47 lines
1.0 KiB
YAML
47 lines
1.0 KiB
YAML
---
|
|
# Install and configure main LDAP tools
|
|
- include_tasks: install_ldap.yml
|
|
|
|
# Disable passwd and chsh
|
|
- name: Copy passwd and chsh scripts
|
|
template:
|
|
src: bin/passwd.j2
|
|
dest: "/usr/local/bin/{{ item }}"
|
|
mode: 0755
|
|
loop:
|
|
- chsh
|
|
- chsh.ldap
|
|
- passwd
|
|
|
|
- name: Filter SSH on groups
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: ^AllowGroups
|
|
line: "AllowGroups {{ ssh_allow_groups }}"
|
|
state: present
|
|
|
|
- name: Configure sudoers
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/etc/{{ item }}"
|
|
mode: 0440
|
|
loop:
|
|
- sudoers.d/custom_passprompt
|
|
- sudoers.d/group_privilege
|
|
- sudoers
|
|
|
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
|
|
- name: Ensure home directories are created upon login
|
|
lineinfile:
|
|
dest: /etc/pam.d/common-account
|
|
regexp: 'pam_mkhomedir\.so'
|
|
line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
|
|
|
|
# If LDAP crashes
|
|
- name: Install SSH keys for root account
|
|
authorized_key:
|
|
user: root
|
|
key: "{{ ssh_pub_keys }}"
|
|
state: present
|
|
exclusive: true
|