--- /dev/null
+---
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
+ when: "{{ sshd_allowusers_set | default(true) }}"
+ notify: restart ssh
+
+- name: limit allowed users (2/2)
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ when: "not {{ sshd_allowusers_set | default(true) }}"
+ notify: restart ssh
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}"
+ exclusive: yes
+
+- name: disable apt suggests and recommends
+ copy: src=02no-recommends dest=/etc/apt/apt.conf.d/ mode=0644
+
+- name: install basic packages
+ apt: name={{ item }} state=present
+ with_items:
+ - less
+ - psmisc
+ - sudo
+ - htop
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - ntp
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - zsh
+
+- name: install systemd specific packages
+ apt: name={{ item }} state=present
+ with_items:
+ - dbus
+ - libpam-systemd
+ when: ansible_service_mgr == "systemd"
+
+- name: install zshrc
+ copy: src={{ item.src }} dest={{ item.dest }} mode=0640
+ with_items:
+ - { "src": "zshrc", "dest": "/etc/zsh/zshrc" }
+ - { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" }
+
+- name: set root default shell to zsh
+ user: name=root shell=/bin/zsh
+
+- name: set default shell for adduser
+ lineinfile: dest=/etc/adduser.conf regexp={{ item.regexp }} line={{ item.line }}
+ with_items:
+ - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }
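Review bot: The three `lineinfile` edits to `/etc/ssh/sshd_config` (the `PermitRootLogin` task and both `AllowUsers` tasks) hand the file straight to the `restart ssh` handler with no syntax check, so a malformed or mis-placed line locks out the only permitted account, root, on a remote host; add `validate: '/usr/sbin/sshd -t -f %s'` to each of those tasks so the handler never restarts a daemon that would refuse to start. Because `lineinfile` appends at end of file when `^PermitRootLogin` or `^AllowUsers` has no match (the Debian default ships these commented out, as `#PermitRootLogin`), the new directive can land inside a trailing `Match` block and then apply only to that block rather than globally; `insertbefore: BOF` (or `insertbefore: '^Match'` where the Ansible version supports `firstmatch`) keeps it in the global section. `PermitRootLogin without-password` is the legacy spelling — OpenSSH 7.0 and later document `prohibit-password` and keep `without-password` only as an alias, so switch if the targets are that new. The `when: "{{ ... }}"` and `when: "not {{ ... }}"` forms on the `AllowUsers` tasks are bare-Jinja conditionals that newer Ansible releases warn about; `when: sshd_allowusers_set | default(true)` and `when: not (sshd_allowusers_set | default(true))` are the supported form. The `lookup('pipe','cat ssh/noc/*.pub')` feeding `exclusive: yes` replaces every existing root key with whatever that glob resolves to on the controller, so the path presumably needs to be relative to the role/playbook directory — confirm, since an unexpected working directory here fails the task or, worse, installs the wrong key set.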