From eff2fccc90b7b00e723a8f47d37649ebb5cf1060 Mon Sep 17 00:00:00 2001
From: binary
Date: Tue, 8 Sep 2020 18:41:59 +0200
Subject: added sshd, doas handling
---
 roles/setup_security/files/doas.conf | 2 ++
 roles/setup_security/tasks/main.yml | 43 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 roles/setup_security/files/doas.conf
(limited to 'roles/setup_security')
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf
new file mode 100644
index 0000000..cf3a9d0
--- /dev/null
+++ b/roles/setup_security/files/doas.conf
@@ -0,0 +1,2 @@
+permit keepenv nopass puffy as root
+permit keepenv nopass root
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
index 7d29cf5..36844c3 100644
--- a/roles/setup_security/tasks/main.yml
+++ b/roles/setup_security/tasks/main.yml
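Review bot: `permit keepenv nopass puffy as root` removes the password check from the puffy-to-root escalation, so possession of the single SSH key that tasks/main.yml installs for puffy is equivalent to root on every host this file lands on, and `keepenv` carries the caller's environment unchanged into the root command. For an interactively used admin account, `permit persist puffy as root` keeps the password prompt while caching it for the session, and if specific variables are genuinely needed, `setenv { VAR }` is narrower than `keepenv`. If `nopass` is deliberate because puffy is the unattended Ansible account, a comment recording that decision, e.g. `# nopass: puffy is the Ansible service account; its SSH key is the only credential, keep it offline-protected`, would tell the next reader why the rule is this permissive.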
@@ -20,3 +20,46 @@
 group:
 name: pi
 state: absent
+
+- name: Apply syspatch for system type = {{ ansible_distribution }}
+ syspatch:
+ apply: true
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Add puffy account for system type = {{ ansible_distribution }}
+ user:
+ name: puffy
+ group: wheel
+ when: inventory_hostname in groups["openbsd"]
+
+- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
+ copy:
+ src: "{{ role_path }}/files/doas.conf"
+ dest: "/etc/doas.conf"
+
+- name: Copy ssh key for puffy account
+ authorized_key:
+ user: puffy
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Copy ssh key for root account
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
+
+- name: Disable password login in sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "PasswordAuthentication"
+ line: "PasswordAuthentication no"
+
+- name: Restart sshd daemon
+ service:
+ name: sshd
+ state: restarted
--
cgit v1.2.3
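Review bot: `regexp: "PasswordAuthentication"` in the "Disable password login in sshd_config" task is unanchored, so lineinfile rewrites the last line anywhere in sshd_config containing that word, which may be an entry inside a `Match` block rather than the global setting, and nothing in the task guards against a bad edit locking the host out before the unconditional `Restart sshd daemon` runs. Setting PasswordAuthentication alone also does not stop password logins on OpenBSD as far as I can tell, because keyboard-interactive (bsd_auth) authentication stays enabled by default and prompts for the same password, so a companion `ChallengeResponseAuthentication no` (newer OpenSSH documents the same setting as `KbdInteractiveAuthentication`) is needed. Anchoring the regexp with `^#?`, adding `validate: "/usr/sbin/sshd -t -f %s"`, and triggering the restart via `notify` from a handler instead of an always-restart task addresses all three; the rewritten tasks are below. Separately, the `copy` of doas.conf neither carries the `when: inventory_hostname in groups["openbsd"]` guard its name implies nor sets ownership or mode, and doas rejects a config that is not owned by root or is group/other writable, so `owner: root`, `group: wheel`, `mode: "0600"` and `validate: "doas -C %s"` would make that contract explicit and fail early.

```yaml
# … unchanged: syspatch, puffy user, doas.conf copy and authorized_key tasks …
- name: Disable password login in sshd_config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart sshd daemon

- name: Disable keyboard-interactive (password) login in sshd_config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?ChallengeResponseAuthentication"
    line: "ChallengeResponseAuthentication no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart sshd daemon
# … the "Restart sshd daemon" service task moves to the role's handlers …
```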