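---
# sshd_allowusers is the union of root, the users in user_groups.noc and
# any per-group / per-host additions. It feeds both the AllowUsers line
# and the AllowGroups membership tasks further down.
- name: compute the list of users allowed to log in via ssh
  set_fact:
    sshd_allowusers: >-
      {{ [ 'root' ] | union(user_groups.noc)
                    | union(sshd_allowusers_group | default([]))
                    | union(sshd_allowusers_host  | default([])) }}
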
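- name: only allow pubkey auth for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    # matches only an active directive; a commented default is left alone
    # and the line is appended at EOF (which lands inside a trailing
    # "Match" block, if the file ends with one)
    regexp: "^PermitRootLogin"
    # 'without-password' is the pre-OpenSSH-7.0 spelling of
    # 'prohibit-password'; current releases accept both
    line: "PermitRootLogin without-password"
    # refuse the edit (and keep the old file) if sshd cannot parse the result
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart ssh
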
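- name: limit allowed users (1/2)
  # AllowUsers is only used when no ssh group is configured; the block
  # below switches to AllowGroups when sshd_allowgroup is defined
  when: sshd_allowgroup is not defined
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ sshd_allowusers | join(' ') }}"
    # AllowUsers is not permitted inside a Match block; a bad placement or
    # a typo is rejected here instead of at the next sshd restart
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart ssh
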
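- when: sshd_allowgroup is defined
  block:
    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh

    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh

    # the user module fails when the group it should append to does not exist
    - name: "limit allowed users (2/2): Make sure the ssh group exists"
      group:
        name: "{{ sshd_allowgroup }}"
        state: present

    # NOTE(review): user with the default state creates an account that does
    # not exist yet; the accounts in sshd_allowusers are presumably created
    # elsewhere before this role runs - confirm
    - name: "limit allowed users (2/2): Add allowed users to ssh group"
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true
      with_items: "{{ sshd_allowusers }}"
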
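- name: Set authorized keys for root user
  authorized_key:
    user: root
    # user_ssh_keys is a project filter plugin (not visible here); "\n"
    # inside double quotes is a real newline, i.e. one key per line
    key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
    # exclusive removes every key not listed here, so stale or unknown
    # keys for root are dropped on each run
    exclusive: true
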
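- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    # quoted: an unquoted 0644 is parsed as the octal integer 420
    mode: "0644"
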
# baseline tool set for every host; kept sorted so additions diff cleanly
# NOTE(review): python-apt is the Python 2 package name - check it still
# exists on the targeted releases
- name: install basic packages
  apt:
    state: present
    name:
      - aptitude
      - ca-certificates
      - command-not-found
      - debian-goodies
      - dstat
      - file
      - haveged
      - htop
      - less
      - lshw
      - lsof
      - man-db
      - mtr-tiny
      - nano
      - net-tools
      - psmisc
      - python-apt
      - screen
      - sudo
      - tcpdump
      - unp
      - zsh

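- when: base_managed_ntpd
  block:
    # only one NTP daemon should be installed; ISC ntpd is replaced by openntpd
    - name: check that ISC ntpd is not installed
      apt:
        name: ntp
        state: absent
        purge: true

    - name: install openntpd
      apt:
        name: openntpd
        state: present

    - name: configure openntpd
      copy:
        dest: /etc/openntpd/ntpd.conf
        content: |
          # Use the ffgraz.net NTP server
          servers ntp.ffgraz.net weight 3

          # Use some servers announced from the NTP Pool
          servers 0.debian.pool.ntp.org
          servers 1.debian.pool.ntp.org

      notify: restart openntpd
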
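- name: make sure grml-(etc|scripts)-core is not installed
  apt:
    name:
      - grml-etc-core
      - grml-scripts-core
    state: absent
    # purge drops the packages' configuration files as well
    purge: true
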
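- when: ansible_service_mgr == "systemd"
  block:
    - name: install systemd specific packages
      apt:
        name:
          - dbus
          - libpam-systemd
        state: present

    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        # quoted: an unquoted 0644 is parsed as the octal integer 420
        mode: "0644"
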
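- when: ansible_distribution == "Ubuntu"
  block:
    - name: workaround console-setup race condition (1/2)
      file:
        path: /etc/systemd/system/console-setup.service.d/
        state: directory

    - name: workaround console-setup race condition (2/2)
      copy:
        # literal block scalar: same bytes as "[Unit]\nAfter=...\n"
        content: |
          [Unit]
          After=systemd-tmpfiles-setup.service
        dest: /etc/systemd/system/console-setup.service.d/override.conf
        mode: "0644"
      # no need to reload systemd here, it is only there to fix a boot-time race-condition
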
# zsh itself is installed by the "install basic packages" task above
- name: set root default shell to zsh
  user:
    shell: /bin/zsh
    name: root

# new accounts created with adduser get zsh as their login shell
- name: set default shell for adduser
  lineinfile:
    dest: /etc/adduser.conf
    regexp: "^#?{{ item.key }}="
    line: "{{ item.key }}={{ item.value }}"
  with_dict:
    DSHELL: /bin/zsh

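# destination path -> source file (relative to the role's files/, or an
# absolute path under global_files_dir)
- name: Deploy default configuration for tools
  copy:
    src: "{{ item.value }}"
    dest: "{{ item.key }}"
    # quoted: an unquoted 0644 is parsed as the octal integer 420
    mode: "0644"
  with_dict:
    /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
    /etc/zsh/zprofile: zprofile
    /etc/zsh/zshrc: zshrc
    /etc/skel/.zshrc: zshrc.skel
  loop_control:
    label: "{{ item.key }}"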