ansible/role/base: Fixup the sshd_allowusers mess
authornicoo <nicoo@realraum.at>
Fri, 17 Nov 2017 13:22:41 +0000 (14:22 +0100)
committernicoo <nicoo@realraum.at>
Fri, 17 Nov 2017 13:46:57 +0000 (14:46 +0100)
ansible/group_vars/all [new file with mode: 0644]
ansible/host_vars/ctf
ansible/roles/base/tasks/main.yaml

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
new file mode 100644 (file)
index 0000000..3037b7e
--- /dev/null
@@ -0,0 +1,27 @@
+user_groups:
+  noc:
+    - equinox
+    - gebi
+    - nicoo
+    - bernhard
+
+users:
+  equinox:
+    email: equinox@realraum.at
+    gpg:   0xD74907C9E64E6CED8FE3
+
+  gebi:
+    email: michael@mgeb.org
+    gpg:   0x6E302CF4D98B9702
+
+  nicoo:
+    email: nicolas@braud-santoni.eu
+    gpg:   0x3F41B0739AAD91B7CDC0
+
+  bernhard:
+    email: xro@realraum.at
+    gpg:   0xE3468B9CE81EB4F91486
+
+noc_groups:
+  - adm
+  - sudo
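Review bot: The four `gpg:` values are unquoted `0x…` scalars consisting entirely of hex digits, so a YAML 1.1 loader (which is what Ansible's PyYAML-based loader uses) resolves them as integers rather than key-ID strings; anything that later renders them, such as a `gpg --recv-keys` call or an authorized_keys comment, gets a decimal number, and a future ID that happens to contain a non-hex character would silently stay a string, so the type would differ per user. Quote them, e.g. `gpg: '0xD74907C9E64E6CED8FE3'`, and do the same for any ID added later. These are 16- and 20-hex-digit IDs rather than full 40-digit fingerprints; I can't see from this file how they are consumed, but if they are used to fetch or trust keys the full fingerprint is the safer identifier since shorter IDs can be collided. The new file also lacks the `---` document start that the role's task file uses.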
index bbd7e60..15b2514 100644 (file)
@@ -1,3 +1,3 @@
-sshd_allowusers_set:
+sshd_allowusers_host:
   - f0rki
   - verr
index c62d223..df3b075 100644 (file)
@@ -1,7 +1,8 @@
 ---
 - set_fact:
     sshd_allowusers: >-
-      {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+      {{ [ 'root' ] | union(user_groups.noc)
+                    | union(sshd_allowusers_group | default([]))
                     | union(sshd_allowusers_host  | default([])) }}
 
 - name: only allow pubkey auth for root
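Review bot: `user_groups.noc` is the only input to the union without a `| default([])`, so a play where `group_vars/all` is not loaded, or where `user_groups` has no `noc` key, fails at this `set_fact` instead of producing a shorter list. Failing here is the safer outcome for an AllowUsers list, but the asymmetry with the two guarded inputs reads as accidental; if it is deliberate, a comment would stop someone from "fixing" it later, e.g. `# NOC members are always allowed in; a missing user_groups.noc is a deliberate hard failure`. If it is not deliberate, `union(user_groups.noc | default([]))` matches the other two, at the cost of silently shrinking the list.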
      line: "PermitRootLogin without-password"
   notify: restart ssh
 
-- name: limit allowed users (1/3)
+- name: limit allowed users (1/2)
   lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "^#?AllowUsers"
      line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
-  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
+  when: sshd_allowgroup is not defined
   notify: restart ssh
 
 - block:
-    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
       lineinfile:
         dest: /etc/ssh/sshd_config
         regexp: "^AllowUsers"
         state: absent
+      notify: restart ssh
 
-    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
       lineinfile:
         dest: /etc/ssh/sshd_config
         regexp: "^#?AllowGroups"
         line: AllowGroups {{ sshd_allowgroup }}
+      notify: restart ssh
 
-    - name: "limit allowed users (2/3): Add allowed users to ssh group"
+    - name: "limit allowed users (2/2): Add allowed users to ssh group"
       user:
         name: "{{ item }}"
         groups: "{{ sshd_allowgroup }}"
 
   when: sshd_allowgroup is defined
 
-- name: limit allowed users (3/3)
-  lineinfile:
-     dest: /etc/ssh/sshd_config
-     regexp: "^Allow(Users|Groups)"
-     state: absent
-  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
-  notify: restart ssh
-
 - name: Set authorized keys for root user
   authorized_key:
     user: root
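Review bot: Switching a host from `sshd_allowgroup` to the AllowUsers path now leaves a stale `AllowGroups` line in sshd_config, because the removed (3/3) task was the only thing that deleted it and the new (1/2) task only writes `AllowUsers`; OpenSSH applies both directives, so a user listed in AllowUsers but not in the old group is locked out. Mirror what the block does for `AllowUsers` and strip `^AllowGroups` whenever `sshd_allowgroup` is not defined, as below. Separately, in the unchanged "Add allowed users to ssh group" task, `user:` with `groups:` and no `append: yes` replaces the user's supplementary groups, which would drop memberships such as the `adm`/`sudo` in `noc_groups` if those are applied elsewhere, and no `with_items`/`loop` is visible for its `{{ item }}`; both look pre-existing but are worth checking while this task list is being reworked.

```yaml
- name: "limit allowed users (1/2): Make sure AllowGroups is not in sshd_config"
  lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: "^AllowGroups"
     state: absent
  when: sshd_allowgroup is not defined
  notify: restart ssh

# … unchanged: "limit allowed users (1/2)" AllowUsers task and the sshd_allowgroup block …
```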