installer role works now but still has issues
---
# Build the set of accounts allowed to log in over SSH: root, the "noc" entry
# of user_groups, plus optional per-group and per-host additions. union()
# de-duplicates, so listing a user twice is harmless. The result is consumed by
# the AllowUsers / AllowGroups tasks further down in this file.
- name: compute list of users allowed to log in via ssh
  set_fact:
    sshd_allowusers: >-
      {{ ['root']
         | union(user_groups.noc)
         | union(sshd_allowusers_group | default([]))
         | union(sshd_allowusers_host | default([])) }}

# Root may still log in over SSH, but only with a key. "without-password" is the
# pre-OpenSSH-7.0 spelling of "prohibit-password"; newer releases still accept
# it, so it is kept for older targets. lineinfile appends the directive at EOF
# when no uncommented PermitRootLogin line exists -- NOTE(review): if
# sshd_config ends in a "Match" block the appended line would land inside that
# block; an insertbefore on "^Match" would avoid this, confirm before changing.
- name: only allow pubkey auth for root
  notify: restart ssh
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin without-password'

# Mode 1 of 2: no sshd_allowgroup configured, so restrict logins with an
# explicit AllowUsers line built from sshd_allowusers. The regexp also matches
# a commented-out "#AllowUsers" so a stock line is replaced, not duplicated.
# NOTE(review): an AllowGroups line left over from the group-based mode is not
# removed here, so both directives would apply at once (a user must then match
# both) -- the mirror of the "state: absent" task in the block below.
- name: limit allowed users (1/2)
  when: sshd_allowgroup is not defined
  notify: restart ssh
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?AllowUsers'
    line: "AllowUsers {{ sshd_allowusers | join(' ') }}"

# Mode 2 of 2: sshd_allowgroup is configured, so restrict logins to members of
# that Unix group and drop any AllowUsers line so the two directives do not
# stack. Each allowed user is appended to the group; existing group
# memberships are kept. The ssh restart runs as a handler at the end of the
# play, i.e. after the group memberships below are in place.
# NOTE(review): the user module creates an account that does not exist yet and
# fails if the group itself is missing -- presumably both are handled
# elsewhere in the role; confirm.
- block:
    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
      notify: restart ssh
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        state: absent

    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
      notify: restart ssh
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?AllowGroups'
        line: "AllowGroups {{ sshd_allowgroup }}"

    - name: "limit allowed users (2/2): Add allowed users to ssh group"
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true
      with_items: "{{ sshd_allowusers }}"
  when: sshd_allowgroup is defined

# Replace root's authorized_keys with the NOC team keys. "exclusive" means any
# key not produced by the lookup (e.g. one left behind by provisioning) is
# removed, so the lookup output must be the complete intended key set.
# The pipe lookup runs "cat" through a shell on the control host, relative to
# the directory ansible-playbook was started from -- hence the TODO below.
# NOTE(review): if the glob matches nothing, cat should exit non-zero and the
# pipe lookup abort the task instead of wiping root's keys; verify this on the
# Ansible version in use.
# TODO: this lookup does not work if the playbook lives in another directory;
#       replace it with variables (or a file/fileglob lookup rooted in the role).
- name: Set authorized keys for root user
  authorized_key:
    user: root
    exclusive: true
    key: "{{ lookup('pipe','cat ../ssh/noc/*.pub') }}"

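# Ship an apt.conf.d snippet that stops apt from pulling in Suggests and
# Recommends. dest is a directory, so the file keeps its source name.
# The mode is quoted: an unquoted leading-zero number is parsed as YAML 1.1
# octal and silently becomes an integer, which is the usual source of wrong
# file permissions in Ansible tasks.
- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    mode: "0644"
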
# Baseline tool set for every host. "present" installs what is missing and
# never upgrades an installed package. The list is sorted alphabetically so
# additions diff cleanly.
# NOTE(review): python-apt is the Python 2 binding (newer Debian releases ship
# python3-apt) -- confirm this matches the targeted releases.
- name: install basic packages
  apt:
    state: present
    name:
      - aptitude
      - ca-certificates
      - debian-goodies
      - dstat
      - file
      - haveged
      - htop
      - less
      - lsof
      - mtr-tiny
      - net-tools
      - ntp
      - psmisc
      - python-apt
      - screen
      - sudo
      - tcpdump
      - unp
      - zsh

# The grml config packages would override the zsh setup shipped below, so
# remove them together with their configuration files (purge).
- name: make sure grml-(etc|scripts)-core is not installed
  apt:
    state: absent
    purge: true
    name:
      - grml-etc-core
      - grml-scripts-core

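# Only on hosts whose init system is systemd: install the D-Bus / PAM glue
# and export XDG_RUNTIME_DIR for login shells via /etc/profile.d.
# The mode is quoted so YAML does not turn the leading-zero octal into an
# integer.
- block:
    - name: install systemd specific packages
      apt:
        state: present
        name:
          - dbus
          - libpam-systemd

    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"
  when: ansible_service_mgr == "systemd"
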
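# Deploy the system-wide zsh configuration plus the skeleton .zshrc copied
# into every new home directory. zsh itself comes from the basic-packages task
# above. The mode is quoted so YAML does not reinterpret the leading-zero octal.
- name: install zshrc
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  with_items:
    - src: zprofile
      dest: /etc/zsh/zprofile
    - src: zshrc
      dest: /etc/zsh/zshrc
    - src: zshrc.skel
      dest: /etc/skel/.zshrc
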
# Switch root's login shell to zsh (installed by the basic-packages task).
- name: set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh

# Make zsh the default shell that adduser assigns to new accounts. The
# original single-item loop is collapsed into a plain lineinfile call; a
# commented-out "#DSHELL" line is not matched, in which case the line is
# appended at the end of adduser.conf.
- name: set default shell for adduser
  lineinfile:
    dest: /etc/adduser.conf
    regexp: '^DSHELL'
    line: 'DSHELL=/bin/zsh'