69 lines
2.0 KiB
YAML
69 lines
2.0 KiB
YAML
#SPDX-License-Identifier: MIT-0
|
|
---
|
|
# tasks file for roles/init-vps
|
|
# @TODO complete below tasks
|
|
- name: Checking whether administrative login used
|
|
when: ansible_user not in (admins | map(attribute="username") | list)
|
|
ansible.builtin.fail:
|
|
msg: Must use administrative user for subsequent tasks
|
|
- name: Setting approved SSH authentication procedures
|
|
when: harden and ansible_facts["system"] == "Linux"
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: sshd_config.d/auth.conf
|
|
dest: /etc/ssh/sshd_config.d/auth.conf
|
|
owner: root
|
|
group: root
|
|
mode: "644"
|
|
force: true
|
|
backup: true
|
|
validate: "sshd -t %s"
|
|
register: ssh_authenticator
|
|
tags:
|
|
- ssh_secure_auth
|
|
- name: Prohibiting SSH root login
|
|
when: harden and ansible_facts["system"] == "Linux"
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: sshd_config.d/denyroot.conf
|
|
dest: /etc/ssh/sshd_config.d/denyroot.conf
|
|
owner: root
|
|
group: root
|
|
mode: "644"
|
|
force: true
|
|
backup: true
|
|
validate: "sshd -t %s"
|
|
- name: Create groups for FTP services
|
|
when: "'sftp-server' in item.service or 'proftpd' in item.service or 'vsftpd' in item.service"
|
|
become: true
|
|
ansible.builtin.group:
|
|
name: "{{ item.username }}"
|
|
system: true
|
|
state: present
|
|
loop: "{{ sys_users }}"
|
|
register: ftp_groups
|
|
- name: Configuring SFTP for FTP group
|
|
when: ansible_facts["system"] == "Linux"
|
|
become: true
|
|
ansible.builtin.blockinfile:
|
|
# src: sshd_config.d/sftp.conf.j2
|
|
# dest: /etc/ssh/sshd_config.d/sftp.conf
|
|
path: /etc/ssh/sshd_config.d/sftp.conf
|
|
block: |
|
|
Match Group {{ item.name }}
|
|
ForceCommand internal-sftp -d /%u
|
|
ChrootDirectory /srv/{{ item.name}}
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
X11Forwarding no
|
|
append_newline: true
|
|
marker_begin: "BEGIN FTP GROUP SSH MATCH BLOCK"
|
|
create: true
|
|
owner: root
|
|
group: root
|
|
mode: "644"
|
|
backup: true
|
|
validate: "sshd -t %s"
|
|
state: present
|
|
loop: "{{ ftp_groups.results }}"
|
|
register: configured_sftp |