diff options
author | binary <me@rgoncalves.se> | 2020-09-08 18:41:59 +0200 |
---|---|---|
committer | binary <me@rgoncalves.se> | 2020-09-08 18:41:59 +0200 |
commit | eff2fccc90b7b00e723a8f47d37649ebb5cf1060 (patch) | |
tree | 1f359d2e957e9b7a9f23cb57007769bed64d9fdf /roles/setup_security | |
parent | 67b3a99074566ed09f2f30fb035b7b529dca8aab (diff) | |
download | infrastructure-eff2fccc90b7b00e723a8f47d37649ebb5cf1060.tar.gz |
added sshd, doas handling
Diffstat (limited to 'roles/setup_security')
-rw-r--r-- | roles/setup_security/files/doas.conf | 2 | ||||
-rw-r--r-- | roles/setup_security/tasks/main.yml | 43 |
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf new file mode 100644 index 0000000..cf3a9d0 --- /dev/null +++ b/roles/setup_security/files/doas.conf @@ -0,0 +1,2 @@ +permit keepenv nopass puffy as root +permit keepenv nopass root diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml index 7d29cf5..36844c3 100644 --- a/roles/setup_security/tasks/main.yml +++ b/roles/setup_security/tasks/main.yml @@ -20,3 +20,46 @@ group: name: pi state: absent + +- name: Apply syspatch for system type = {{ ansible_distribution }} + syspatch: + apply: true + when: inventory_hostname in groups["openbsd"] + +- name: Add puffy account for system type = {{ ansible_distribution }} + user: + name: puffy + group: wheel + when: inventory_hostname in groups["openbsd"] + +- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }} + copy: + src: "{{ role_path }}/files/doas.conf" + dest: "/etc/doas.conf" + +- name: Copy ssh key for puffy account + authorized_key: + user: puffy + state: present + key: "{{ item }}" + with_file: + - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh" + +- name: Copy ssh key for root account + authorized_key: + user: root + state: present + key: "{{ item }}" + with_file: + - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh" + +- name: Disable password login in sshd_config + lineinfile: + path: /etc/ssh/sshd_config + regexp: "PasswordAuthentication" + line: "PasswordAuthentication no" + +- name: Restart sshd daemon + service: + name: sshd + state: restarted |