initial commit
commit
5a5cdc94cc
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
users:
|
||||||
|
- { name: 'user', state: 'present', public_key: '' }
|
||||||
|
- { name: 'nouser', state: 'absent', public_key: '' }
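Review bot: The shipped default contains `- { name: 'nouser', state: 'absent', public_key: '' }`, so any host that does not override `users` will, on every run, have the `remove user` task from this commit (`user: state=absent remove=yes`) delete an account called `nouser` together with its home directory; defaults should be inert. Ship `users: []` and keep the example entries in a comment, e.g. `# users:` / `#   - { name: 'user', state: 'present', public_key: 'ssh-ed25519 …' }`. Stylistically, these are structured records and read better in block style (`- name: user` / `state: present` / `public_key: ''`) than as flow mappings.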
|
@ -0,0 +1,11 @@
|
|||||||
|
# molly-guard settings
|
||||||
|
#
|
||||||
|
# ALWAYS_QUERY_HOSTNAME
|
||||||
|
# when set, causes the 30-query-hostname script to always ask for the
|
||||||
|
# hostname, even if no SSH session was detected.
|
||||||
|
ALWAYS_QUERY_HOSTNAME=true
|
||||||
|
|
||||||
|
# USE_FQDN
|
||||||
|
# when set, causes the 30-query-hostname script to ask for the fully-qualified
|
||||||
|
# hostname, rather than the short name
|
||||||
|
#USE_FQDN=true
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
# - role: ssh_server
|
||||||
|
# tags: ['ssh', 'sshd']
|
||||||
|
- role: jnv.unattended-upgrades
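Review bot: `- role: jnv.unattended-upgrades` pulls a third-party Galaxy role with no version pin, so every `ansible-galaxy install` fetches whatever the upstream default branch holds at that moment and a compromised or merely broken upstream lands on every host this role manages. Pin it, `- role: jnv.unattended-upgrades` followed by `version: "<pinned-tag-or-commit>"`, and record the same pin in the project's requirements file if one exists. The commented-out `ssh_server` dependency lines should either be dropped or carry a comment saying why they are kept.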
|
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
- import_tasks: packages.yml
|
||||||
|
- include: sudo.yml
|
||||||
|
- include: molly-guard.yml
|
||||||
|
|
||||||
|
- include: user.yml user={{ users }}
|
||||||
|
tags: user
|
||||||
|
|
||||||
|
- name: adding message of the day
|
||||||
|
template:
|
||||||
|
dest: /etc/motd
|
||||||
|
src: "{{ motd_path }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
when: motd_path and motd_path != ''
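Review bot: `- include: user.yml user={{ users }}` passes a variable named `user` that user.yml (added in this same commit) never reads — every task there iterates `{{ users }}` and `item.*` — so the inline argument appears dead; drop it (`- import_tasks: user.yml`) or rename it if a `user` variable is genuinely expected. `include` is the legacy form, deprecated in favour of `import_tasks`/`include_tasks`, and the first line already uses `import_tasks`; use one form for all three includes so tag handling (`tags: user`) is uniform. `mode: 0644` is an unquoted leading-zero literal that YAML parses as the integer 420; Ansible usually still applies it correctly but warns, so write `mode: "0644"`.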
|
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
- name: install molly-guard
|
||||||
|
apt:
|
||||||
|
name: molly-guard
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: configure molly-guard
|
||||||
|
copy: dest=/etc/molly-guard/rc
|
||||||
|
src=molly-guard
|
||||||
|
owner=root group=root mode=0644
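Review bot: The `copy:` task is written as a multi-line `key=value` plain scalar, which is the legacy free-form module syntax and depends on YAML folding the three physical lines into one string; a single stray indentation change turns it into a mapping and breaks the task. The Ansible convention is native block YAML for module arguments, which also lets `mode` be a quoted string rather than a leading-zero literal. Rewriting the task as below preserves the same files and ownership.
```yaml
- name: configure molly-guard
  copy:
    src: molly-guard
    dest: /etc/molly-guard/rc
    owner: root
    group: root
    mode: "0644"
```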
|
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
- name: Update and upgrade apt packages
|
||||||
|
apt:
|
||||||
|
upgrade: 'yes'
|
||||||
|
update_cache: 'yes'
|
||||||
|
cache_valid_time: 86400 # One day
|
||||||
|
|
||||||
|
- name: install a default set of packages
|
||||||
|
package:
|
||||||
|
name:
|
||||||
|
- vim
|
||||||
|
- nano
|
||||||
|
- htop
|
||||||
|
- git
|
||||||
|
- tmux
|
||||||
|
- screen
|
||||||
|
- byobu
|
||||||
|
- ncdu
|
||||||
|
- moreutils
|
||||||
|
- apt-transport-https
|
||||||
|
- smartmontools
|
||||||
|
- zip
|
||||||
|
- unzip
|
||||||
|
- zsh
|
||||||
|
state: present
|
||||||
|
tags: packages
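Review bot: `update_cache: 'yes'` is a boolean parameter written as a quoted string; write `update_cache: true` so the value is a real boolean and yamllint's `truthy` rule stays quiet. `upgrade: 'yes'` is different — the apt module's `upgrade` argument takes a string choice, so the quotes there are correct and should stay, and a short comment `# 'yes' is an apt choice value, not a boolean` would stop the next reader from "fixing" it. The first task carries no tag while the second is tagged `packages`, so `--tags packages` installs the package list without the preceding upgrade; if that is intended, document it, otherwise tag both.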
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
- name: ensure sudo is installed
|
||||||
|
apt: name=sudo state=present
|
||||||
|
|
||||||
|
- name: allow sudo for users in the sudo group
|
||||||
|
lineinfile: "dest=/etc/sudoers state=present regexp='^%sudo' line='%sudo ALL=(ALL:ALL) NOPASSWD: ALL'"
|
||||||
|
|
||||||
|
- name: allow sudo to keep SSH_AUTH_SOCK env
|
||||||
|
lineinfile: "dest=/etc/sudoers state=present regexp='^Defaults.*env_keep.*SSH_AUTH_SOCK' line='Defaults env_keep += \"SSH_AUTH_SOCK\"'"
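Review bot: Both `lineinfile` tasks edit `/etc/sudoers` in place with no `validate:` argument, so a malformed `line=` (a typo, or the `\"SSH_AUTH_SOCK\"` escaping coming out differently than expected) is written straight into sudoers and every sudo invocation on the host fails until someone repairs it from a root console. Add `validate: '/usr/sbin/visudo -cf %s'` to both tasks, which makes Ansible reject the edit unless visudo accepts the candidate file; writing the rules to a file under `/etc/sudoers.d/` would contain the blast radius further. Note also that `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` replaces the stock password-requiring `%sudo` rule for every member of the group, which the `create user` task in user.yml adds all managed users to — a deliberate choice, but worth a one-line comment stating it.
```yaml
- name: allow sudo for users in the sudo group
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^%sudo'
    line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'
# … unchanged: SSH_AUTH_SOCK env_keep task, with the same validate line added …
```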
|
@ -0,0 +1,77 @@
|
|||||||
|
---
|
||||||
|
# remove user when remove variable is defined
|
||||||
|
- name: remove user
|
||||||
|
user: state=absent remove=yes
|
||||||
|
name={{ item.name }}
|
||||||
|
when: item.state == 'absent'
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
|
||||||
|
- name: get bash's path
|
||||||
|
shell: command -v bash
|
||||||
|
register: bash_path
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: create user
|
||||||
|
user: state=present
|
||||||
|
name="{{ item.name }}"
|
||||||
|
groups="sudo,adm" append=yes
|
||||||
|
shell={{ item.shell | default(bash_path.stdout) }}
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state != 'absent'
|
||||||
|
|
||||||
|
- name: add user's authorized_keys
|
||||||
|
authorized_key: user="{{ item.name }}" manage_dir=true key="{{ item.public_key }}"
|
||||||
|
state=present exclusive=yes
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
|
||||||
|
|
||||||
|
- name: add user to root's authorized_keys
|
||||||
|
authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
|
||||||
|
state=present
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state != 'absent' and item.public_key is defined and item.public_key != ''
|
||||||
|
|
||||||
|
- name: remove user from root's authorized_keys
|
||||||
|
authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
|
||||||
|
state=absent
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state == 'absent' and item.public_key is defined and item.public_key != ''
|
||||||
|
|
||||||
|
- name: create pve admin-group
|
||||||
|
shell:
|
||||||
|
cmd: 'pveum groupadd admin -comment "System Administrators"'
|
||||||
|
when: "'proxmox' in group_names"
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- name: give pve admin-group privileges
|
||||||
|
shell:
|
||||||
|
cmd: 'pveum aclmod / -group admin -role Administrator'
|
||||||
|
when: "'proxmox' in group_names"
|
||||||
|
|
||||||
|
- name: create pve user
|
||||||
|
shell:
|
||||||
|
cmd: 'pveum useradd {{ item.name }}@pam'
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state != 'absent' and 'proxmox' in group_names
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- name: disable pve user
|
||||||
|
shell:
|
||||||
|
cmd: 'pveum usermod {{ item.name }}@pam -enable 0'
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state == 'absent' and 'proxmox' in group_names
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- name: add user to pve admin group
|
||||||
|
shell:
|
||||||
|
cmd: 'pveum usermod {{ item.name }}@pam -group admin'
|
||||||
|
with_items:
|
||||||
|
- "{{ users }}"
|
||||||
|
when: item.state != 'absent' and 'proxmox' in group_names
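Review bot: `add user to root's authorized_keys` writes each user's key into root's file with `state=present` and no way to retire it short of the user going `absent`, so when a user rotates `public_key` the old key stays valid for direct root login indefinitely (the user's own file is protected by `exclusive=yes`, root's cannot be because it aggregates several users). Since every managed user already lands in the `sudo` group and sudo.yml grants that group `NOPASSWD: ALL`, the root copy adds no capability but does add an unmanaged credential; drop the two root-`authorized_key` tasks, or at minimum put a comment above them stating that rotated keys must be removed from root's `authorized_keys` by hand. The `pveum` tasks use `shell:` although none of the commands needs shell features, so `command:` is the safer module for a templated `{{ item.name }}`, and `ignore_errors: True` on three of them hides every failure — prefer `failed_when` on the specific "already exists" condition, and write the boolean as `ignore_errors: true` where it is kept.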
|