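---
# Provisions restricted "jump" accounts: shell-less users whose SSH sessions
# are confined by a per-user Match block in sshd_config.
# sshd_jump_users is a dict keyed by user name; each value carries
# authorized_keys (a list) and optional tcp_forwarding / permit_open /
# permit_listen overrides (defaults are applied in the Match block below).
- name: load os/distrubtion/version specific variables
  # first_found fails the task when none of the candidate files exists;
  # presumably intended, since the role relies on per-distribution values.
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
  include_vars: "{{ item }}"

- name: add jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  user:
    name: "{{ item.key }}"
    # No interactive shell and no home directory: the account exists only
    # as an SSH endpoint for the forwarding permitted in sshd_config.
    shell: /bin/false
    home: "/nonexistent/{{ item.key }}"
    create_home: false

- name: create directory for authorized_keys
  # Root-owned, world-readable directory: sshd (running as root) can read
  # the per-user key files, and the jump users cannot add or replace them.
  file:
    path: /etc/ssh/authorized_keys.d
    mode: "0755"  # quoted: an unquoted leading-zero literal is octal in YAML 1.1
    state: directory

- name: install authorized_keys file for jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
  copy:
    content: "{{ item.value.authorized_keys | join('\n') }}\n"
    dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
    # root:<user> 0640 — the user can read but not modify its own key list.
    # Assumes a group named after the user exists (the user task above
    # creates one on systems with user-private groups) — confirm per distro.
    mode: "0640"
    owner: root
    group: "{{ item.key }}"

- name: create match user configs
  # One Match block per jump user. Everything except TCP forwarding is
  # disabled; ForceCommand together with PermitTTY no leaves the session
  # usable only as a forwarding endpoint. The defaults (AllowTcpForwarding
  # local, PermitOpen any) let a user reach any host this machine can reach;
  # set permit_open per user to narrow that. The blank line inside the
  # if/endif separates stanzas in the rendered config (Ansible's template
  # engine trims the newline after each block tag, so without it the
  # conditional emits nothing).
  blockinfile:
    marker: "# {mark} ansible core/sshd/jump"
    block: |
      {% for name, config in sshd_jump_users.items() %}
      Match User {{ name }}
      AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
      PasswordAuthentication no
      PermitTTY no
      X11Forwarding no
      PermitTunnel no
      GatewayPorts no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      ForceCommand /sbin/nologin
      AllowTcpForwarding {{ config.tcp_forwarding | default('local') }}
      PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
      PermitListen {{ config.permit_listen | default(['none']) | list | join(' ') }}
      {% if not loop.last %}

      {% endif %}
      {% endfor %}
    # Placed after the barrier line (presumably written by the base sshd
    # config tasks) so that global options precede the Match stanzas —
    # sshd applies everything after a Match line to that block.
    insertafter: "### ansible core/sshd/base config barrier ###"
    dest: /etc/ssh/sshd_config
  notify: restart ssh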