authorbinary <me@rgoncalves.se>2020-09-08 18:41:59 +0200
committerbinary <me@rgoncalves.se>2020-09-08 18:41:59 +0200
commiteff2fccc90b7b00e723a8f47d37649ebb5cf1060 (patch)
tree1f359d2e957e9b7a9f23cb57007769bed64d9fdf /roles/setup_security
parent67b3a99074566ed09f2f30fb035b7b529dca8aab (diff)
added sshd, doas handling
Diffstat (limited to 'roles/setup_security')
-rw-r--r--roles/setup_security/files/doas.conf2
-rw-r--r--roles/setup_security/tasks/main.yml43
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf
new file mode 100644
index 0000000..cf3a9d0
--- /dev/null
+++ b/roles/setup_security/files/doas.conf
@@ -0,0 +1,2 @@
+permit keepenv nopass puffy as root
+permit keepenv nopass root
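Review bot: `permit keepenv nopass puffy as root` makes the puffy account an unauthenticated path to root, so the single SSH key installed for puffy elsewhere in this commit is the whole boundary between remote access and uid 0. Unless passwordless escalation is a deliberate trade-off for unattended Ansible runs, prefer `permit persist puffy as root` (password prompt, cached for a few minutes) and replace `keepenv` with a `setenv { ... }` list of the variables actually needed, since `keepenv` hands the caller's entire environment, presumably including PATH, to the root process. The second rule `permit keepenv nopass root` only matters to a process that is already root; if it is kept, say why in a comment above it, e.g. `# root may doas to other users without a password (used by automation)`. If `nopass` for puffy is intentional, document that too so the next reader does not "fix" it.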
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
index 7d29cf5..36844c3 100644
--- a/roles/setup_security/tasks/main.yml
+++ b/roles/setup_security/tasks/main.yml
@@ -20,3 +20,46 @@
group:
name: pi
state: absent
+
+- name: Apply syspatch for system type = {{ ansible_distribution }}
+ syspatch:
+ apply: true
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Add puffy account for system type = {{ ansible_distribution }}
+ user:
+ name: puffy
+ group: wheel
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
+ copy:
+ src: "{{ role_path }}/files/doas.conf"
+ dest: "/etc/doas.conf"
+
+- name: Copy ssh key for puffy account
+ authorized_key:
+ user: puffy
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Copy ssh key for root account
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Disable password login in sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "PasswordAuthentication"
+ line: "PasswordAuthentication no"
+
+- name: Restart sshd daemon
+ service:
+ name: sshd
+ state: restarted
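Review bot: Setting only `PasswordAuthentication no` does not stop password logins on OpenBSD's sshd, because keyboard-interactive authentication (`ChallengeResponseAuthentication`, spelled `KbdInteractiveAuthentication` in newer releases) is enabled by default and checks the same account passwords through bsd_auth, so the `Disable password login in sshd_config` task should set both directives. The unanchored `regexp: "PasswordAuthentication"` also matches the stock commented `#PasswordAuthentication yes` line, and if the file ends with a `Match` block an appended directive lands inside that block; an anchored pattern, `insertbefore: '^Match'` and `validate: /usr/sbin/sshd -t -f %s` before the unconditional `Restart sshd daemon` task avoid locking yourself out of the host with a broken config. The doas.conf copy and both `authorized_key` tasks lack the `when: inventory_hostname in groups["openbsd"]` guard the preceding tasks use, so they run on every host and the puffy one fails wherever that account was never created. The root `authorized_key` looks redundant once puffy can escalate via doas, and an SSH-reachable root account is presumably not wanted. The doas.conf copy would also benefit from `owner: root`, `mode: "0600"` and `validate: 'doas -C %s'` so a syntax error is rejected before it breaks every escalation on the box.
```yaml
- name: Disable password and keyboard-interactive login in sshd_config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item.key }}\b'
    line: "{{ item.key }} {{ item.value }}"
    insertbefore: '^Match'
    firstmatch: true
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: ChallengeResponseAuthentication, value: "no" }
  when: inventory_hostname in groups["openbsd"]

# … unchanged: Restart sshd daemon task …
```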