7c632352a0
The behaviour of the `include` module is badly defined (it try to choose between statically importing the tasks and dynamically including them) and can cause problems depending on any number of constraints (mostly if it choose the wrong behaviour). Replace it with the `import_tasks` (always statically import tasks) unless the `include` is in a loop in which case we replace it with `include_tasks` (always dynamically include tasks).
66 lines
1.8 KiB
YAML
66 lines
1.8 KiB
YAML
---
|
|
|
|
- name: verify AllowGroups directive
|
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_allowgroups_ssh
|
|
|
|
- debug:
|
|
var: grep_allowgroups_ssh
|
|
verbosity: 1
|
|
|
|
- name: verify AllowUsers directive
|
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: grep_allowusers_ssh
|
|
|
|
- debug:
|
|
var: grep_allowusers_ssh
|
|
verbosity: 1
|
|
|
|
- assert:
|
|
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
|
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
|
|
|
- set_fact:
|
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
|
|
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
|
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"
|
|
|
|
- debug:
|
|
var: ssh_allowgroups
|
|
verbosity: 1
|
|
|
|
- debug:
|
|
var: ssh_allowusers
|
|
verbosity: 1
|
|
|
|
- import_tasks: ssh_allowgroups.yml
|
|
when:
|
|
- ssh_allowgroups
|
|
- not ssh_allowusers
|
|
|
|
- include_tasks: ssh_allowusers.yml
|
|
vars:
|
|
user: "{{ item.value }}"
|
|
loop: "{{ evolinux_users | dict2items }}"
|
|
when:
|
|
- user.create == evolinux_users_create
|
|
- ssh_allowusers
|
|
- not ssh_allowgroups
|
|
|
|
- name: disable root login
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
|
replace: "PermitRootLogin no"
|
|
notify: reload sshd
|
|
when: evolinux_root_disable_ssh | bool
|
|
|
|
- meta: flush_handlers
|