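# SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
#
# Variables this file reads but does not define (declared elsewhere in
# the role; shapes inferred from usage here):
#   admins    - list of mappings with a "username" key; the connecting
#               user must be one of them before anything else runs.
#   harden    - boolean gate for the sshd hardening drop-ins.
#   sys_users - list of mappings with "username" and "service" keys.
#
# The copy/blockinfile tasks only write drop-ins under
# /etc/ssh/sshd_config.d; none of them notifies a handler, so a running
# sshd keeps its old configuration until something reloads it.
# NOTE(review): the registered results (ssh_authenticator,
# configured_sftp) are presumably consumed by a later reload/restart
# task -- confirm.
#
# @TODO complete below tasks

- name: Checking whether administrative login used
  # Fail fast: every task below escalates privileges, so refuse to go on
  # unless the SSH login user is one of the declared admins.
  # NOTE(review): ansible_user is assumed to be set explicitly; an
  # undefined ansible_user also aborts the play here, just with a
  # templating error instead of this message -- confirm that is intended.
  when: ansible_user not in (admins | map(attribute="username") | list)
  ansible.builtin.fail:
    msg: Must use administrative user for subsequent tasks

- name: Setting approved SSH authentication procedures
  when: harden and ansible_facts["system"] == "Linux"
  become: true
  ansible.builtin.copy:
    src: sshd_config.d/auth.conf
    dest: /etc/ssh/sshd_config.d/auth.conf
    owner: root
    group: root
    mode: "0644"
    force: true
    backup: true
    # The staged file must be passed with -f; without it sshd -t checks
    # the system configuration rather than the file about to be installed,
    # so the validation would not exercise the new drop-in at all.
    # NOTE(review): relies on sshd being on the become user's PATH
    # (usually /usr/sbin) -- confirm for the target distributions.
    validate: "sshd -t -f %s"
  register: ssh_authenticator
  tags:
    - ssh_secure_auth

- name: Prohibiting SSH root login
  when: harden and ansible_facts["system"] == "Linux"
  become: true
  ansible.builtin.copy:
    src: sshd_config.d/denyroot.conf
    dest: /etc/ssh/sshd_config.d/denyroot.conf
    owner: root
    group: root
    mode: "0644"
    force: true
    backup: true
    # Same -f requirement as the auth.conf task above.
    validate: "sshd -t -f %s"

- name: Create groups for FTP services
  # One system group per user whose service list names an FTP/SFTP
  # daemon; the per-item results are reused by the next task.
  when: "'sftp-server' in item.service or 'proftpd' in item.service or 'vsftpd' in item.service"
  become: true
  ansible.builtin.group:
    name: "{{ item.username }}"
    system: true
    state: present
  loop: "{{ sys_users }}"
  register: ftp_groups

- name: Configuring SFTP for FTP group
  # Results for items the previous task skipped carry no "name" key;
  # filter them out here instead of failing while templating the block.
  when: ansible_facts["system"] == "Linux" and item.name is defined
  become: true
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config.d/sftp.conf
    # The marker has to be unique per group: blockinfile replaces whatever
    # sits between an existing begin/end marker pair, so a marker shared by
    # every loop iteration would leave only the last group's Match block.
    marker: "# {mark} FTP GROUP SSH MATCH BLOCK {{ item.name }}"
    # NOTE(review): sshd requires ChrootDirectory and every path component
    # above it to be root-owned and not writable by any other user or
    # group; nothing visible in this file creates /srv/<group> -- confirm
    # it is provisioned elsewhere.
    block: |
      Match Group {{ item.name }}
          ForceCommand internal-sftp -d /%u
          ChrootDirectory /srv/{{ item.name }}
          AllowAgentForwarding no
          AllowTcpForwarding no
          X11Forwarding no
    append_newline: true
    create: true
    owner: root
    group: root
    mode: "0644"
    backup: true
    # Validates the drop-in on its own. NOTE(review): a Match block in an
    # included fragment extends over any global directive that follows the
    # Include line in the main sshd_config; this standalone check cannot
    # detect that, so a full "sshd -t" after all drop-ins are in place is
    # worth adding -- confirm against the target sshd_config layout.
    validate: "sshd -t -f %s"
    state: present
  loop: "{{ ftp_groups.results }}"
  register: configured_sftp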