From c6e1016c9a263ee5b156400fb12ff88ba565d3c2 Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@realraum.at>
Date: Fri, 17 Nov 2017 14:22:41 +0100
Subject: [PATCH] ansible/role/base: Fixup the sshd_allowusers mess

---
 ansible/group_vars/all             |   27 +++++++++++++++++++++++++++
 ansible/host_vars/ctf              |    2 +-
 ansible/roles/base/tasks/main.yaml |   23 +++++++++--------------
 3 files changed, 37 insertions(+), 15 deletions(-)
 create mode 100644 ansible/group_vars/all

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
new file mode 100644
index 0000000..3037b7e
--- /dev/null
+++ b/ansible/group_vars/all
@@ -0,0 +1,27 @@
+user_groups:
+  noc:
+    - equinox
+    - gebi
+    - nicoo
+    - bernhard
+
+users:
+  equinox:
+    email: equinox@realraum.at
+    gpg:   0xD74907C9E64E6CED8FE3
+
+  gebi:
+    email: michael@mgeb.org
+    gpg:   0x6E302CF4D98B9702
+
+  nicoo:
+    email: nicolas@braud-santoni.eu
+    gpg:   0x3F41B0739AAD91B7CDC0
+
+  bernhard:
+    email: xro@realraum.at
+    gpg:   0xE3468B9CE81EB4F91486
+
+noc_groups:
+  - adm
+  - sudo
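Review bot: The `gpg` values on the `equinox`, `gebi`, `nicoo` and `bernhard` entries are unquoted and every one of them consists solely of `0x` followed by hex digits, which the YAML 1.1 loader Ansible uses resolves as a hexadecimal integer rather than a string; the fingerprint will reach any template as a decimal number with its `0x` prefix and exact spelling lost. Quote each one as a string, e.g. `gpg: '0xD74907C9E64E6CED8FE3'`, and the same for the other three. The extra spaces after `gpg:` are presumably for alignment and are harmless, but the new file also lacks the leading `---` that the role's tasks file uses. Nothing in this patch reads `noc_groups`; if it is reserved for a follow-up, a one-line comment saying so would stop it from looking dead.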
diff --git a/ansible/host_vars/ctf b/ansible/host_vars/ctf
index bbd7e60..15b2514 100644
--- a/ansible/host_vars/ctf
+++ b/ansible/host_vars/ctf
@@ -1,3 +1,3 @@
-sshd_allowusers_set:
+sshd_allowusers_host:
   - f0rki
   - verr
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
index c62d223..df3b075 100644
--- a/ansible/roles/base/tasks/main.yaml
+++ b/ansible/roles/base/tasks/main.yaml
@@ -1,7 +1,8 @@
 ---
 - set_fact:
     sshd_allowusers: >-
-      {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+      {{ [ 'root' ] | union(user_groups.noc)
+                    | union(sshd_allowusers_group | default([]))
                     | union(sshd_allowusers_host  | default([])) }}
 
 - name: only allow pubkey auth for root
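Review bot: The `set_fact` task has no `name:`, so a reader of the play output sees only "set_fact" for the step that decides who may log in over SSH; given that the union now draws from three sources plus `root`, a name spelling that out is worth adding, e.g. `- name: "Compute sshd AllowUsers: root + user_groups.noc + per-group + per-host lists"`. The new `union(user_groups.noc)` term has no `default([])` unlike its two neighbours, which means a missing `user_groups` fails the play loudly rather than silently producing `AllowUsers root`; for an allowlist that is arguably the better behaviour, but a short comment stating that it is deliberate would keep a later editor from "fixing" it.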
@@ -11,28 +12,30 @@
      line: "PermitRootLogin without-password"
   notify: restart ssh
 
-- name: limit allowed users (1/3)
+- name: limit allowed users (1/2)
   lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "^#?AllowUsers"
      line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
-  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
+  when: sshd_allowgroup is not defined
   notify: restart ssh
 
 - block:
-    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
       lineinfile:
         dest: /etc/ssh/sshd_config
         regexp: "^AllowUsers"
         state: absent
+      notify: restart ssh
 
-    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
       lineinfile:
         dest: /etc/ssh/sshd_config
         regexp: "^#?AllowGroups"
         line: AllowGroups {{ sshd_allowgroup }}
+      notify: restart ssh
 
-    - name: "limit allowed users (2/3): Add allowed users to ssh group"
+    - name: "limit allowed users (2/2): Add allowed users to ssh group"
       user:
         name: "{{ item }}"
         groups: "{{ sshd_allowgroup }}"
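Review bot: The `when: sshd_allowgroup is not defined` branch now writes `AllowUsers` unconditionally, but with the `(3/3)` task removed in the last hunk nothing in that branch deletes an `AllowGroups` line left behind by an earlier run on which `sshd_allowgroup` was defined; sshd enforces both directives when both are present, so a user in the computed `AllowUsers` list but outside the stale group would be locked out, and `root` would be too if it is not in that group. The `sshd_allowgroup is defined` block already handles the mirror case by removing `AllowUsers`, so the AllowUsers branch should get the same cleanup task, with its own `notify: restart ssh`. The `block:` that begins in this hunk ends outside it (its `when:` is in the next hunk), and the `user:` task's remaining keys are also out of view.
```yaml
# … unchanged: limit allowed users (1/2) AllowUsers task …

- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: "^AllowGroups"
     state: absent
  when: sshd_allowgroup is not defined
  notify: restart ssh

# … unchanged: block for the sshd_allowgroup case …
```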
@@ -41,14 +44,6 @@
 
   when: sshd_allowgroup is defined
 
-- name: limit allowed users (3/3)
-  lineinfile:
-     dest: /etc/ssh/sshd_config
-     regexp: "^Allow(Users|Groups)"
-     state: absent
-  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
-  notify: restart ssh
-
 - name: Set authorized keys for root user
   authorized_key:
     user: root
-- 
1.7.10.4