X-Git-Url: https://git.realraum.at/?p=noc.git;a=blobdiff_plain;f=ansible%2Froles%2Fbase%2Ftasks%2Fmain.yml;h=1bf424304f62214f0346f543633024228016ef1f;hp=b148a6dc44a58c6cb96fc6384ff984108eb9434b;hb=6150678824b1a67026d65a04835947cc22d32864;hpb=986993ce55989c8dd1509981f8ff8e5c8a6328ab
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index b148a6d..1bf4243 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -1,177 +1,7 @@ --- -- set_fact: - sshd_allowusers: >- - {{ [ 'root' ] | union(user_groups.noc) - | union(sshd_allowusers_group | default([])) - | union(sshd_allowusers_host | default([])) }} - -- name: only allow pubkey auth for root - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PermitRootLogin" - line: "PermitRootLogin without-password" - notify: restart ssh - -- name: limit allowed users (1/2) - when: sshd_allowgroup is not defined - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowUsers" - line: "AllowUsers {{ ' '.join(sshd_allowusers) }}" - notify: restart ssh - -- block: - - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - state: absent - notify: restart ssh - - - name: "limit allowed users (2/2): Set AllowGroups in sshd_config" - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#?AllowGroups" - line: AllowGroups {{ sshd_allowgroup }} - notify: restart ssh - - - name: "limit allowed users (2/2): Add allowed users to ssh group" - user: - name: "{{ item }}" - groups: "{{ sshd_allowgroup }}" - append: True - with_items: "{{ sshd_allowusers }}" - - when: sshd_allowgroup is defined - -- name: Set authorized keys for root user - authorized_key: - user: root - key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}" - exclusive: yes - -- name: disable apt suggests and recommends - copy: - src: 02no-recommends - dest: /etc/apt/apt.conf.d/ - mode: 0644 - -- name: install basic packages - apt: - name: - - less - - psmisc - - sudo - - htop - - dstat - - mtr-tiny - - tcpdump - - debian-goodies - - lsof - - haveged - - net-tools - - screen - - aptitude - - unp - - ca-certificates - - file - - nano - - zsh - - python-apt - - command-not-found - - man-db - - lshw - state: present - -- when: base_managed_ntpd - block: - - name: check that ISC ntpd is not installed - apt: - name: ntp - state: absent - purge: yes - - - name: install openntpd - apt: 
- name: openntpd
-
- - name: configure openntpd
- copy:
- dest: /etc/openntpd/ntpd.conf
- content: |
- # Use the ffgraz.net NTP server
- servers ntp.ffgraz.net weight 3
-
- # Use some servers announced from the NTP Pool
- servers 0.debian.pool.ntp.org
- servers 1.debian.pool.ntp.org
-
- notify: restart openntpd
-
-- name: make sure grml-(etc|scripts)-core is not installed
- apt:
- name:
- - grml-etc-core
- - grml-scripts-core
- state: absent
- purge: yes
-
-- block:
- - name: install systemd specific packages
- apt:
- name:
- - dbus
- - libpam-systemd
- state: present
-
- - name: set systemd-related environment variables
- copy:
- src: xdg_runtime_dir.sh
- dest: /etc/profile.d/xdg_runtime_dir.sh
- mode: 0644
-
- when: ansible_service_mgr == "systemd"
-
-- block:
- - name: workaround console-setup race condition (1/2)
- file:
- path: /etc/systemd/system/console-setup.service.d/
- state: directory
-
- - name: workaround console-setup race condition (2/2)
- copy:
- content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
- dest: /etc/systemd/system/console-setup.service.d/override.conf
- mode: 0644
- # no need to relaod systemd here, it is only there to fix a boot-time race-condition
-
- when: ansible_distribution == "Ubuntu"
-
-- name: set root default shell to zsh
- user:
- name: root
- shell: /bin/zsh
-
-- name: set default shell for adduser
- with_dict:
- DSHELL: /bin/zsh
- lineinfile:
- dest: /etc/adduser.conf
- regexp: "^#?{{ item.key }}="
- line: "{{ item.key }}={{ item.value }}"
-
-- name: Deploy default configuration for tools
- with_dict:
- /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
-
- /etc/zsh/zprofile: zprofile
- /etc/zsh/zshrc: zshrc
- /etc/skel/.zshrc: zshrc.skel
-
- loop_control:
- label: "{{ item.key }}"
- copy:
- mode: 0644
- src: "{{ item.value }}"
- dest: "{{ item.key }}"
+- import_tasks: 01ssh.yml
+- import_tasks: 02debian.yml
+- import_tasks: 03ntp.yml
+- when: ansible_service_mgr == "systemd"
+ import_tasks: 04systemd.yml
+- import_tasks: 05tools.yml
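Review bot: The NTP import on the new side carries no condition, whereas the removed block gated the purge of ISC ntp and the openntpd install on `base_managed_ntpd`; unless 03ntp.yml carries that `when` itself (that file is not in this diff), hosts that previously opted out will now have their NTP daemon replaced. Mirror the systemd import: `- when: base_managed_ntpd` / `  import_tasks: 03ntp.yml`. Keep in mind that a `when` on `import_tasks` is copied onto every imported task rather than skipping the file as a unit, so it is re-evaluated per task and any task inside that must run regardless needs its own condition. The SSH hardening (PermitRootLogin without-password, the AllowUsers/AllowGroups handling, root `authorized_key` with `exclusive: yes`) now lives in 01ssh.yml, which this hunk does not show; confirm it moved intact, because a dropped `exclusive: yes` or AllowUsers line widens root SSH access without any failure in the play.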