---
- set_fact:
sshd_allowusers: >-
- {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
| union(sshd_allowusers_host | default([])) }}
- name: only allow pubkey auth for root
lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^PermitRootLogin"
- line: "PermitRootLogin without-password"
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
notify: restart ssh
-- name: limit allowed users (1/3)
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowUsers"
- line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
notify: restart ssh
- block:
- - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers"
state: absent
+ notify: restart ssh
- - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?AllowGroups"
line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
- - name: "limit allowed users (2/3): Add allowed users to ssh group"
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
user:
name: "{{ item }}"
groups: "{{ sshd_allowgroup }}"
when: sshd_allowgroup is defined
-- name: limit allowed users (3/3)
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^Allow(Users|Groups)"
- state: absent
- when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
- notify: restart ssh
-
- name: Set authorized keys for root user
authorized_key:
user: root
exclusive: yes
- name: disable apt suggests and recommends
- copy: src=02no-recommends dest=/etc/apt/apt.conf.d/ mode=0644
+ copy:
+ src: 02no-recommends
+ dest: /etc/apt/apt.conf.d/
+ mode: 0644
- name: install basic packages
- apt: name={{ item }} state=present
- with_items:
- - less
- - psmisc
- - sudo
- - htop
- - dstat
- - mtr-tiny
- - tcpdump
- - debian-goodies
- - lsof
- - haveged
- - net-tools
- - ntp
- - screen
- - aptitude
- - unp
- - ca-certificates
- - file
- - zsh
- - python-apt
+ apt:
+ name:
+ - less
+ - psmisc
+ - sudo
+ - htop
+ - dstat
+ - mtr-tiny
+ - tcpdump
+ - debian-goodies
+ - lsof
+ - haveged
+ - net-tools
+ - ntp
+ - screen
+ - aptitude
+ - unp
+ - ca-certificates
+ - file
+ - zsh
+ - python-apt
+ state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+ apt:
+ name:
+ - grml-etc-core
+ - grml-scripts-core
+ state: absent
+ purge: yes
- block:
- name: install systemd specific packages
- apt: name={{ item }} state=present
- with_items:
- - dbus
- - libpam-systemd
+ apt:
+ name:
+ - dbus
+ - libpam-systemd
+ state: present
- name: set systemd-related environment variables
- copy: src=xdg_runtime_dir.sh dest=/etc/profile.d/xdg_runtime_dir.sh mode=0644
+ copy:
+ src: xdg_runtime_dir.sh
+ dest: /etc/profile.d/xdg_runtime_dir.sh
+ mode: 0644
when: ansible_service_mgr == "systemd"
- name: install zshrc
- copy: src={{ item.src }} dest={{ item.dest }} mode=0644
with_items:
- - { "src": "zprofile", "dest": "/etc/zsh/zprofile" }
- - { "src": "zshrc", "dest": "/etc/zsh/zshrc" }
- - { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" }
+ - src: "zprofile"
+ dest: "/etc/zsh/zprofile"
+ - src: "zshrc"
+ dest: "/etc/zsh/zshrc"
+ - src: "zshrc.skel"
+ dest: "/etc/skel/.zshrc"
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
- name: set root default shell to zsh
- user: name=root shell=/bin/zsh
+ user:
+ name: root
+ shell: /bin/zsh
- name: set default shell for adduser
- lineinfile: dest=/etc/adduser.conf regexp={{ item.regexp }} line={{ item.line }}
with_items:
- - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }
+ - regexp: "^DSHELL"
+ line: "DSHELL=/bin/zsh"
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
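Review bot: `user_groups.noc` on the added line `+ {{ [ 'root' ] | union(user_groups.noc)` has no `| default([])` guard, unlike the two sibling variables folded in on the following lines, so on any host where `user_groups` or its `noc` key is undefined the set_fact fails and the AllowUsers line is never written; if that is not meant to be a hard requirement, `| union(user_groups.noc | default([]))` keeps the task running on such hosts. The file-mode values introduced on the converted copy tasks (`mode: 0644`, three occurrences) are plain scalars: PyYAML reads the leading-zero form as octal, but a YAML 1.2 loader reads it as decimal 644, so quoting them as `mode: "0644"` removes the dependence on the loader (ansible-lint's risky-octal rule flags the unquoted form). `purge: yes` in the new grml removal task is YAML 1.1 truthy syntax; `purge: true` is the canonical spelling and matches the `true`/`false` that strict parsers expect. The re-indented `line: "PermitRootLogin without-password"` keeps the pre-OpenSSH-7.0 alias; `prohibit-password` is the current name for the same setting and is worth adopting while the task is being touched.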