Overhaul playbook organizational structure

provision playbooks now establish platform-related components of the macro system configure playbooks now configure/update/establish specific subcomponents of systems deploy playbooks will eventually deploy specific applications onto the platform
2020-12-04 14:52:49 -05:00
parent 39b2e4676e
commit 0a7b67b6c5
26 changed files with 534 additions and 905 deletions
--- a/playbooks/configure-env.yml
+++ b/playbooks/configure-env.yml
@@ -7,21 +7,83 @@
      hostname:
        name: "{{ ansible_host }}"

-    - import_tasks: tasks/preprocess-users.yml
+    - import_tasks: tasks/sshd/banner.yml

-    - name: Install network bash profile
+    - name: Install global bash components
      become: true
      copy:
-        src: bashrc.sh
-        dest: /home/{{ item.name }}/.bashrc
+        src: bash/{{ item }}.sh
+        dest: /etc/profile.d/Z-{{ 10 + loop_index }}-enpn-{{ item }}.sh
        mode: 0644
-      loop: "{{ _users_local }}"
+      loop:
+        - global
+        - pyenv
+        - aliases
+        - helpers
+      loop_control:
+        index_var: loop_index
+        label: "{{ item }}"
+
+    - name: Disable dynamic MOTD
+      become: true
+      replace:
+        path: /etc/pam.d/sshd
+        regexp: "^session\\s+optional\\s+pam_motd\\.so.*$"
+        replace: "#session    optional     pam_motd.so"
+
+    - name: Remove legacy global bashrc
+      become: true
+      file:
+        path: /etc/profile.d/ZA-enpn-bashrc.sh
+        state: absent

    - name: Disable case-sensitive autocomplete
      become: true
      lineinfile:
-        path: /home/{{ item.name }}/.inputrc
-        line: set completion-ignore-case On
+        path: /etc/inputrc
+        line: set completion-ignore-case ((o|O)(n|ff))
        create: true
        mode: 0644
-      loop: "{{ _users_local }}"
+
+- name: Configure additional security settings on shared servers
+  hosts: servers
+  tasks:
+    - name: Identify local home directories
+      become: true
+      find:
+        file_type: directory
+        path: /home/
+        recurse: false
+      register: _local_home_dirs
+
+    - name: Determine files to write-protect
+      set_fact:
+        _secure_files: >-
+          {{ _secure_files | default([]) + [
+            item.path ~ '/.bashrc',
+            item.path ~ '/.bash_profile',
+            item.path ~ '/.ssh/authorized_keys',
+            item.path ~ '/.ssh/config'
+          ] }}
+      loop: "{{ _local_home_dirs.files }}"
+      loop_control:
+        label: "{{ item.path }}"
+
+    - name: Fetch status of secure files
+      become: true
+      stat:
+        path: "{{ item }}"
+      loop: "{{ _secure_files }}"
+      loop_control:
+        label: "{{ item }}"
+      register: _secure_file_stats
+
+    - name: Restrict access to secure files
+      become: true
+      file:
+        path: "{{ item.item }}"
+        state: "{{ 'file' if item.stat.exists else 'touch' }}"
+        mode: 0400
+      loop: "{{ _secure_file_stats.results }}"
+      loop_control:
+        label: "Write-protecting: {{ item.item }}"