-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathusers.yml
146 lines (125 loc) · 3.97 KB
/
users.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
##### USER ACCOUNTS ####
- name: enable local login for root and current user account
user:
name: "{{ item }}"
password_lock: no
with_items:
- "root"
- "{{ ansible_user }}"
- name: copy login.defs (umask and password aging)
template:
src: etc_login.defs.j2
dest: /etc/login.defs
mode: "0600"
- name: set shadow file owner to root and mode to 0600
file:
path: /etc/shadow
owner: root
group: root
mode: "0600"
- name: set permissions/mode of ansible user and root home directories to 0700
file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner }}"
group: "{{ item.owner }}"
mode: "0700"
with_items:
- path: "{{ ansible_env.HOME }}"
owner: "{{ ansible_user }}"
- path: /root
owner: root
- name: create additional user accounts
user:
name: "{{ item.name }}"
comment: "{{ item.comment | default('') }}"
create_home: "{{ item.create_home | default(True) }}"
home: "{{ item.home | default('/home/' + item.name) }}"
groups: "{{ item.groups | default() }}"
append: "{{ item.append | default(True) }}"
generate_ssh_key: "{{ item.generate_ssh_key | default(True) }}"
password: "{{ (item.password | password_hash('sha512')) if item.password is defined else '' }}"
update_password: "{{ item.update_password | default('on_create') }}"
with_items: "{{ linux_users }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: authorize SSH keys for additional user accounts
authorized_key:
user: "{{ item.0.name }}"
key: "{{ lookup('file', item.1) }}"
loop: "{{ q('subelements', linux_users, 'ssh_authorized_keys', {'skip_missing': True}) }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: allow users to run specific commands as root without password
template:
src: etc_sudoers.d_nopasswd.j2
dest: /etc/sudoers.d/nopasswd
mode: "0440"
- name: configure sudo to run processes in a pseudo-terminal
template:
src: etc_sudoers.d_use-pty.j2
dest: /etc/sudoers.d/use-pty
mode: "0440"
##### SFTP #####
# chrooted users home directories must be owned by root:$USER
- name: set sftponly home directories ownership
file:
path: "{{ item.home }}"
owner: "root"
group: "{{ item.name }}"
mode: "0750"
when:
- item.groups is defined
- '"sftponly" in item.groups'
with_items: "{{ linux_users }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: create writeable subdirectory in sftponly users homes
file:
state: directory
path: "{{ item.home }}/{{ item.name }}"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: "0770"
when:
- item.groups is defined
- '"sftponly" in item.groups'
with_items: "{{ linux_users }}"
##### PAM/LOGIND #####
- name: configure the pam_limits module
template:
src: etc_security_limits.conf.j2
dest: /etc/security/limits.conf
owner: root
group: root
mode: "0600"
# remove libpam-ccreds to disable password caching (prevents connections using cached LDAP credentials, when no connection to the LDAP server is not available)
# add libpam-tmpdir to use per-user temporary directories
- name: install/remove PAM modules
apt:
state: "{{ item.state }}"
package: "{{ item.name }}"
with_items:
- { name: 'libpam-ccreds', state: 'absent' }
- { name: 'libpam-tmpdir', state: 'present' }
notify: update pam configuration
- name: configure systemd-logind
template:
src: etc_systemd_logind.conf.j2
dest: /etc/systemd/logind.conf
owner: root
group: root
mode: "0644"
notify: restart systemd-logind
# update pam configuration, restart systemd-logind
- name: apply configuration (flush handlers)
meta: flush_handlers
- name: configure bash to terminate sessions after 15 minutes of idle
template:
src: etc_profile.d_tmout.sh.j2
dest: /etc/profile.d/tmout.sh
mode: "0755"
owner: root
group: root
##### OTHER ####
- name: mask debug-shell systemd service
systemd:
name: debug-shell.service
masked: yes