
dest: "/root/.profile"
|
|
line: "PATH=\"${PATH}:/usr/share/scripts\""
|
|
when: ansible_distribution_major_version is version('10', '>=')
|
|
|
|
- name: Custom git config for root
|
|
ansible.builtin.copy:
|
|
src: root/gitconfig
|
|
dest: "/root/.gitconfig"
|
|
force: false
|
|
when: evolinux_root_gitconfig | bool
|
|
|
|
- name: Is .bash_history append-only
|
|
ansible.builtin.shell:
|
|
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
|
|
check_mode: no
|
|
register: bash_history_append_only
|
|
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
|
ignore_errors: yes
|
|
changed_when: False
|
|
|
|
- name: Set .bash_history append-only
|
|
ansible.builtin.command:
|
|
cmd: chattr +a /root/.bash_history
|
|
when:
|
|
- evolinux_root_bash_history_appendonly | bool
|
|
- bash_history_append_only.rc != 0
|
|
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
|
|
|
- name: Setting vim as selected-editor
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.selected_editor
|
|
regexp: '^SELECTED_EDITOR='
|
|
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
|
create: yes
|
|
when: evolinux_root_vim_default | bool
|
|
|
|
- name: Setting vim root configuration
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.vimrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
loop:
|
|
- "syntax on"
|
|
- "set background=dark"
|
|
- "set expandtab"
|
|
- "set tabstop=4"
|
|
- "set softtabstop=4"
|
|
- "set shiftwidth=4"
|
|
when: evolinux_root_vim_conf | bool
|
|
|
|
- name: disable SSH access for root
|
|
ansible.builtin.replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
|
replace: "PermitRootLogin no"
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- evolinux_root_disable_ssh | bool
|
|
- ansible_distribution_major_version is version('11', '<=')
|
|
|
|
- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
line: "Include /etc/ssh/sshd_config.d/*.conf"
|
|
insertbefore: BOF
|
|
notify: reload ssh
|
|
when:
|
|
- evolinux_root_disable_ssh | bool
|
|
- ansible_distribution_major_version is version('12', '>=')
|
|
|
|
- name: disable SSH access for root (Debian >= 12)
|
|
ansible.builtin.replace:
|
|
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
|
line: "PermitRootLogin no"
|
|
create: yes
|
|
mode: "0644"
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
notify: reload sshd
|
|
when:
|
|
- evolinux_root_disable_ssh | bool
|
|
- ansible_distribution_major_version is version('12', '>=')
|
|
|
|
|
|
### Disabled : it seems useless and too dangerous for now
|
|
# - name: remove root from AllowUsers directive
|
|
# ansible.builtin.replace:
|
|
# dest: /etc/ssh/sshd_config
|
|
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
|
# replace: '\1\4'
|
|
# validate: '/usr/sbin/sshd -T -f %s'
|
|
# notify: reload sshd
|
|
# when: evolinux_root_disable_ssh
|
|
|
|
- ansible.builtin.meta: flush_handlers
|