Jérémy Lecour
7b88393ccf
* rename admin-users to evolinux-users * splitting the "sudo" part for users between jessie and stretch * with stretch, the sudo group is customizable and properly configured * import evolinux-users role from evolinux-base at proper time to ensure ssh connections are possible for other users before cutting root's access * evomaintenance is also included in evolinux-base to have it available when users are created
92 lines
2.2 KiB
YAML
92 lines
2.2 KiB
YAML
---
|
|
|
|
- name: chmod 700 /root
|
|
file:
|
|
path: /root
|
|
state: directory
|
|
mode: "0700"
|
|
when: evolinux_root_chmod
|
|
|
|
- name: "Customize root's bashrc..."
|
|
lineinfile:
|
|
dest: /root/.bashrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
with_items:
|
|
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth"
|
|
- "export HISTSIZE=65535"
|
|
- "export HISTTIMEFORMAT=\"%c : \""
|
|
when: evolinux_root_bashrc
|
|
|
|
## .bash_history should be append-only
|
|
|
|
- name: Create .bash_history if missing
|
|
copy:
|
|
content: ""
|
|
dest: "/root/.bash_history"
|
|
force: no
|
|
when: evolinux_root_bash_history
|
|
|
|
- name: Set umask in /root/.profile
|
|
lineinfile:
|
|
dest: "/root/.profile"
|
|
line: "umask 0077"
|
|
regexp: "umask [0-9]+"
|
|
when: evolinux_root_umask
|
|
|
|
- name: Custom git config for root
|
|
copy:
|
|
src: root/gitconfig
|
|
dest: "/root/.gitconfig"
|
|
force: no
|
|
when: evolinux_root_gitconfig
|
|
|
|
- name: Is .bash_history append-only
|
|
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
|
|
check_mode: no
|
|
register: bash_history_append_only
|
|
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
|
ignore_errors: yes
|
|
changed_when: False
|
|
|
|
- name: Set .bash_history append-only
|
|
command: chattr +a /root/.bash_history
|
|
when:
|
|
- evolinux_root_bash_history_appendonly
|
|
- bash_history_append_only.rc != 0
|
|
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
|
|
|
- name: Setting vim as selected-editor
|
|
lineinfile:
|
|
dest: /root/.selected_editor
|
|
regexp: '^SELECTED_EDITOR='
|
|
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
|
create: yes
|
|
when: evolinux_root_vim_default
|
|
|
|
- name: Setting vim root configuration
|
|
lineinfile:
|
|
dest: /root/.vimrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
with_items:
|
|
- "syntax on"
|
|
- "set background=dark"
|
|
- "set expandtab"
|
|
- "set tabstop=4"
|
|
- "set softtabstop=4"
|
|
- "set shiftwidth=4"
|
|
when: evolinux_root_vim_conf
|
|
|
|
- name: disable SSH access for root
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin (yes|without-password)'
|
|
replace: "PermitRootLogin no"
|
|
notify: reload sshd
|
|
when: evolinux_root_disable_ssh
|
|
|
|
- meta: flush_handlers
|