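---
# Base setup for Debian/Ubuntu hosts: SSH access restrictions, root keys,
# apt defaults, basic tooling, NTP, systemd tweaks and default shells.
# The handlers "restart ssh" and "restart openntpd" are defined outside
# this file.

# Accounts allowed to log in over SSH: root, the NOC group and any
# per-group / per-host additions. Written as a folded scalar so the
# pipeline stays readable; it folds back to a single Jinja expression.
- name: build list of users allowed to log in via ssh
  set_fact:
    sshd_allowusers: >-
      {{ [ 'root' ]
      | union(user_groups.noc)
      | union(sshd_allowusers_group | default([]))
      | union(sshd_allowusers_host | default([])) }}

# Root may only log in with a key. "without-password" is the older
# spelling of "prohibit-password" and is still accepted as an alias.
# The regexp does not match the commented default line, so on a stock
# config the directive is appended at end of file.
# NOTE(review): if sshd_config ends with a Match block, an appended
# directive lands inside it; insertbefore: BOF would avoid that — confirm
# against the target hosts before changing.
- name: only allow pubkey auth for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin without-password"
  notify: restart ssh

# Variant 1: no group configured, restrict by explicit user list.
- name: limit allowed users (1/2)
  when: sshd_allowgroup is not defined
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
  notify: restart ssh

# Variant 2: a group is configured, restrict by AllowGroups and put the
# allowed users into that group. AllowUsers is removed so the two
# directives cannot contradict each other.
- when: sshd_allowgroup is defined
  block:
    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
      notify: restart ssh

    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
      notify: restart ssh

    # NOTE(review): the user module creates any listed account that does
    # not yet exist on the host (state defaults to present) — confirm that
    # is intended for every entry in sshd_allowusers.
    - name: "limit allowed users (2/2): Add allowed users to ssh group"
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true
      with_items: "{{ sshd_allowusers }}"

# exclusive: true makes ssh_keys_root the complete key set for root;
# any key not in that list is removed from authorized_keys.
- name: Set authorized keys for root user
  authorized_key:
    user: root
    key: "{{ ssh_keys_root | join('\n') }}"
    exclusive: true

# File modes are quoted so the leading zero survives YAML parsing
# (an unquoted 0644 is read as the integer 420).
- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    mode: "0644"

# NOTE(review): python-apt is the Python 2 binding; releases that only
# ship python3-apt will fail here — confirm for the target release.
- name: install basic packages
  apt:
    name:
      - less
      - psmisc
      - sudo
      - htop
      - dstat
      - mtr-tiny
      - tcpdump
      - debian-goodies
      - lsof
      - haveged
      - net-tools
      - screen
      - aptitude
      - unp
      - ca-certificates
      - file
      - nano
      - zsh
      - python-apt
      - command-not-found
      - man-db
      - lshw
    state: present

# Time sync: replace ISC ntpd with openntpd when this role manages NTP.
- when: base_managed_ntpd
  block:
    - name: check that ISC ntpd is not installed
      apt:
        name: ntp
        state: absent
        purge: true

    - name: install openntpd
      apt:
        name: openntpd

    - name: configure openntpd
      copy:
        dest: /etc/openntpd/ntpd.conf
        content: |
          # Use the ffgraz.net NTP server
          servers ntp.ffgraz.net weight 3
          # Use some servers announced from the NTP Pool
          servers 0.debian.pool.ntp.org
          servers 1.debian.pool.ntp.org
      notify: restart openntpd

- name: make sure grml-(etc|scripts)-core is not installed
  apt:
    name:
      - grml-etc-core
      - grml-scripts-core
    state: absent
    purge: true

# systemd-only bits: logind integration and XDG_RUNTIME_DIR for shells.
- when: ansible_service_mgr == "systemd"
  block:
    - name: install systemd specific packages
      apt:
        name:
          - dbus
          - libpam-systemd
        state: present

    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"

# Ubuntu only: order console-setup after tmpfiles setup.
- when: ansible_distribution == "Ubuntu"
  block:
    - name: workaround console-setup race condition (1/2)
      file:
        path: /etc/systemd/system/console-setup.service.d/
        state: directory

    # No need to reload systemd here; the drop-in only fixes a boot-time
    # race condition and takes effect on the next boot.
    - name: workaround console-setup race condition (2/2)
      copy:
        content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
        dest: /etc/systemd/system/console-setup.service.d/override.conf
        mode: "0644"

- name: set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh

# Default shell for accounts created with adduser.
- name: set default shell for adduser
  with_dict:
    DSHELL: /bin/zsh
  lineinfile:
    dest: /etc/adduser.conf
    regexp: "^#?{{ item.key }}="
    line: "{{ item.key }}={{ item.value }}"

# Key: destination path on the host; value: source file in the role (or
# an absolute path under global_files_dir).
- name: Deploy default configuration for tools
  with_dict:
    /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
    /etc/zsh/zprofile: zprofile
    /etc/zsh/zshrc: zshrc
    /etc/skel/.zshrc: zshrc.skel
  loop_control:
    label: "{{ item.key }}"
  copy:
    mode: "0644"
    src: "{{ item.value }}"
    dest: "{{ item.key }}"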