4 {{ [ 'root' ] | union(user_groups.noc)
5 | union(sshd_allowusers_group | default([]))
6 | union(sshd_allowusers_host | default([])) }}
# Task: pin PermitRootLogin so root can only log in with a public key.
# NOTE(review): "without-password" is the pre-OpenSSH-7.0 spelling; current
# sshd accepts it only as a deprecated alias for "prohibit-password".
# The regexp matches an *active* directive only; a stock "#PermitRootLogin"
# line is left untouched and the new line is appended at EOF (lineinfile
# default), where it would land inside any trailing "Match" block — confirm
# against the target's sshd_config.
# The module line (lineinfile) is not shown in this excerpt; if not already
# present, add validate: '/usr/sbin/sshd -t -f %s' and notify a reload
# handler so a bad edit cannot lock everyone out.
8 - name: only allow pubkey auth for root
10 dest: /etc/ssh/sshd_config
11 regexp: "^PermitRootLogin"
12 line: "PermitRootLogin without-password"
# Task: restrict SSH logins to an explicit AllowUsers list when no group-based
# restriction (sshd_allowgroup) is configured. The list is rendered from
# sshd_allowusers, which above is built starting from ['root'], so root is
# always permitted here.
# "^#?AllowUsers" also rewrites a commented-out default line, so the
# directive is not duplicated.
# NOTE(review): sshd evaluates DenyUsers/AllowUsers/DenyGroups/AllowGroups in
# sequence and a login must pass every stage; if AllowGroups were present as
# well, a user would need to satisfy both. The "2/2" tasks below keep the two
# directives mutually exclusive for that reason.
15 - name: limit allowed users (1/2)
17 dest: /etc/ssh/sshd_config
18 regexp: "^#?AllowUsers"
19 line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
20 when: sshd_allowgroup is not defined
# Task: when group-based restriction is used, drop any AllowUsers directive so
# that only AllowGroups governs access.
# Only "dest" is visible in this excerpt — presumably a regexp of
# "^#?AllowUsers" with state: absent follows; verify, because a stale
# AllowUsers line left in place would additionally have to be satisfied by
# every login.
24 - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
26 dest: /etc/ssh/sshd_config
# Task: limit logins to members of sshd_allowgroup.
# "^#?AllowGroups" also replaces a commented-out default, avoiding duplicates.
# NOTE(review): the rendered "line" value is an unquoted plain scalar — fine
# while sshd_allowgroup is a plain group name; quote the value if it could
# ever start with a YAML indicator. The module line is not shown here; as
# with the other sshd_config edits, validate: '/usr/sbin/sshd -t -f %s' and a
# reload handler are worth confirming.
31 - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
33 dest: /etc/ssh/sshd_config
34 regexp: "^#?AllowGroups"
35 line: AllowGroups {{ sshd_allowgroup }}
# Task: make every entry of sshd_allowusers (root included, per the variable
# definition above) a member of sshd_allowgroup so the AllowGroups rule admits
# them.
# NOTE(review): the user module's "groups" *replaces* the account's
# supplementary groups unless append: yes is set; that key is not visible in
# this excerpt — confirm it is present, otherwise existing memberships
# (sudo, adm, ...) are silently dropped. The name: key is also not shown;
# note that user: creates an account that does not exist yet, so a typo in
# sshd_allowusers would provision a new login rather than fail.
38 - name: "limit allowed users (2/2): Add allowed users to ssh group"
41 groups: "{{ sshd_allowgroup }}"
43 with_items: "{{ sshd_allowusers }}"
45 when: sshd_allowgroup is defined
# Task: install the NOC team's public keys into root's authorized_keys.
# NOTE(review): lookup('pipe', 'cat ssh/noc/*.pub') spawns a shell on the
# controller and resolves the glob relative to the controller's working
# directory, so a run started elsewhere fails (or, with an unmatched glob,
# errors out). Each .pub file must also end with a newline or two keys are
# joined onto one line and both become unusable. The shell-free
# lookup('fileglob', 'ssh/noc/*.pub') with a loop over lookup('file', item)
# avoids both problems.
# The task's remaining parameters are not shown; unless exclusive: yes is set,
# keys deleted from ssh/noc/ remain authorized on already-provisioned hosts.
47 - name: Set authorized keys for root user
50 key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
# Task: stop apt from pulling in Recommends/Suggests, keeping the installed
# surface (and patch burden) smaller. Uses key=value shorthand; in that form
# mode=0644 is passed as a string, so the YAML octal trap does not apply.
53 - name: disable apt suggests and recommends
54 copy: src=02no-recommends dest=/etc/apt/apt.conf.d/ mode=0644
# Task: install the baseline package set; the with_items list follows in
# lines not shown here. One apt invocation per item — passing the whole list
# to name: would be a single transaction with the same end state.
56 - name: install basic packages
57 apt: name={{ item }} state=present
# Task: remove, and purge the configuration of, the grml-etc-core and
# grml-scripts-core packages; the item list follows in lines not shown here.
79 - name: make sure grml-(etc|scripts)-core is not installed
80 apt: name={{ item }} state=absent purge=yes
# Task: packages only wanted on systemd hosts. The item list and —
# presumably, as on the next task — a when: ansible_service_mgr == "systemd"
# guard follow in lines not shown here; confirm the guard is present.
86 - name: install systemd specific packages
87 apt: name={{ item }} state=present
# Task: ship a profile.d snippet (presumably exporting XDG_RUNTIME_DIR, going
# by the file name) for login shells, only on hosts running systemd.
92 - name: set systemd-related environment variables
93 copy: src=xdg_runtime_dir.sh dest=/etc/profile.d/xdg_runtime_dir.sh mode=0644
95 when: ansible_service_mgr == "systemd"
# Task (its name: line is not shown here): install the system-wide zsh
# profile/rc files and the skeleton .zshrc for new accounts, world-readable
# (0644), looping over src/dest pairs.
98 copy: src={{ item.src }} dest={{ item.dest }} mode=0644
100 - { "src": "zprofile", "dest": "/etc/zsh/zprofile" }
101 - { "src": "zshrc", "dest": "/etc/zsh/zshrc" }
102 - { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" }
# Task: switch root's login shell to zsh.
# NOTE(review): /bin/zsh must already be installed on the host (presumably via
# the basic package list above, which is not shown in full) — otherwise root
# logins fail once the shell is changed.
104 - name: set root default shell to zsh
105 user: name=root shell=/bin/zsh
# Task: make zsh the default shell for accounts created with adduser, by
# rewriting the DSHELL line of /etc/adduser.conf. Arguments are unquoted
# key=value shorthand with templated values; DSHELL is the only item visible
# in this excerpt.
107 - name: set default shell for adduser
108 lineinfile: dest=/etc/adduser.conf regexp={{ item.regexp }} line={{ item.line }}
110 - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }