initial commit
Simeon Keske
4 years ago
commit
5a5cdc94cc
@ -0,0 +1,4 @@
|
||||
---
|
||||
users:
|
||||
- { name: 'user', state: 'present', public_key: '' }
|
||||
- { name: 'nouser', state: 'absent', public_key: '' }
|
||||
@ -0,0 +1,11 @@
|
||||
# molly-guard settings
|
||||
#
|
||||
# ALWAYS_QUERY_HOSTNAME
|
||||
# when set, causes the 30-query-hostname script to always ask for the
|
||||
# hostname, even if no SSH session was detected.
|
||||
ALWAYS_QUERY_HOSTNAME=true
|
||||
|
||||
# USE_FQDN
|
||||
# when set, causes the 30-query-hostname script to ask for the fully-qualified
|
||||
# hostname, rather than the short name
|
||||
#USE_FQDN=true
|
||||
@ -0,0 +1,5 @@
|
||||
---
|
||||
dependencies:
|
||||
# - role: ssh_server
|
||||
# tags: ['ssh', 'sshd']
|
||||
- role: jnv.unattended-upgrades
|
||||
@ -0,0 +1,16 @@
|
||||
---
|
||||
- import_tasks: packages.yml
|
||||
- include: sudo.yml
|
||||
- include: molly-guard.yml
|
||||
|
||||
- include: user.yml user={{ users }}
|
||||
tags: user
|
||||
|
||||
- name: adding message of the day
|
||||
template:
|
||||
dest: /etc/motd
|
||||
src: "{{ motd_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
when: motd_path and motd_path != ''
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: install molly-guard
|
||||
apt:
|
||||
name: molly-guard
|
||||
state: present
|
||||
|
||||
- name: configure molly-guard
|
||||
copy: dest=/etc/molly-guard/rc
|
||||
src=molly-guard
|
||||
owner=root group=root mode=0644
|
||||
@ -0,0 +1,26 @@
|
||||
---
|
||||
- name: Update and upgrade apt packages
|
||||
apt:
|
||||
upgrade: 'yes'
|
||||
update_cache: 'yes'
|
||||
cache_valid_time: 86400 # One day
|
||||
|
||||
- name: install a default set of packages
|
||||
package:
|
||||
name:
|
||||
- vim
|
||||
- nano
|
||||
- htop
|
||||
- git
|
||||
- tmux
|
||||
- screen
|
||||
- byobu
|
||||
- ncdu
|
||||
- moreutils
|
||||
- apt-transport-https
|
||||
- smartmontools
|
||||
- zip
|
||||
- unzip
|
||||
- zsh
|
||||
state: present
|
||||
tags: packages
|
||||
@ -0,0 +1,9 @@
|
||||
---
|
||||
- name: ensure sudo is installed
|
||||
apt: name=sudo state=present
|
||||
|
||||
- name: allow sudo for users in the sudo group
|
||||
lineinfile: "dest=/etc/sudoers state=present regexp='^%sudo' line='%sudo ALL=(ALL:ALL) NOPASSWD: ALL'"
|
||||
|
||||
- name: allow sudo to keep SSH_AUTH_SOCK env
|
||||
lineinfile: "dest=/etc/sudoers state=present regexp='^Defaults.*env_keep.*SSH_AUTH_SOCK' line='Defaults env_keep += \"SSH_AUTH_SOCK\"'"
|
||||
@ -0,0 +1,77 @@
|
||||
---
|
||||
# remove user when remove variable is defined
|
||||
- name: remove user
|
||||
user: state=absent remove=yes
|
||||
name={{ item.name }}
|
||||
when: item.state == 'absent'
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
|
||||
- name: get bash's path
|
||||
shell: command -v bash
|
||||
register: bash_path
|
||||
changed_when: false
|
||||
|
||||
- name: create user
|
||||
user: state=present
|
||||
name="{{ item.name }}"
|
||||
groups="sudo,adm" append=yes
|
||||
shell={{ item.shell | default(bash_path.stdout) }}
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state != 'absent'
|
||||
|
||||
- name: add user's authorized_keys
|
||||
authorized_key: user="{{ item.name }}" manage_dir=true key="{{ item.public_key }}"
|
||||
state=present exclusive=yes
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
|
||||
|
||||
- name: add user to root's authorized_keys
|
||||
authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
|
||||
state=present
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
|
||||
|
||||
- name: remove user from root's authorized_keys
|
||||
authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
|
||||
state=absent
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state == 'absent' and item.public_key is defined and item.public_key != ''
|
||||
|
||||
- name: create pve admin-group
|
||||
shell:
|
||||
cmd: 'pveum groupadd admin -comment "System Administrators"'
|
||||
when: "'proxmox' in group_names"
|
||||
ignore_errors: True
|
||||
|
||||
- name: give pve admin-group privileges
|
||||
shell:
|
||||
cmd: 'pveum aclmod / -group admin -role Administrator'
|
||||
when: "'proxmox' in group_names"
|
||||
|
||||
- name: create pve user
|
||||
shell:
|
||||
cmd: 'pveum useradd {{ item.name }}@pam'
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state != 'absent' and 'proxmox' in group_names
|
||||
ignore_errors: True
|
||||
|
||||
- name: disable pve user
|
||||
shell:
|
||||
cmd: 'pveum usermod {{ item.name }}@pam -enable 0'
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state == 'absent' and 'proxmox' in group_names
|
||||
ignore_errors: True
|
||||
|
||||
- name: add user to pve admin group
|
||||
shell:
|
||||
cmd: 'pveum usermod {{ item.name }}@pam -group admin'
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
when: item.state != 'absent' and 'proxmox' in group_names
|
||||
Loading…
Reference in New Issue