securiti

roles/common/tasks/user-ops.yaml

@@ -14,6 +14,22 @@
     owner: ansible@intra.tormakris.dev
     group: ansible@intra.tormakris.dev
 
+- name: Check if group is presend in sudoers
+  ansible.builtin.lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  ansible.builtin.lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
+
 - name: "Update authorized_keys of tormakris"
   ansible.posix.authorized_key:
     user: tormakris@intra.tormakris.dev

roles/realmd/tasks/main.yaml

@@ -103,65 +103,8 @@
     line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
   when: checksudoers.found == 0
 
-- name: Remove misconfig from sshd
+- name: "Restart ssh"
-  ansible.builtin.lineinfile:
+  ansible.builtin.service:
-    state: absent
+    name: sshd
-    path: /etc/ssh/sshd_config
+    state: restarted
-    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
-
-- name: Remove old AllowUsers
-  ansible.builtin.lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers tormakris ansible service-user"
-
-- name: Check if AllowUsers is defined
-  ansible.builtin.lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "intra.tormakris.dev"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  ansible.builtin.lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris@intra.tormakris.dev ansible@intra.tormakris.dev service-user@intra.tormakris.dev"
-  when: checkallowusers.found == 0
-
-- name: Create home for tormakris
-  ansible.builtin.command:
-    cmd: mkhomedir_helper tormakris@intra.tormakris.dev
-
-- name: Create home for tormakris
-  ansible.builtin.command:
-    cmd: rm -rf /home/tormakris@intra.tormakris.dev/tormakris
-
-- name: Copy tormakris home
-  ansible.builtin.copy:
-    src: /home/tormakris/
-    dest: /home/tormakris@intra.tormakris.dev/
-    remote_src: yes
-    owner: tormakris@intra.tormakris.dev
-    group: domain users@intra.tormakris.dev
-
-- name: Create home for ansible
-  ansible.builtin.command:
-    cmd: mkhomedir_helper ansible@intra.tormakris.dev
-
-- name: Copy ansible home
-  ansible.builtin.copy:
-    src: /home/ansible/
-    dest: /home/ansible@intra.tormakris.dev/
-    remote_src: yes
-    owner: tormakris@intra.tormakris.dev
-    group: domain users@intra.tormakris.dev
-
-- name: "Update authorized_keys of tormakris"
-  ansible.posix.authorized_key:
-    user: tormakris@intra.tormakris.dev
-    state: present
-    key: https://static.tormakristof.eu/ssh.keys
 ...