Updates to segregate configs by device class

Split cloud VMs out from local VMs in 'cloud' group Generalize networkd install/config Generalize sshd config Create general update playbook Add host vm-host-nextcloud
2018-12-30 22:54:33 -05:00
parent 9a35e992d0
commit c27460c47e
13 changed files with 175 additions and 45 deletions
--- a/tasks/networkd/config.yml
+++ b/tasks/networkd/config.yml
@@ -0,0 +1,22 @@
+---
+# The directory is deleted ahead of creation to ensure that no old configs
+# remain after runnign ansible
+- name: Delete networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: absent
+
+- name: Create the networkd config directory
+  become: true
+  file:
+    path: /etc/systemd/network
+    state: directory
+
+- name: Make .network files
+  when: networking is defined
+  become: true
+  template:
+    src: network.j2
+    dest: "/etc/systemd/network/{{ item.key }}.network"
+  with_dict: "{{ networking }}"
--- a/tasks/networkd/services.yml
+++ b/tasks/networkd/services.yml
@@ -0,0 +1,38 @@
+---
+- name: Disable network scripts and NetworkManager
+  become: true
+  service:
+    name: "{{ item }}"
+    enabled: false
+  with_items:
+    - network
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Enable systemd-networkd and systemd-resolved
+  become: true
+  service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  with_items:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+  become: true
+  file:
+    dest: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: true
+    setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+  become: true
+  file:
+    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+    src: /usr/lib/systemd/system/systemd-resolved.service
+    state: link
+    force: true
--- a/tasks/sshd/banner.yml
+++ b/tasks/sshd/banner.yml
@@ -0,0 +1,13 @@
+- name: Install SSH Banner
+  become: true
+  template:
+    src: motd.j2
+    dest: /etc/issue.net
+    mode: 0644
+
+- name: Configure SSH banner
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '#Banner none'
+    line: 'Banner /etc/issue.net'
--- a/tasks/sshd/disable-password-auth.yml
+++ b/tasks/sshd/disable-password-auth.yml
@@ -0,0 +1,25 @@
+- name: Turn off password authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "PasswordAuthentication yes"
+    replace: "PasswordAuthentication no"
+
+- name: Turn off challenge response authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "ChallengeResponseAuthentication yes"
+    replace: "ChallengeResponseAuthentication no"
+
+- name: Turn off GSSAPI authentication
+  become: true
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: "GSSAPIAuthentication yes"
+    replace: "GSSAPIAuthentication no"
+
+- name: Restart sshd
+  service:
+    name: sshd
+    state: restarted