---
# tasks file for ssh
# Dedicated primary group per account, named after the user.  Always
# `present`: unlike the user task, which takes its state from
# ssh_item.state, nothing here removes a group, so the group of a
# removed user is left behind.
- name: Add group
  ansible.builtin.group:
    name: '{{ ssh_item.name }}'
    state: present
  loop_control:
    loop_var: ssh_item
  loop: '{{ ssh_users }}'

# Login account with its own primary group (created by the group task
# above) and a bash login shell; presence is driven per entry by
# ssh_item.state.  The module's `remove` option is left at its default
# (false), so removing an account does not delete its home directory.
- name: Add user
  ansible.builtin.user:
    name: '{{ ssh_item.name }}'
    group: '{{ ssh_item.name }}'
    home: '/home/{{ ssh_item.name }}'
    create_home: true
    shell: /bin/bash
    state: '{{ ssh_item.state }}'
  loop_control:
    loop_var: ssh_item
  loop: '{{ ssh_users }}'

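# One authorized_keys update per user, with all of the entry's `keys`
# joined into a single newline-separated key string.  This is what makes
# `exclusive` safe: the module applies exclusive per call, not per loop,
# so iterating over subelements('keys') with exclusive set leaves only the
# LAST key of a multi-key user in authorized_keys and silently drops the
# rest.  Entries with an empty key list are skipped (as they were with
# subelements); without the `when`, an empty key string combined with
# exclusive would remove every key the user has.
# ssh_item['keys'] is used rather than ssh_item.keys, which Jinja would
# resolve to the dict method instead of the list.
# NOTE(review): for entries whose state is absent the account has already
# been removed by the user task above and the module can no longer
# resolve the user -- confirm whether such entries should be skipped here.
- name: Add authorized_key
  ansible.posix.authorized_key:
    user: '{{ ssh_item.name }}'
    key: '{{ ssh_item["keys"] | map(attribute="key") | join("\n") }}'
    exclusive: '{{ ssh_item.exclusive }}'
    state: '{{ ssh_item.state }}'
  loop: '{{ ssh_users }}'
  loop_control:
    loop_var: ssh_item
  when: "ssh_item['keys'] | length > 0"
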
# Render the sudoers drop-in from the role template.  0440 root:root is
# the ownership and mode sudo requires for files under /etc/sudoers.d;
# `validate` runs visudo in check mode on Ansible's temporary copy (%s)
# before it is moved into place, so a syntax error never replaces the
# live file.  src and dest keep the file name used in the role's
# templates directory.
- name: Add sudoer rule for local user
  ansible.builtin.template:
    dest: /etc/sudoers.d/10_allowed_suoders
    src: templates/10_allowed_suoders.j2
    mode: '0440'
    owner: root
    group: root
    validate: /usr/sbin/visudo -csf %s

# Hardened sshd settings installed as a drop-in under sshd_config.d.
# NOTE(review): the drop-in is only read where the main sshd_config
# includes that directory -- confirm on the target's OpenSSH version.
# `validate` runs `sshd -t` on the temporary copy before it is installed;
# that checks the fragment on its own, not the merged configuration, so
# a conflict with the main sshd_config would only surface when the
# notified handler reloads the service.
- name: Add hardened SSH config
  ansible.builtin.template:
    dest: /etc/ssh/sshd_config.d/00-sshd.conf
    src: templates/00-sshd.conf.j2
    mode: '0600'
    owner: root
    group: root
    validate: /usr/sbin/sshd -t -f %s
  notify: Reload SSH

# System-wide bash profile snippet, copied verbatim from the role's files
# directory.  Root-owned and world-readable (0644): every login shell
# sources /etc/profile.d/*.sh, so it must not be writable by others.
- name: Set bash profile
  ansible.builtin.copy:
    dest: /etc/profile.d/00-bash.sh
    src: files/profile.d/00-bash.sh
    mode: '0644'
    owner: root
    group: root

# Site-wide vim defaults, copied verbatim from the role's files directory.
# NOTE(review): /etc/vim/vimrc.local is the Debian-family location --
# confirm the target distribution reads it.
- name: Set vim config
  ansible.builtin.copy:
    dest: /etc/vim/vimrc.local
    src: files/vim/vimrc.local
    mode: '0644'
    owner: root
    group: root
