Jérémy Lecour
7b88393ccf
* rename admin-users to evolinux-users * splitting the "sudo" part for users between jessie and stretch * with stretch, the sudo group is customizable and properly configured * import evolinux-users role from evolinux-base at proper time to ensure ssh connections are possible for other users before cutting root's access * evomaintenance is also included in evolinux-base to have it available when users are created
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
---
|
|
- debug:
|
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
|
when: evolinux_ssh_password_auth_addresses == []
|
|
|
|
- name: Security directives for Evolinux
|
|
blockinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
block: |
|
|
Match Group evolinux-sudo
|
|
PasswordAuthentication no
|
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
|
PasswordAuthentication yes
|
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
|
insertafter: EOF
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when: not evolinux_ssh_password_auth_addresses == []
|
|
|
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
|
# do not want clients to push their environment variables like LANG.
|
|
- name: disable AcceptEnv in ssh config
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^AcceptEnv'
|
|
replace: "#AcceptEnv"
|
|
notify: reload sshd
|
|
when: evolinux_ssh_disable_acceptenv
|
|
|
|
- name: Set log level to verbose (for Debian >= 9)
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?LogLevel [A-Z]+'
|
|
replace: "LogLevel VERBOSE"
|
|
notify: reload sshd
|
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
|
|
|
- meta: flush_handlers
|