---
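# Play 1: baseline login/shell environment applied to every inventory host.
# The nesting below is restored from a listing whose indentation was lost.
- name: Configure environment
  hosts: all
  tasks:
    # NOTE(review): ansible_host is the connection address and may be an IP
    # rather than a name; confirm that is the intended hostname source.
    - name: Set hostname
      become: true
      hostname:
        name: "{{ ansible_host }}"

    - import_tasks: tasks/sshd/banner.yml

    # NOTE(review): the remaining tasks write under /etc without their own
    # `become`; confirm privilege escalation is configured elsewhere.

    # Files in /etc/profile.d are sourced by every login shell. The numeric
    # prefix (10 + loop index) fixes the order in which they are sourced.
    # NOTE(review): no owner/group is set, so the files belong to whichever
    # user the task runs as; confirm that is root.
    - name: Install global bash components
      copy:
        src: "bash/{{ item }}.sh"
        dest: "/etc/profile.d/Z-{{ 10 + loop_index }}-enpn-{{ item }}.sh"
        # Quoted so the mode never depends on YAML integer typing.
        mode: "0644"
      loop:
        - global
        - pyenv
        - aliases
        - helpers
      loop_control:
        index_var: loop_index
        label: "{{ item }}"

    # Comments out every `session optional pam_motd.so` line in the sshd PAM
    # stack. Any module arguments on the matched line are dropped by the
    # replacement text. The anchored `^session` keeps re-runs idempotent.
    - name: Disable dynamic MOTD
      replace:
        path: /etc/pam.d/sshd
        regexp: '^session\s+optional\s+pam_motd\.so.*$'
        replace: '#session optional pam_motd.so'

    - name: Remove legacy global bashrc
      file:
        path: /etc/profile.d/ZA-enpn-bashrc.sh
        state: absent

    # The listing had the pattern `((o|O)(n|ff))` inside `line`, which would
    # be written verbatim into /etc/inputrc. It is used here as the match for
    # an existing setting, and `line` carries the directive the task name
    # describes.
    - name: Disable case-sensitive autocomplete
      lineinfile:
        path: /etc/inputrc
        regexp: '^set completion-ignore-case ((o|O)(n|ff))'
        line: 'set completion-ignore-case on'
        create: true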
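# Play 2: remove write permission from shell start-up files and SSH client
# and key files in every directory directly under /home on `servers` hosts.
# The listing lacked `tasks:`, the `file:` module key and the `loop_control:`
# parents of `label`; they are restored here so the play parses.
# NOTE(review): no `become` is visible; stat/chmod on other users' files
# needs root, so confirm escalation is configured elsewhere.
- name: Configure additional security settings on shared servers
  hosts: servers
  tasks:
    # Non-recursive: only the immediate children of /home are listed.
    - name: Identify local home directories
      find:
        file_type: directory
        path: /home/
        recurse: false
      register: _local_home_dirs

    # Appends four candidate paths per home directory to _secure_files.
    - name: Determine files to write-protect
      set_fact:
        _secure_files: >-
          {{ _secure_files | default([]) + [
            item.path ~ '/.bashrc',
            item.path ~ '/.bash_profile',
            item.path ~ '/.ssh/authorized_keys',
            item.path ~ '/.ssh/config'
          ] }}
      loop: "{{ _local_home_dirs.files }}"
      loop_control:
        label: "{{ item.path }}"

    - name: Fetch status of secure files
      stat:
        path: "{{ item }}"
      loop: "{{ _secure_files }}"
      register: _secure_file_stats

    # Existing files get mode 0400; missing ones are created empty first.
    # NOTE(review): 0400 only clears permission bits. The file's owner, or
    # whoever owns the parent directory, can still chmod or replace it, so
    # this guards against accidental edits, not against the account itself.
    # NOTE(review): no owner is set, so a file created by `touch` belongs to
    # the user running the task; under root the account could not read its
    # own new .bashrc. `touch` also fails where ~/.ssh does not exist.
    # NOTE(review): these paths sit in user-controlled directories and the
    # file module follows symlinks by default; consider `follow: false` so a
    # link cannot redirect the chmod to another file.
    - name: Restrict access to secure files
      file:
        path: "{{ item.item }}"
        state: "{{ 'file' if item.stat.exists else 'touch' }}"
        # Quoted so the mode never depends on YAML integer typing.
        mode: "0400"
      loop: "{{ _secure_file_stats.results }}"
      loop_control:
        label: "Write-protecting: {{ item.item }}"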