diff --git a/roles/backuphost/tasks/main.yaml b/roles/backuphost/tasks/main.yaml
index 20f85cb..a424e67 100644
--- a/roles/backuphost/tasks/main.yaml
+++ b/roles/backuphost/tasks/main.yaml
@@ -1,3 +1,4 @@
+# TODO: Make backup user part of AD
 ---
 - name: "Add backup user"
   ansible.builtin.user:
@@ -5,40 +6,6 @@
     comment: Backup user
     shell: /bin/bash
 
-- name: "Dsiable service user"
-  ansible.builtin.user:
-    name: service-user
-    state: present
-    password_lock: true
-    shell: "/sbin/nologin"
-
-- name: Undefine AllowUsers
-  ansible.builtin.lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-
-- name: Check if AllowUsers is defined
-  ansible.builtin.lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  ansible.builtin.lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible backup"
-  when: checkallowusers.found == 0
-
-- name: "Restart sshd"
-  ansible.builtin.service:
-    name: sshd
-    state: restarted
-
 - name: Create .ssh directory of backup user
   ansible.builtin.file:
     path: /home/backup/.ssh
diff --git a/roles/common/tasks/ssh-security-settings.yaml b/roles/common/tasks/ssh-security-settings.yaml
index eb6d61e..adfee6c 100644
--- a/roles/common/tasks/ssh-security-settings.yaml
+++ b/roles/common/tasks/ssh-security-settings.yaml
@@ -1,10 +1,4 @@
 ---
-- name: Disable password authentication
-  ansible.builtin.replace:
-    path: /etc/ssh/sshd_config
-    regexp: 'PasswordAuthentication yes'
-    replace: 'PasswordAuthentication no'
-
 - name: Disable root authentication
   ansible.builtin.replace:
     path: /etc/ssh/sshd_config
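Review bot: Deleting the `Dsiable service user`, `Undefine AllowUsers` and `Define AllowUsers if undefined` tasks leaves the local `service-user` account and the `AllowUsers` line in /etc/ssh/sshd_config unmanaged rather than removed, so hosts that already converged keep `AllowUsers tormakris ansible backup` (which also keeps any domain account out) while freshly provisioned hosts get no allow-list at all. If the local account is being retired in favour of the domain one, keep a user task with `name: service-user` and `state: absent`, and keep a lineinfile with `regexp: '^AllowUsers'` and `state: absent` (or the intended new value) so every host ends in the same state. The sshd restart that went with those tasks is gone too, so a change to that line would no longer be picked up by this role.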
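Review bot: After removing `Disable password authentication`, nothing in this file sets `PasswordAuthentication` any more, so newly provisioned hosts keep the sshd default of accepting passwords while previously converged hosts keep `no`, and the diff does not show which of the two is intended. If domain password logins are wanted, a comment above `Disable root authentication` stating that would stop a later reviewer from re-adding the task; if not, a lineinfile with `regexp: '^#?PasswordAuthentication'` and `line: 'PasswordAuthentication no'` is the more reliable form, since the old `replace` only matched an explicit `PasswordAuthentication yes` and missed the commented default.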
@@ -23,22 +17,6 @@
     regexp: '#AddressFamily any'
     replace: 'AddressFamily inet'
 
-- name: Check if AllowUsers is defined
-  ansible.builtin.lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "intra.tormakris.dev"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  ansible.builtin.lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris@intra.tormakris.dev ansible@intra.tormakris.dev service-user@intra.tormakris.dev"
-  when: checkallowusers.found == 0
-
 - name: "Restart sshd"
   ansible.builtin.service:
     name: sshd
diff --git a/roles/common/tasks/user-ops.yaml b/roles/common/tasks/user-ops.yaml
index 3c65aec..172fdcd 100644
--- a/roles/common/tasks/user-ops.yaml
+++ b/roles/common/tasks/user-ops.yaml
@@ -1,5 +1,5 @@
 ---
-- name: Create .ssh directory of root user
+- name: Create .ssh directory of ansible user
   ansible.builtin.file:
     path: /home/ansible@intra.tormakris.dev/.ssh
     state: directory
diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml
index aabed20..55d95bb 100644
--- a/roles/docker/tasks/main.yaml
+++ b/roles/docker/tasks/main.yaml
@@ -24,7 +24,6 @@
 - name: "Add service user to docker group"
   ansible.builtin.user:
     name: service-user@intra.tormakris.dev
-    comment: Service user
     groups: docker
     append: yes
 
diff --git a/roles/realmd/tasks/main.yaml b/roles/realmd/tasks/main.yaml
index 787b609..12552cf 100644
--- a/roles/realmd/tasks/main.yaml
+++ b/roles/realmd/tasks/main.yaml
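Review bot: With the domain-user `AllowUsers` tasks gone, sshd on every common host has no account allow-list left, so any account sssd resolves can attempt a login; the same removal is made in roles/backuphost/tasks/main.yaml in this commit. If the intent is that sssd's `ad_access_filter` (which the realmd role now checks for) is the sole gate, a short comment saying so belongs here; otherwise an `AllowGroups linuxadmins@intra.tormakris.dev` line, matching the group the realmd role's sudoers task already trusts, keeps a host-side allow-list without per-user edits. The remaining `Restart sshd` task still runs `state: restarted` on every play; a handler notified by the replace tasks would restart sshd only when sshd_config actually changed.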
@@ -1,25 +1,4 @@
 ---
-- name: "Use custom Ubuntu mirror"
-  ansible.builtin.replace:
-    path: /etc/apt/sources.list
-    regexp: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
-    replace: 'https://mirror.niif.hu'
-    backup: yes
-
-- name: "Use custom Ubuntu mirror"
-  ansible.builtin.replace:
-    path: /etc/apt/sources.list
-    regexp: 'http://hu.archive.ubuntu.com'
-    replace: 'https://mirror.niif.hu'
-    backup: yes
-
-- name: "Update machine"
-  ansible.builtin.apt:
-    update_cache: yes
-    upgrade: "yes"
-    autoclean: yes
-    autoremove: yes
-
 - name: "Install realmd and dependencies"
   ansible.builtin.apt:
     update_cache: yes
@@ -36,15 +15,25 @@
       - oddjob-mkhomedir
       - packagekit
 
+- name: Check if computer is joined to domain
+  ansible.builtin.lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    line: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkjoined
+
 - name: "Get join password from local environment variable"
   ansible.builtin.set_fact:
     join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
   delegate_to: localhost
+  when: checkjoined.found == 0
 
 - name: Join to AD with realmd
   ansible.builtin.shell:
     cmd: echo {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev
-  ignore_errors: True
+  when: checkjoined.found == 0
 
 - name: Enable pam homedir create on first logon
   ansible.builtin.command:
@@ -102,9 +91,4 @@
     path: /etc/sudoers
     line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
   when: checksudoers.found == 0
-
-- name: "Restart ssh"
-  ansible.builtin.service:
-    name: sshd
-    state: restarted
 ...
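Review bot: In `Check if computer is joined to domain` the pattern is given as `line: "^ad_access_filter"`, which lineinfile matches as a literal string rather than a regular expression, so the anchored text never matches a real sssd.conf entry, `checkjoined.found` stays 0 and the join tasks run on every play; it should be `regexp: "^ad_access_filter"`, as the other check tasks in this repo use. On a host that has never joined, /etc/sssd/sssd.conf presumably does not exist yet, and lineinfile with `state: absent` exits early on a missing file — as far as I recall without a `found` key — so `when: checkjoined.found | default(0) == 0` on both conditions is the safer guard. The `set_fact` and `shell` tasks that carry `JOIN_PASSW` have no `no_log: true`, so the join password ends up in verbose output and any log aggregation, and the unquoted `echo {{ join_passw }}` breaks on shell metacharacters in the password; `echo {{ join_passw | quote }}` avoids that. The task list continues outside the hunk on both sides.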