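---
# Play 1 — host baseline applied everywhere: hostname, SSH login banner,
# root-owned global shell profile fragments, MOTD and readline defaults.
# File modes are quoted throughout: an unquoted 0644 is parsed as the
# integer 420 by YAML 1.1 loaders and only works by accident.
- name: Configure environment
  hosts: all
  tasks:
    # NOTE(review): ansible_host is the *connection* address; depending on
    # the inventory it may be an IP or a bare label rather than a resolvable
    # FQDN. Confirm inventory values before treating it as the canonical
    # hostname (inventory_hostname may be the better source).
    - name: Set hostname
      become: true
      hostname:
        name: "{{ ansible_host }}"

    - import_tasks: tasks/sshd/banner.yml

    # Profile fragments are pinned root:root 0644 so every login shell can
    # source them but no unprivileged user can edit what runs at login.
    # The numeric prefix (Z-10…, Z-11…, …) fixes the sourcing order.
    - name: Install global bash components
      become: true
      copy:
        src: "bash/{{ item }}.sh"
        dest: "/etc/profile.d/Z-{{ 10 + loop_index }}-enpn-{{ item }}.sh"
        owner: root
        group: root
        mode: "0644"
      loop:
        - global
        - pyenv
        - aliases
        - helpers
      loop_control:
        index_var: loop_index
        label: "{{ item }}"

    # Comments out every pam_motd.so session line; the trailing `.*`
    # covers argument variants (e.g. motd=/run/motd.dynamic, noupdate).
    # This also suppresses update/reboot notices delivered via MOTD —
    # the sshd banner imported above is the remaining login-time notice.
    - name: Disable dynamic MOTD
      become: true
      replace:
        path: /etc/pam.d/sshd
        regexp: "^session\\s+optional\\s+pam_motd\\.so.*$"
        replace: "#session optional pam_motd.so"

    - name: Remove legacy global bashrc
      become: true
      file:
        path: /etc/profile.d/ZA-enpn-bashrc.sh
        state: absent

    # readline option: `completion-ignore-case on` makes tab completion
    # case-insensitive. The regexp matches any existing on/off/On/Off
    # setting so it is rewritten in place instead of being duplicated;
    # writing the regex itself as the line (as before) produced an invalid
    # inputrc directive.
    - name: Disable case-sensitive autocomplete
      become: true
      lineinfile:
        path: /etc/inputrc
        regexp: '^set completion-ignore-case ((o|O)(n|ff))$'
        line: set completion-ignore-case on
        create: true
        owner: root
        group: root
        mode: "0644"

# Play 2 — shared servers only: lock down per-user shell start-up and SSH
# client/authorized_keys files so other local users cannot tamper with them.
- name: Configure additional security settings on shared servers
  hosts: servers
  tasks:
    # Non-recursive, so each result is one top-level directory under /home.
    # NOTE(review): this also picks up non-user directories (e.g.
    # lost+found) if present — add `patterns`/`excludes` if that applies.
    - name: Identify local home directories
      become: true
      find:
        file_type: directory
        path: /home/
        recurse: false
      register: _local_home_dirs

    # Each entry carries the home directory's uid/gid (from find's
    # stat-style output) so that files created below are owned by the
    # user rather than by root. A root-owned 0400 authorized_keys is
    # unreadable by sshd (which reads it with the user's privileges) and a
    # root-owned 0400 .bashrc is unreadable by the user's own shell.
    - name: Determine files to write-protect
      set_fact:
        _secure_files: >-
          {{ _secure_files | default([]) + [
               {'path': item.path ~ '/.bashrc',
                'uid': item.uid, 'gid': item.gid},
               {'path': item.path ~ '/.bash_profile',
                'uid': item.uid, 'gid': item.gid},
               {'path': item.path ~ '/.ssh/authorized_keys',
                'uid': item.uid, 'gid': item.gid},
               {'path': item.path ~ '/.ssh/config',
                'uid': item.uid, 'gid': item.gid}
             ] }}
      loop: "{{ _local_home_dirs.files }}"
      loop_control:
        label: "{{ item.path }}"

    # Touching ~/.ssh/authorized_keys fails when ~/.ssh does not exist, so
    # create it first. 0700 owned by the user is also what sshd's
    # StrictModes expects before it will honour authorized_keys.
    - name: Ensure per-user .ssh directory exists with strict permissions
      become: true
      file:
        path: "{{ item.path }}/.ssh"
        state: directory
        owner: "{{ item.uid }}"
        group: "{{ item.gid }}"
        mode: "0700"
      loop: "{{ _local_home_dirs.files }}"
      loop_control:
        label: "{{ item.path }}/.ssh"

    - name: Fetch status of secure files
      become: true
      stat:
        path: "{{ item.path }}"
      loop: "{{ _secure_files }}"
      loop_control:
        label: "{{ item.path }}"
      register: _secure_file_stats

    # 0400: only the owner (and root) can read; nobody can write without a
    # chmod first. This blocks other local users and group/world writes. It
    # does NOT stop the owner, who can still chmod their own file — real
    # owner-proof protection needs root ownership or chattr +i.
    # `touch` is used only when the file is missing, so reruns report
    # unchanged instead of bumping mtime every time. Ownership is set only
    # on newly created files; existing files keep whatever owner they have.
    - name: Restrict access to secure files
      become: true
      file:
        path: "{{ item.item.path }}"
        state: "{{ 'file' if item.stat.exists else 'touch' }}"
        owner: "{{ omit if item.stat.exists else item.item.uid }}"
        group: "{{ omit if item.stat.exists else item.item.gid }}"
        mode: "0400"
      loop: "{{ _secure_file_stats.results }}"
      loop_control:
        label: "Write-protecting: {{ item.item.path }}"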