-
Notifications
You must be signed in to change notification settings - Fork 1
/
debian.yml
72 lines (63 loc) · 1.99 KB
/
debian.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
---
- name: install apt-transport-https for prerequisite
apt:
name: apt-transport-https
state: present
update_cache: yes
- name: import linyows/octopass key
apt_key:
id: 871257A0BC9106C4
url: https://packagecloud.io/linyows/octopass/gpgkey
state: present
- name: configure octopass apt repository
template:
src: linyows_octopass.list
dest: /etc/apt/sources.list.d/linyows_octopass.list
- name: install octopass
apt:
name: octopass
state: present
update_cache: yes
- name: configure octopass
template:
src: octopass.conf
dest: /etc/octopass.conf
owner: root
mode: 0644
- name: try octopass could get passwd
command: '/usr/bin/octopass passwd'
register: octopass_passwd
changed_when: False
failed_when: octopass_passwd.stdout == ''
- name: configure sshd
lineinfile:
path: /etc/ssh/sshd_config
line: '{{ item }}'
validate: '/usr/sbin/sshd -t -f %s'
with_items:
- 'AuthorizedKeysCommandUser root'
- 'AuthorizedKeysCommand /usr/bin/octopass'
- 'UsePAM yes'
- 'PasswordAuthentication no'
notify:
- restart sshd
- name: configure nss switch
lineinfile:
path: /etc/nsswitch.conf
regexp: '{{ item.regexp }}'
line: '{{ item.line }}'
backrefs: yes
with_items:
- {regexp: '^passwd:\s+(.*?)($|\soctopass$)', line: 'passwd: \1 octopass'}
- {regexp: '^shadow:\s+(.*?)($|\soctopass$)', line: 'shadow: \1 octopass'}
- {regexp: '^group: \s+(.*?)($|\soctopass$)', line: 'group: \1 octopass'}
- name: configure pam sshd
lineinfile:
path: /etc/pam.d/sshd
line: '{{ item.line }}'
state: '{{ item.state }}'
with_items:
- {line: '@include common-auth', state: 'absent'}
- {line: 'auth requisite pam_exec.so quiet expose_authtok /usr/bin/octopass pam', state: 'present'}
- {line: 'auth optional pam_unix.so not_set_pass use_first_pass nodelay', state: 'present'}
- {line: 'session required pam_mkhomedir.so skel: /etc/skel/ umask: 0022', state: 'present'}