ansible: Only allow SSH from group SSH on wuerfel
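---
# base role: harden sshd access, manage root's authorized keys, install a
# baseline package set and make zsh the default shell.
#
# sshd access control is selected by optional variables:
#   sshd_allowusers_set   - if defined, restrict logins with AllowUsers
#   sshd_allowgroup       - if defined, restrict logins with AllowGroups
#                           (takes precedence over sshd_allowusers_set)
#   sshd_allowusers_group / sshd_allowusers_host
#                         - extra user names merged with 'root' into the
#                           AllowUsers list, or added to sshd_allowgroup
# If neither sshd_allowusers_set nor sshd_allowgroup is defined, any
# Allow* restriction is removed again (3/3).

- name: only allow pubkey auth for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    # 'without-password' is the pre-OpenSSH-7.0 spelling of
    # 'prohibit-password'; both are still accepted, the old spelling is
    # kept so the role also works on older releases.
    line: "PermitRootLogin without-password"
  notify: restart ssh

# --- mode 1: AllowUsers ---------------------------------------------------
- name: "limit allowed users (1/3): Set AllowUsers in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
  notify: restart ssh

- name: "limit allowed users (1/3): Make sure AllowGroups is not in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
  # sshd applies AllowUsers AND AllowGroups; a stale AllowGroups line left
  # over from an earlier group-based run would lock out every user that is
  # not in that group, so it is dropped when switching (back) to AllowUsers.
  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
  notify: restart ssh

# --- mode 2: AllowGroups --------------------------------------------------
# Both config edits notify the handler; it runs at the end of the play,
# after the group memberships below are in place, so nobody is locked out
# in between.
- block:
    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
      notify: restart ssh

    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
      notify: restart ssh

    - name: "limit allowed users (2/3): Make sure the ssh group exists"
      # the user module below fails if the group is missing; state=present
      # is a no-op when it already exists.
      group:
        name: "{{ sshd_allowgroup }}"
        state: present

    - name: "limit allowed users (2/3): Add allowed users to ssh group"
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true
      # NOTE: the user module creates a missing account instead of failing,
      # so every name listed here ends up as a local user on the host.
      with_items: "{{ [ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([])) }}"
  when: sshd_allowgroup is defined

# --- mode 3: no restriction -----------------------------------------------
- name: limit allowed users (3/3)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^Allow(Users|Groups)"
    state: absent
  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
  notify: restart ssh

- name: Set authorized keys for root user
  authorized_key:
    user: root
    # The glob is expanded by a shell on the control host (the pipe lookup
    # runs there); the path is presumably relative to the playbook
    # directory — confirm. Every ssh/noc/*.pub must end with a newline or
    # two keys get glued onto one line.
    key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
    # exclusive: any key not present in ssh/noc/*.pub is removed from
    # root's authorized_keys.
    exclusive: true

- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    mode: "0644"

- name: install basic packages
  # the whole list is passed to apt at once (one transaction) instead of
  # looping over the items.
  apt:
    name:
      - less
      - psmisc
      - sudo
      - htop
      - dstat
      - mtr-tiny
      - tcpdump
      - debian-goodies
      - lsof
      - haveged
      - net-tools
      - ntp
      - screen
      - aptitude
      - unp
      - ca-certificates
      - file
      - zsh
      - python-apt
    state: present

- block:
    - name: install systemd specific packages
      apt:
        name:
          - dbus
          - libpam-systemd
        state: present

    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"
  when: ansible_service_mgr == "systemd"

- name: install zshrc
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  with_items:
    - { src: "zprofile", dest: "/etc/zsh/zprofile" }
    - { src: "zshrc", dest: "/etc/zsh/zshrc" }
    - { src: "zshrc.skel", dest: "/etc/skel/.zshrc" }

- name: set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh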
100
101 - name: set default shell for adduser
102   lineinfile: dest=/etc/adduser.conf regexp={{ item.regexp }} line={{ item.line }}
103   with_items:
104     - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }