--- /dev/null
+---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(user_groups.noc)
+ | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
+- name: only allow pubkey auth for root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: restart ssh
+
+- name: limit allowed users (1/2)
+ when: sshd_allowgroup is not defined
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ notify: restart ssh
+
+- block:
+ - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+ notify: restart ssh
+
+ - name: "limit allowed users (2/2): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+ authorized_key:
+ user: root
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
+ exclusive: yes
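Review bot: The four lineinfile tasks that edit /etc/ssh/sshd_config (the PermitRootLogin task, the "limit allowed users (1/2)" task and the two in the 2/2 block) trigger the `restart ssh` handler without validating the edited file, so a typo in `sshd_allowgroup` or a malformed AllowUsers value yields a config sshd refuses to load and can lock out remote access; add `validate: '/usr/sbin/sshd -t -f %s'` to each of them. The two modes are also asymmetric: the 2/2 block removes a stale AllowUsers line before writing AllowGroups, but the 1/2 task leaves any existing AllowGroups line in place, and sshd enforces both directives when both are present, so a host switched back to user mode keeps the old group restriction. The task below, guarded by the same `when: sshd_allowgroup is not defined`, closes that gap. Separately, `exclusive: yes` on the root authorized_key task combined with `PermitRootLogin without-password` means an empty `ssh_users_root` (or a filter result with no keys) strips every root key with no password fallback, so an `assert` that the rendered key list is non-empty before that task is cheap insurance. `append: True` and `exclusive: yes` should also be written as the canonical `true`.
```yaml
- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  when: sshd_allowgroup is not defined
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh
# … unchanged: remaining tasks …
```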
---
-- set_fact:
- sshd_allowusers: >-
- {{ [ 'root' ] | union(user_groups.noc)
- | union(sshd_allowusers_group | default([]))
- | union(sshd_allowusers_host | default([])) }}
-
-- name: only allow pubkey auth for root
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^PermitRootLogin"
- line: "PermitRootLogin without-password"
- notify: restart ssh
-
-- name: limit allowed users (1/2)
- when: sshd_allowgroup is not defined
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowUsers"
- line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
- notify: restart ssh
-
-- block:
- - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
- state: absent
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?AllowGroups"
- line: AllowGroups {{ sshd_allowgroup }}
- notify: restart ssh
-
- - name: "limit allowed users (2/2): Add allowed users to ssh group"
- user:
- name: "{{ item }}"
- groups: "{{ sshd_allowgroup }}"
- append: True
- with_items: "{{ sshd_allowusers }}"
-
- when: sshd_allowgroup is defined
-
-- name: Set authorized keys for root user
- authorized_key:
- user: root
- key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
- exclusive: yes
-
-- name: disable apt suggests and recommends
- copy:
- src: 02no-recommends
- dest: /etc/apt/apt.conf.d/
- mode: 0644
-
-- name: install basic packages
- apt:
- name:
- - less
- - psmisc
- - sudo
- - htop
- - dstat
- - mtr-tiny
- - tcpdump
- - debian-goodies
- - lsof
- - haveged
- - net-tools
- - screen
- - aptitude
- - unp
- - ca-certificates
- - file
- - nano
- - zsh
- - python-apt
- - command-not-found
- - man-db
- - lshw
- state: present
-
-- when: base_managed_ntpd
- block:
- - name: check that ISC ntpd is not installed
- apt:
- name: ntp
- state: absent
- purge: yes
-
- - name: install openntpd
- apt:
- name: openntpd
-
- - name: configure openntpd
- copy:
- dest: /etc/openntpd/ntpd.conf
- content: |
- # Use the ffgraz.net NTP server
- servers ntp.ffgraz.net weight 3
-
- # Use some servers announced from the NTP Pool
- servers 0.debian.pool.ntp.org
- servers 1.debian.pool.ntp.org
-
- notify: restart openntpd
-
-
-- name: make sure grml-(etc|scripts)-core is not installed
- apt:
- name:
- - grml-etc-core
- - grml-scripts-core
- state: absent
- purge: yes
-
-- block:
- - name: install systemd specific packages
- apt:
- name:
- - dbus
- - libpam-systemd
- state: present
-
- - name: set systemd-related environment variables
- copy:
- src: xdg_runtime_dir.sh
- dest: /etc/profile.d/xdg_runtime_dir.sh
- mode: 0644
-
- when: ansible_service_mgr == "systemd"
-
-- block:
- - name: workaround console-setup race condition (1/2)
- file:
- path: /etc/systemd/system/console-setup.service.d/
- state: directory
-
- - name: workaround console-setup race condition (2/2)
- copy:
- content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
- dest: /etc/systemd/system/console-setup.service.d/override.conf
- mode: 0644
- # no need to relaod systemd here, it is only there to fix a boot-time race-condition
-
- when: ansible_distribution == "Ubuntu"
-
-- name: set root default shell to zsh
- user:
- name: root
- shell: /bin/zsh
-
-- name: set default shell for adduser
- with_dict:
- DSHELL: /bin/zsh
- lineinfile:
- dest: /etc/adduser.conf
- regexp: "^#?{{ item.key }}="
- line: "{{ item.key }}={{ item.value }}"
-
-- name: Deploy default configuration for tools
- with_dict:
- /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
-
- /etc/zsh/zprofile: zprofile
- /etc/zsh/zshrc: zshrc
- /etc/skel/.zshrc: zshrc.skel
-
- loop_control:
- label: "{{ item.key }}"
- copy:
- mode: 0644
- src: "{{ item.value }}"
- dest: "{{ item.key }}"
+- import_tasks: 01ssh.yml
+- import_tasks: 02debian.yml
+- import_tasks: 03ntp.yml
+- when: ansible_service_mgr == "systemd"
+ import_tasks: 04systemd.yml
+- import_tasks: 05tools.yml
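Review bot: Only the systemd import carries its guard; the `when: base_managed_ntpd` that wrapped the old ntp block and the `when: ansible_distribution == "Ubuntu"` on the console-setup block do not appear on `import_tasks: 03ntp.yml` or `04systemd.yml`, so unless those conditions were moved inside the new files (not visible here), the openntpd tasks now run on every host and the Ubuntu-only override lands on every systemd host. Keeping the guard on the import, as already done for 04systemd.yml, makes the per-file conditions visible from main.yml: `- when: base_managed_ntpd` followed by `import_tasks: 03ntp.yml`. The new 01ssh.yml reproduces the removed ssh tasks line for line; the other four imported files are outside this diff, so their contents could not be checked against the tasks removed here.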