X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=ansible%2Froles%2Fbase%2Ftasks%2Fmain.yaml;h=df3b075ab0b25a113cbae0ff92c5b3508eb84bcd;hb=c6e1016c9a263ee5b156400fb12ff88ba565d3c2;hp=c62d223a5f90ac3fd5903ec5f50d35642a92c702;hpb=41dfd44f1520728da65e43abc6fddfb59b2fed78;p=noc.git diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml index c62d223..df3b075 100644 --- a/ansible/roles/base/tasks/main.yaml +++ b/ansible/roles/base/tasks/main.yaml @@ -1,7 +1,8 @@ --- - set_fact: sshd_allowusers: >- - {{ [ 'root' ] | union(sshd_allowusers_group | default([])) + {{ [ 'root' ] | union(user_groups.noc) + | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([])) }} - name: only allow pubkey auth for root @@ -11,28 +12,30 @@ line: "PermitRootLogin without-password" notify: restart ssh -- name: limit allowed users (1/3) +- name: limit allowed users (1/2) lineinfile: dest: /etc/ssh/sshd_config regexp: "^#?AllowUsers" line: "AllowUsers {{ ' '.join(sshd_allowusers) }}" - when: sshd_allowusers_set is defined and sshd_allowgroup is not defined + when: sshd_allowgroup is not defined notify: restart ssh - block: - - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config" + - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config" lineinfile: dest: /etc/ssh/sshd_config regexp: "^AllowUsers" state: absent + notify: restart ssh - - name: "limit allowed users (2/3): Set AllowGroups in sshd_config" + - name: "limit allowed users (2/2): Set AllowGroups in sshd_config" lineinfile: dest: /etc/ssh/sshd_config regexp: "^#?AllowGroups" line: AllowGroups {{ sshd_allowgroup }} + notify: restart ssh - - name: "limit allowed users (2/3): Add allowed users to ssh group" + - name: "limit allowed users (2/2): Add allowed users to ssh group" user: name: "{{ item }}" groups: "{{ sshd_allowgroup }}" 
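Review bot: `user_groups.noc` is the only term in the new union without `| default([])`, so a host whose vars lack `user_groups` or its `noc` key now fails this set_fact instead of falling through to root plus the optional lists as before. If that is intended — the NOC list is mandatory on every host — a one-line comment above the task such as `# user_groups.noc is required: NOC admins must always be able to log in` would stop the next reader from "fixing" it; otherwise `| union(user_groups.noc | default([]))` keeps the three terms symmetric. The filter also presumes `user_groups.noc` is a flat list of login names, which is worth confirming against the group_vars that define it.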
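Review bot: With the `sshd_allowusers_set` guard dropped, the `limit allowed users (1/2)` task now writes `AllowUsers` on every host without `sshd_allowgroup`, but nothing on that path removes a stale `AllowGroups` line, and the task that used to clear both directives is deleted further down in this commit. sshd applies AllowUsers and AllowGroups together, so a host moved from group-based to user-based restriction keeps the old group filter and the newly listed users can still be rejected. A counterpart to the block's "Make sure AllowUsers is not in sshd_config" task, guarded by `when: sshd_allowgroup is not defined`, closes the gap. The last task in this hunk ("Add allowed users to ssh group") continues past the hunk's end, so its remaining keys are not visible here.
```yaml
# … unchanged: limit allowed users (1/2) AllowUsers task …
- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
  when: sshd_allowgroup is not defined
  notify: restart ssh
# … unchanged: block for sshd_allowgroup …
```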
@@ -41,14 +44,6 @@ when: sshd_allowgroup is defined -- name: limit allowed users (3/3) - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^Allow(Users|Groups)" - state: absent - when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined - notify: restart ssh - - name: Set authorized keys for root user authorized_key: user: root