4 {{ [ 'root' ] | union(user_groups.noc)
5 | union(sshd_allowusers_group | default([]))
6 | union(sshd_allowusers_host | default([])) }}
8 - name: only allow pubkey auth for root
10 dest: /etc/ssh/sshd_config
11 regexp: "^PermitRootLogin"
12 line: "PermitRootLogin without-password"
15 - name: limit allowed users (1/2)
16 when: sshd_allowgroup is not defined
18 dest: /etc/ssh/sshd_config
19 regexp: "^#?AllowUsers"
20 line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
24 - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
26 dest: /etc/ssh/sshd_config
31 - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
33 dest: /etc/ssh/sshd_config
34 regexp: "^#?AllowGroups"
35 line: AllowGroups {{ sshd_allowgroup }}
38 - name: "limit allowed users (2/2): Add allowed users to ssh group"
41 groups: "{{ sshd_allowgroup }}"
43 with_items: "{{ sshd_allowusers }}"
45 when: sshd_allowgroup is defined
47 - name: Set authorized keys for root user
50 ### TODO: this lookup doesn't work if the playbook lives in another directory
51 ### replace this with variables!!!
52 key: "{{ lookup('pipe','cat ../ssh/noc/*.pub') }}"
55 - name: disable apt suggests and recommends
58 dest: /etc/apt/apt.conf.d/
61 - name: install basic packages
85 - name: make sure grml-(etc|scripts)-core is not installed
94 - name: install systemd specific packages
101 - name: set systemd-related environment variables
103 src: xdg_runtime_dir.sh
104 dest: /etc/profile.d/xdg_runtime_dir.sh
107 when: ansible_service_mgr == "systemd"
109 - name: install zshrc
112 dest: "/etc/zsh/zprofile"
114 dest: "/etc/zsh/zshrc"
116 dest: "/etc/skel/.zshrc"
118 src: "{{ item.src }}"
119 dest: "{{ item.dest }}"
122 - name: set root default shell to zsh
127 - name: set default shell for adduser
130 line: "DSHELL=/bin/zsh"
132 dest: /etc/adduser.conf
133 regexp: "{{ item.regexp }}"
134 line: "{{ item.line }}"