ansible/roles/base/tasks/main.yml

   1 ---
   2 - set_fact:
   3     sshd_allowusers: >-
   4       {{ [ 'root' ] | union(user_groups.noc)
   5                     | union(sshd_allowusers_group | default([]))
   6                     | union(sshd_allowusers_host  | default([])) }}
   7
   8 - name: only allow pubkey auth for root
   9   lineinfile:
  10     dest: /etc/ssh/sshd_config
  11     regexp: "^PermitRootLogin"
  12     line: "PermitRootLogin without-password"
  13   notify: restart ssh
  14
  15 - name: limit allowed users (1/2)
  16   when: sshd_allowgroup is not defined
  17   lineinfile:
  18     dest: /etc/ssh/sshd_config
  19     regexp: "^#?AllowUsers"
  20     line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
  21   notify: restart ssh
  22
  23 - block:
  24     - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
  25       lineinfile:
  26         dest: /etc/ssh/sshd_config
  27         regexp: "^AllowUsers"
  28         state: absent
  29       notify: restart ssh
  30
  31     - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
  32       lineinfile:
  33         dest: /etc/ssh/sshd_config
  34         regexp: "^#?AllowGroups"
  35         line: AllowGroups {{ sshd_allowgroup }}
  36       notify: restart ssh
  37
  38     - name: "limit allowed users (2/2): Add allowed users to ssh group"
  39       user:
  40         name: "{{ item }}"
  41         groups: "{{ sshd_allowgroup }}"
  42         append: True
  43       with_items: "{{ sshd_allowusers }}"
  44
  45   when: sshd_allowgroup is defined
  46
  47 - name: Set authorized keys for root user
  48   authorized_key:
  49     user: root
  50     key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
  51     exclusive: yes
  52
  53 - name: disable apt suggests and recommends
  54   copy:
  55     src: 02no-recommends
  56     dest: /etc/apt/apt.conf.d/
  57     mode: 0644
  58
  59 - name: install basic packages
  60   apt:
  61     name:
  62       - less
  63       - psmisc
  64       - sudo
  65       - htop
  66       - dstat
  67       - mtr-tiny
  68       - tcpdump
  69       - debian-goodies
  70       - lsof
  71       - haveged
  72       - net-tools
  73       - screen
  74       - aptitude
  75       - unp
  76       - ca-certificates
  77       - file
  78       - nano
  79       - zsh
  80       - python-apt
  81       - command-not-found
  82       - man-db
  83       - lshw
  84     state: present
  85
  86 - when: base_managed_ntpd
  87   block:
  88     - name: check that ISC ntpd is not installed
  89       apt:
  90         name: ntp
  91         state: absent
  92         purge: yes
  93
  94     - name: install openntpd
  95       apt:
  96         name: openntpd
  97
  98     - name: configure openntpd
  99       copy:
 100         dest: /etc/openntpd/ntpd.conf
 101         content: |
 102           # Use the ffgraz.net NTP server
 103           servers ntp.ffgraz.net weight 3
 104
 105           # Use some servers announced from the NTP Pool
 106           servers 0.debian.pool.ntp.org
 107           servers 1.debian.pool.ntp.org
 108
 109       notify: restart openntpd
 110
 111
 112 - name: make sure grml-(etc|scripts)-core is not installed
 113   apt:
 114     name:
 115       - grml-etc-core
 116       - grml-scripts-core
 117     state: absent
 118     purge: yes
 119
 120 - block:
 121     - name: install systemd specific packages
 122       apt:
 123         name:
 124           - dbus
 125           - libpam-systemd
 126         state: present
 127
 128     - name: set systemd-related environment variables
 129       copy:
 130         src: xdg_runtime_dir.sh
 131         dest: /etc/profile.d/xdg_runtime_dir.sh
 132         mode: 0644
 133
 134   when: ansible_service_mgr == "systemd"
 135
 136 - block:
 137     - name: workaround console-setup race condition (1/2)
 138       file:
 139         path: /etc/systemd/system/console-setup.service.d/
 140         state: directory
 141
 142     - name: workaround console-setup race condition (2/2)
 143       copy:
 144         content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
 145         dest: /etc/systemd/system/console-setup.service.d/override.conf
 146         mode: 0644
 147       # no need to relaod systemd here, it is only there to fix a boot-time race-condition
 148
 149   when: ansible_distribution == "Ubuntu"
 150
 151 - name: set root default shell to zsh
 152   user:
 153     name: root
 154     shell: /bin/zsh
 155
 156 - name: set default shell for adduser
 157   with_dict:
 158     DSHELL: /bin/zsh
 159   lineinfile:
 160     dest: /etc/adduser.conf
 161     regexp: "^#?{{ item.key }}="
 162     line: "{{ item.key }}={{ item.value }}"
 163
 164 - name: Deploy default configuration for tools
 165   with_dict:
 166     /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
 167
 168     /etc/zsh/zprofile: zprofile
 169     /etc/zsh/zshrc: zshrc
 170     /etc/skel/.zshrc: zshrc.skel
 171
 172   loop_control:
 173     label: "{{ item.key }}"
 174   copy:
 175     mode: 0644
 176     src: "{{ item.value }}"
 177     dest: "{{ item.key }}"