Refactor ansible-apply.yaml to include playbook_login.yml

This commit is contained in:
2024-09-29 11:42:32 +02:00
parent 5324ef7ec0
commit a03aca39df
11 changed files with 68 additions and 52 deletions
+2 -2
View File
@@ -86,7 +86,7 @@
- name: Configure login.defs
ansible.builtin.include_tasks: logindefs.yml
tags:
- roles::cis::logindefs
- roles::cis::logindefs
- name: Set limits
ansible.builtin.include_tasks: limits.yml
@@ -224,4 +224,4 @@
- name: Miscellaneous tasks after all handlers
ansible.builtin.include_tasks: post.yml
tags:
- always
- always
+25 -1
View File
@@ -13,6 +13,18 @@
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
loop: "{{ login_users }}"
- name: Disable password expiration
command: chage -M -1 "{{ item.username }}"
become: yes
when: item.password_expiration is defined and not item.password_expiration
loop: "{{ login_users }}"
- name: Disable password login
command: passwd -d "{{ item.username }}"
become: yes
when: item.password_disabled is defined and item.password_disabled
loop: "{{ login_users }}"
- name: "Add SSH Authorized key"
become: true
ansible.posix.authorized_key:
@@ -27,9 +39,21 @@
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ item.username }}"
content: |
{{ item.username }} ALL=(ALL) ALL
{{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
owner: root
group: root
mode: "0600"
when: item.sudoer is defined and item.sudoer
loop: "{{ login_users }}"
- name: Disable user history
become: true
ansible.builtin.copy:
dest: "/etc/profile.d/disable_history.sh"
content: |
#!/bin/bash
readonly PROMPT_COMMAND='history -a'
readonly HISTFILE=/dev/null
owner: root
group: root
mode: "0755"