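---
# Base role: restricts ssh logins (root only via keys, optional AllowUsers /
# AllowGroups), installs the common package set and makes zsh the default
# shell. The three "limit allowed users" tasks are mutually exclusive
# branches selected by which of sshd_allowusers_set / sshd_allowgroup is
# defined; exactly one of them runs.

- name: build the list of users allowed to log in over ssh
  set_fact:
    # root is always allowed; the group- and host-level lists are optional
    # and default to empty so the union never fails on an undefined var.
    sshd_allowusers: >-
      {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
                    | union(sshd_allowusers_host  | default([])) }}

- name: only allow pubkey auth for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    # "without-password" refuses password logins for root but still permits
    # key-based logins (newer OpenSSH spells it "prohibit-password").
    line: "PermitRootLogin without-password"
  notify: restart ssh

# Branch 1/3: explicit AllowUsers list, no group-based restriction.
- name: limit allowed users (1/3)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
  notify: restart ssh

# Branch 2/3: restrict by group. Any stale AllowUsers line is dropped first so
# the two directives never apply together, then the allowed users are added
# to the group.
- block:
    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
      # sshd only re-reads its config on restart; without the notify the
      # edited file would not take effect until some unrelated restart.
      notify: restart ssh

    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
      notify: restart ssh

    - name: "limit allowed users (2/3): Add allowed users to ssh group"
      # NOTE(review): the group named by sshd_allowgroup is not created by
      # this role; it is assumed to exist on the host already.
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        # append keeps the user's existing supplementary groups
        append: true
      with_items: "{{ sshd_allowusers }}"
  when: sshd_allowgroup is defined

# Branch 3/3: no restriction requested; remove both directives.
- name: limit allowed users (3/3)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^Allow(Users|Groups)"
    state: absent
  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
  notify: restart ssh

- name: Set authorized keys for root user
  authorized_key:
    user: root
    # The pipe lookup runs on the control node, so the public keys are read
    # from the playbook's ssh/noc/ directory, not from the managed host.
    key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
    # exclusive replaces the whole authorized_keys file, so keys that are no
    # longer present in ssh/noc/ are removed from the host as well.
    exclusive: true

- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    # quoted so the octal mode is not read as a decimal integer
    mode: "0644"

- name: install basic packages
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - less
    - psmisc
    - sudo
    - htop
    - dstat
    - mtr-tiny
    - tcpdump
    - debian-goodies
    - lsof
    - haveged
    - net-tools
    - ntp
    - screen
    - aptitude
    - unp
    - ca-certificates
    - file
    - zsh
    - python-apt

# systemd-only extras: session bus/PAM integration and XDG_RUNTIME_DIR setup.
- block:
    - name: install systemd specific packages
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - dbus
        - libpam-systemd

    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"
  when: ansible_service_mgr == "systemd"

- name: install zshrc
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  with_items:
    - src: zprofile
      dest: /etc/zsh/zprofile
    - src: zshrc
      dest: /etc/zsh/zshrc
    - src: zshrc.skel
      dest: /etc/skel/.zshrc

- name: set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh
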
106 - name: set default shell for adduser
107   lineinfile: dest=/etc/adduser.conf regexp={{ item.regexp }} line={{ item.line }}
108   with_items:
109     - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }