diff --git a/roles/dotfiles/defaults/main.yml b/roles/dotfiles/defaults/main.yml index ea1a278..21fe338 100644 --- a/roles/dotfiles/defaults/main.yml +++ b/roles/dotfiles/defaults/main.yml @@ -28,58 +28,7 @@ l3d_users__local_users: [] # admin: false # pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" -l3d_users__ssh_login: [] -# - name: 'dora' -# state: 'present' - -l3d_users__limit_login: true - -l3d_users__sshd_port: 22 -l3d_users__sshd_password_authentication: false -l3d_users__sshd_permitrootlogin: false -l3d_users__create_ansible: true -l3d_users__ansible_user_state: 'present' - -l3d_users__sshd_manage_server_key_types: true -l3d_users__sshd_server_key_types: - - 'ed25519' - # - 'rsa' - # - 'ecdsa' - -l3d_users__sshd_manage_key_algorithmus: true -l3d_users__sshd_key_algorithmus: - - 'ssh-ed25519-cert-v01@openssh.com' - - 'ssh-ed25519' - - 'ecdsa-sha2-nistp521-cert-v01@openssh.com' - - 'ecdsa-sha2-nistp384-cert-v01@openssh.com' - - 'ecdsa-sha2-nistp256-cert-v01@openssh.com' - # - 'rsa-sha2-512-cert-v01@openssh.com' - # - 'rsa-sha2-256-cert-v01@openssh.com' - # - 'ssh-rsa-cert-v01@openssh.com' - # - 'ecdsa-sha2-nistp521' - # - 'ecdsa-sha2-nistp384' - # - 'ecdsa-sha2-nistp256' - # - 'rsa-sha2-512' - # - 'rsa-sha2-256' - # - 'ssh-rsa' - -l3d_users__sshd_manage_kex_algorithmus: true -l3d_users__sshd_kex_algorithmus: - - 'curve25519-sha256@libssh.org' - - 'diffie-hellman-group-exchange-sha256' - - 'diffie-hellman-group-exchange-sha1' - # - 'diffie-hellman-group14-sha1' - # - 'diffie-hellman-group1-sha1' - -l3d_users__sshd_manage_ciphers: true -l3d_users__sshd_ciphers: - - 'chacha20-poly1305@openssh.com' - - 'aes256-gcm@openssh.com' - - 'aes256-ctr' - # - 'aes256-cbc' - # - 'aes128-ctr' - # - 'aes128-cbc' - +l3d_users__bashrc: true # run simple versionscheck submodules_versioncheck: false diff --git a/roles/dotfiles/tasks/bashrc.yml b/roles/dotfiles/tasks/bashrc.yml new file mode 100644 index 0000000..ac91fae --- /dev/null 
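Review bot: The new switch `l3d_users__bashrc: true` keeps the `l3d_users__` prefix, but the role lives under `roles/dotfiles` and every variable the new bash.bashrc.j2 template reads (`dotfiles__aliases`, `dotfiles__root_prompt`, `dotfiles__user_prompt`, `dotfiles__history_control`, `dotfiles__additional_bashrc_lines`, ...) uses `dotfiles__`, so one role now carries two variable namespaces. None of those `dotfiles__*` variables receives a default in this hunk; if they are not defined earlier in this file (not visible here), rendering the template fails on the undefined `dotfiles__aliases`, so the defaults (`dotfiles__aliases: []` at minimum) belong next to this switch. A short comment on the new line, e.g. `# Render templates/bash.bashrc.j2 into the system-wide, root-owned bashrc`, would also tell the reader what the switch actually enables.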
+++ b/roles/dotfiles/tasks/bashrc.yml
@@ -0,0 +1,9 @@
+---
+- name: Create global bashrc configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/bash.bashrc.j2'
+ dest: '/etc/bash.bashrc'
+ owner: root
+ group: root
+ mode: 'u=rw,g=r,o=r'
diff --git a/roles/dotfiles/tasks/main.yml b/roles/dotfiles/tasks/main.yml
index 35e92aa..c44f1fd 100644
--- a/roles/dotfiles/tasks/main.yml
+++ b/roles/dotfiles/tasks/main.yml
@@ -10,5 +10,5 @@
 - name: Setup and configure bashrc
 ansible.builtin.include_tasks:
- file: 'packages.yml'
- when:
+ file: 'bashrc.yml'
+ when: l3d_users__bashrc | bool
diff --git a/roles/dotfiles/templates/bash.bashrc.j2 b/roles/dotfiles/templates/bash.bashrc.j2
new file mode 100644
index 0000000..6524b14
--- /dev/null
+++ b/roles/dotfiles/templates/bash.bashrc.j2
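Review bot: `dest: '/etc/bash.bashrc'` is, as far as I can tell, only sourced by Debian-family bash builds; on RedHat-family systems the system-wide file that the default `~/.bashrc` pulls in is `/etc/bashrc`, so there this task writes a file nothing reads (the template's own first line even says `# /etc/bashrc`). The rendered file is root-owned and sourced by every interactive shell on the host, root's included, and it splices `dotfiles__additional_bashrc_lines` in verbatim, so one syntax error in inventory breaks every login at once; a `validate` step rejects such a render before it replaces the live file. I would change the task to `dest: "{{ (ansible_os_family == 'RedHat') | ternary('/etc/bashrc', '/etc/bash.bashrc') }}"`, add `validate: '/bin/bash -n %s'` and `backup: true`, and note in the task name or a comment that the file is global for all users.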
@@ -0,0 +1,61 @@
+# /etc/bashrc
+
+# System wide functions and aliases
+# Environment stuff goes in /etc/profile
+
+# This file may be overwritten by ansible. Please think about commiting
+# changes you want to keep persistent.
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+ test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+{% for alias in dotfiles__aliases %}
+{% if alias.color %}
+ alias {{ alias.alias }}="{{ alias.command }} --color=auto"
+{% endif%}
+{% endfor %}
+fi
+
+{% for alias in dotfiles__aliases %}
+{% if not alias.color %}
+ alias {{ alias.alias }}="{{ alias.command }}"
+{% endif%}
+{% endfor %}
+
+{%if dotfiles__bash_completion_enabled %}
+if ! shopt -oq posix; then
+ if [ -f /usr/share/bash-completion/bash_completion ]; then
+ . /usr/share/bash-completion/bash_completion
+ elif [ -f /etc/bash_completion ]; then
+ . /etc/bash_completion
+ fi
+fi
+
+{% endif %}
+
+# fancy Prompt
+if [ $(id -u) -eq 0 ]; then
+ export PS1='{{ dotfiles__root_prompt }} '
+else
+ export PS1='{{ dotfiles__user_prompt }} '
+fi
+
+
+HISTCONTROL={{ dotfiles__history_control }}
+shopt -s histappend
+{% if ansible_os_family == 'Redhat' %}
+# HISTSIZE={{ dotfiles__history_size }}
+# HISTFILESIZE={{ dotfiles__history_file_size }}
+{% elif ansible_distribution == "CentOS" %}
+# HISTSIZE={{ dotfiles__history_size }}
+# HISTFILESIZE={{ dotfiles__history_file_size }}
+{% else %}
+HISTSIZE={{ dotfiles__history_size }}
+HISTFILESIZE={{ dotfiles__history_file_size }}
+{% endif %}
+
+
+{% for _row in dotfiles__additional_bashrc_lines | default() %}
+{{ _row }}
+{% endfor %}
+# vim:ts=4:sw=4
diff --git a/roles/dotfiles/templates/sshd_config.j2 b/roles/dotfiles/templates/sshd_config.j2
deleted file mode 100644
index b61a262..0000000
--- a/roles/dotfiles/templates/sshd_config.j2
+++ /dev/null
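Review bot: `{% if ansible_os_family == 'Redhat' %}` in the history section can never match — the fact value is spelled `RedHat` (the sshd_config.j2 deleted by this same commit compares against `'RedHat'`), so RHEL, Fedora and Rocky hosts fall through to the `else` branch and get `HISTSIZE`/`HISTFILESIZE` set, and only CentOS reaches the commented-out branch via the `elif`. Both of the first two branches emit nothing but comments, so the whole block collapses to `{% if ansible_os_family != 'RedHat' %}` around the two assignments, ideally with a comment saying why RedHat-family hosts are skipped (presumably their own profile already sets these; confirm). Separately, `alias.command` and every `dotfiles__additional_bashrc_lines` entry land unescaped in a root-owned file that every interactive shell, root's included, sources, so a template comment such as `# NOTE: the aliases and extra lines below come straight from inventory and run as shell in every user's session, root included - treat them as code, not data` would warn the next maintainer, and `| default([])` states more clearly than `| default()` that an absent variable means an empty list.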
@@ -1,136 +0,0 @@ -# Attention, local changew will be overwritten -# MIT (C) L3D -# {{ ansible_managed }} -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -{% if _sshd_version | default(7.0) | float > 8.0 | bool %} -# Include SSHD config snippets -# Support fot this starts with sshd 8.0 -Include /etc/ssh/sshd_config.d/*.conf -{% endif %} - -# Networking -Port {{ l3d_users__sshd_port }} -AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -TCPKeepAlive yes - -# SSHD Key exchange -{% if l3d_users__sshd_manage_key_algorithmus | bool %} -# -> HostkeyAlgorithms -HostkeyAlgorithms {{ l3d_users__sshd_key_algorithmus | join(',') }} -{% else %} -# No HostkeyAlgorithms defined -{% endif %} - -{% if l3d_users__sshd_manage_kex_algorithmus | bool %} -# -> KexAlgorithms -KexAlgorithms {{ l3d_users__sshd_kex_algorithmus | join(',') }} -{% else %} -# No KexAlgorithms defined -{% endif %} - -# Ciphers and keying -{% if l3d_users__sshd_manage_ciphers | bool %} -# -> Ciphers -Ciphers {{ l3d_users__sshd_ciphers | join(',') }} -{% else %} -# No Ciphers defined -{% endif %} - -{% if l3d_users__sshd_manage_macs | bool %} -# -> Macs -MACs {{ l3d_users__sshd_macs | join(',') }} -{% else %} -# No MACs defined -{% endif %} - -# Server Authentication -Protocol 2 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# SSHD Host Keys -{% if l3d_users__sshd_manage_server_key_types | bool %} -{% for key in l3d_users__sshd_server_key_types %} -# -> {{ key }} -HostKey /etc/ssh/ssh_host_{{ key }}_key -{% endfor %} -{% endif %} - -# Client authentication -MaxAuthTries 6 -MaxSessions 10 -PasswordAuthentication {{ l3d_users__sshd_password_authentication | ternary('yes', 'no') }} -ChallengeResponseAuthentication no -PubkeyAuthentication yes -PermitRootLogin {{ l3d_users__sshd_permitrootlogin | ternary('without-password', 'no') }} -LoginGraceTime 120 -StrictModes yes -X11Forwarding {{ l3d_users__sshd_xforwarding | ternary('yes', 'no') }} - 
-AllowTcpForwarding yes -#GatewayPorts no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes - -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes - -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - - -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -{% set _sshd_accounts = [] %} -{% for user in _l3d_users__merged_users %} -{% if user.name is defined and user.state | default('present') == 'present' %} -{% set _ = _sshd_accounts.append(user.name) %} -{% endif %} -{% endfor %} - -# User Authentication -{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' %} -AllowUsers ansible {{ _sshd_accounts | join(' ') }} - -# Group Authentication -AllowGroups ansible {{ _sshd_accounts | join(' ') }} -{% else %} -AllowUsers {{ _sshd_accounts | join(' ') }} - -# Group Authentication -AllowGroups {{ _sshd_accounts | join(' ') }} -{% endif %} - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -# sftp (required by ansible) -# Subsystem sftp /usr/lib/openssh/sftp-server -{% if ansible_os_family == 'RedHat' %} -Subsystem sftp /usr/libexec/openssh/sftp-server -{% else %} -Subsystem sftp /usr/lib/openssh/sftp-server -{% endif %}