113 lines
3.1 KiB
YAML
113 lines
3.1 KiB
YAML
---
|
|
|
|
- name: chmod 700 /root
|
|
ansible.builtin.file:
|
|
path: /root
|
|
state: directory
|
|
mode: "0700"
|
|
when: evolinux_root_chmod | bool
|
|
|
|
- name: "Customize root's bashrc..."
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.bashrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
loop:
|
|
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
|
|
- "export HISTSIZE=65535"
|
|
- "export HISTTIMEFORMAT=\"%c : \""
|
|
- "shopt -s histappend"
|
|
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
|
|
when: evolinux_root_bashrc | bool
|
|
|
|
## .bash_history should be append-only
|
|
|
|
- name: Create .bash_history if missing
|
|
ansible.builtin.copy:
|
|
content: ""
|
|
dest: "/root/.bash_history"
|
|
force: no
|
|
when: evolinux_root_bash_history | bool
|
|
|
|
- name: Set umask in /root/.profile
|
|
ansible.builtin.lineinfile:
|
|
dest: "/root/.profile"
|
|
line: "umask 0077"
|
|
regexp: "umask [0-9]+"
|
|
when: evolinux_root_umask | bool
|
|
|
|
- name: "/usr/share/scripts is present in root's PATH"
|
|
ansible.builtin.lineinfile:
|
|
dest: "/root/.profile"
|
|
line: "PATH=\"${PATH}:/usr/share/scripts\""
|
|
when: ansible_distribution_major_version is version('10', '>=')
|
|
|
|
- name: Custom git config for root
|
|
ansible.builtin.copy:
|
|
src: root/gitconfig
|
|
dest: "/root/.gitconfig"
|
|
force: no
|
|
when: evolinux_root_gitconfig | bool
|
|
|
|
- name: Is .bash_history append-only
|
|
ansible.builtin.shell:
|
|
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
|
|
check_mode: no
|
|
register: bash_history_append_only
|
|
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
|
ignore_errors: yes
|
|
changed_when: False
|
|
|
|
- name: Set .bash_history append-only
|
|
ansible.builtin.command:
|
|
cmd: chattr +a /root/.bash_history
|
|
when:
|
|
- evolinux_root_bash_history_appendonly | bool
|
|
- bash_history_append_only.rc != 0
|
|
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
|
|
|
- name: Setting vim as selected-editor
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.selected_editor
|
|
regexp: '^SELECTED_EDITOR='
|
|
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
|
create: yes
|
|
when: evolinux_root_vim_default | bool
|
|
|
|
- name: Setting vim root configuration
|
|
ansible.builtin.lineinfile:
|
|
dest: /root/.vimrc
|
|
line: "{{ item }}"
|
|
create: yes
|
|
state: present
|
|
loop:
|
|
- "syntax on"
|
|
- "set background=dark"
|
|
- "set expandtab"
|
|
- "set tabstop=4"
|
|
- "set softtabstop=4"
|
|
- "set shiftwidth=4"
|
|
when: evolinux_root_vim_conf | bool
|
|
|
|
- name: disable SSH access for root
|
|
ansible.builtin.replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
|
replace: "PermitRootLogin no"
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
notify: reload sshd
|
|
when: evolinux_root_disable_ssh | bool
|
|
|
|
### Disabled : it seems useless and too dangerous for now
|
|
# - name: remove root from AllowUsers directive
|
|
# ansible.builtin.replace:
|
|
# dest: /etc/ssh/sshd_config
|
|
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
|
# replace: '\1\4'
|
|
# validate: '/usr/sbin/sshd -T -f %s'
|
|
# notify: reload sshd
|
|
# when: evolinux_root_disable_ssh
|
|
|
|
- ansible.builtin.meta: flush_handlers
|