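---
# Ansible play: sshd/SFTP setup for chrooted SFTP accounts.
#
# Variables expected from inventory / extra vars (not defined in this file):
#   SSHDCFG - path of the sshd configuration file this play edits
#   users   - list of dicts with the keys name, gruppe, comment, datadir,
#             ssh_key and an optional password. An entry whose name equals
#             its gruppe is a "Master" (owner of the group); every other
#             entry is a "Kunde" (customer) whose home lives below the
#             master's home directory.
#
# All home and dev directories are created root-owned and 0755 because sshd
# only accepts a ChrootDirectory that is owned by root and not writable by
# anyone else.
- hosts: servers
  gather_facts: true
  become: true
  become_user: root
  tasks:
    #==========================================================================#
    ### sshd/SFTP configuration - beginning
    #--------------------------------------------------------------------------#
    ### The last section is removed first because it always has to stay at the
    ### very end of the file, while further lines still need to be added
    ### (inserted) above it. It is appended again at the end of the play.
    # 330
    # Remove the security section
    - name: Textblock aus der Datei entfernen
      ansible.builtin.blockinfile:
        path: "{{ SSHDCFG }}"
        marker: "# {mark} Sicherheitssektion"
        block: ""
        state: absent

    #----------------------------------------------------------------------#
    ### The SFTP subsystem has to be switched to internal-sftp
    - name: SFTP-User umask 0002
      ansible.builtin.lineinfile:
        path: "{{ SSHDCFG }}"
        # Replace an already present "Subsystem sftp ..." line instead of
        # appending a second one: sshd refuses a configuration in which the
        # same subsystem is defined twice.
        regexp: '^\s*Subsystem\s+sftp\b'
        line: Subsystem sftp internal-sftp -u 002 -l VERBOSE
        create: true

    #--------------------------------------------------------------------------#
    # SFTP log
    #--------------------------------------------------------------------------#
    # 350
    # sshd/SFTP - check and configure if necessary
    # NOTE(review): the three lines below are rsyslog filter directives, not
    # sshd options. If SSHDCFG points at sshd_config, sshd will reject its
    # configuration ("Bad configuration option") on restart - confirm the
    # intended target file.
    - name: SFTP - logadmin einrichten
      ansible.builtin.lineinfile:
        path: "{{ SSHDCFG }}"
        line: "{{ item }}"
        create: true
      loop:
        - '# Log internal-sftp in a separate file'
        - ':programname, isequal, "internal-sftp" -/var/log/sftp.log'
        - ':programname, isequal, "internal-sftp" ~'

    #--------------------------------------------------------------------------#
    # 365
    # Dedicated, chrooted user for reading the logs
    # NOTE(review): "$AddUnixListenSocket" is an rsyslog (imuxsock) directive
    # and belongs in the rsyslog configuration, see the note above; the
    # "Match user logadmin" block itself is valid sshd syntax.
    - name: SFTP - SSHD-CFG für logadmin
      ansible.builtin.lineinfile:
        path: "{{ SSHDCFG }}"
        line: "{{ item }}"
        create: true
      loop:
        - '# Create an additional socket for some of the sshd chrooted users.'
        - '$AddUnixListenSocket /home/logadmin/dev/log'
        - '#========================================================================#'
        - 'Match user logadmin'
        - ' ChrootDirectory %h'
        - ' X11Forwarding no'
        - ' AllowTcpForwarding no'
        - ' ForceCommand internal-sftp -l VERBOSE'

    #==========================================================================#
    ### sshd/SFTP configuration - middle
    #--------------------------------------------------------------------------#
    ### Master: item['name'] == item['gruppe']
    - name: Master-Gruppe anlegen
      ansible.builtin.group:
        name: "{{ item['gruppe'] }}"
        state: present
        local: false
        non_unique: false
      when: item['name'] == item['gruppe']
      loop: "{{ users }}"

    - name: Master-Benutzer anlegen
      ansible.builtin.user:
        name: "{{ item['name'] }}"
        group: "{{ item['gruppe'] }}"
        home: "/home/{{ item['name'] }}"
        comment: "{{ item['comment'] }}"
        # "!" locks the password, so the account is reachable with an SSH key
        # only unless an explicit password hash is supplied.
        password: "{{ item['password'] | default('!') }}"
        state: present
        # Quoted on purpose: an unquoted 0002 is read by YAML as the integer 2
        # and the module would receive the umask "2".
        umask: "0002"
        append: false
        create_home: true
        generate_ssh_key: false
        local: false
        non_unique: false
      when: item['name'] == item['gruppe']
      loop: "{{ users }}"

    - name: Rechte vom Master-Home-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['name'] }}"
        owner: root
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] == item['gruppe']
      loop: "{{ users }}"

    - name: Rechte vom Master-DEV-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['name'] }}/dev"
        owner: root
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] == item['gruppe']
      loop: "{{ users }}"

    # .ssh stays free of group/world write bits so sshd (StrictModes) accepts
    # the authorized_keys file placed there later.
    - name: Rechte vom Master-SSH-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['name'] }}/.ssh"
        owner: "{{ item['name'] }}"
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] == item['gruppe']
      loop: "{{ users }}"

    #--------------------------------------------------------------------------#
    ### Customers: item['name'] != item['gruppe']
    - name: Kunde-Benutzer anlegen
      ansible.builtin.user:
        name: "{{ item['name'] }}"
        group: "{{ item['gruppe'] }}"
        home: "/home/{{ item['gruppe'] }}/{{ item['name'] }}"
        comment: "{{ item['comment'] }}"
        # "!" locks the password: SSH-key login only unless a hash is given.
        password: "{{ item['password'] | default('!') }}"
        state: present
        # Quoted: see the master task above.
        umask: "0002"
        append: false
        create_home: true
        generate_ssh_key: false
        local: false
        non_unique: false
      when: item['name'] != item['gruppe']
      loop: "{{ users }}"

    - name: Rechte vom Kunden-Home-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['gruppe'] }}/{{ item['name'] }}"
        owner: root
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] != item['gruppe']
      loop: "{{ users }}"

    - name: Rechte vom Kunden-DEV-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['gruppe'] }}/{{ item['name'] }}/dev"
        owner: root
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] != item['gruppe']
      loop: "{{ users }}"

    - name: Rechte vom Kunden-SSH-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['gruppe'] }}/{{ item['name'] }}/.ssh"
        owner: "{{ item['name'] }}"
        group: root
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] != item['gruppe']
      loop: "{{ users }}"

    # The only directory inside the chroot the customer may write to.
    - name: Rechte vom Kunden-DATADIR-Verzeichnis setzen
      ansible.builtin.file:
        path: "/home/{{ item['gruppe'] }}/{{ item['name'] }}/{{ item['datadir'] }}"
        owner: "{{ item['name'] }}"
        group: "{{ item['gruppe'] }}"
        mode: '0755'
        recurse: false
        state: directory
      when: item['name'] != item['gruppe']
      loop: "{{ users }}"

    #--------------------------------------------------------------------------#
    ### All users
    # Fully qualified name of the module the short name "authorized_key"
    # resolves to.
    - name: SSH-Schlüssel ablegen
      ansible.posix.authorized_key:
        user: "{{ item['name'] }}"
        key: "{{ item['ssh_key'] }}"
        state: present
      loop: "{{ users }}"

    #==========================================================================#
    ### sshd/SFTP configuration - end
    #--------------------------------------------------------------------------#
    #--------------------------------------------------------------------------#
    # Security section: a catch-all Match block that chroots every user who is
    # not root or admin into /tmp and restricts them to SFTP. Match blocks
    # apply until the next Match, which is why it must be the last thing in
    # the file (an earlier Match would otherwise be shadowed/extended by it).
    - name: "Textblock an die Datei anhängen / der muß immer ganz unten in der Datei sein"
      ansible.builtin.blockinfile:
        path: "{{ SSHDCFG }}"
        marker: "# {mark} Sicherheitssektion"
        block: "#------------------------------------------------------------------------------#\nMatch group !root,!admin,*\n\t ChrootDirectory /tmp\n\t X11Forwarding no\n\t AllowTcpForwarding no\n\t ForceCommand internal-sftp -l VERBOSE\n#------------------------------------------------------------------------------#"
        state: present

    #--------------------------------------------------------------------------#
    # Syntax-check the resulting configuration before restarting: restarting
    # sshd with a broken config would lock every remote session out, and the
    # play fails here instead (sshd -t exits non-zero on an invalid config).
    - name: SSHD-Konfiguration vor dem Neustart prüfen
      ansible.builtin.command: sshd -t
      changed_when: false

    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
        enabled: true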