From 26f671ab31252d9f52abedb4995c6ddb82c1fc6a Mon Sep 17 00:00:00 2001
From: RyanSquared
Date: Tue, 26 Jun 2018 10:17:32 -0500
Subject: [PATCH 1/3] ansible/**/*.yml: Add `marker` to blockinfile and fix regexes
---
 ansible/tasks/dns/main.yml | 3 +++
 ansible/tasks/ldap-nss/main.yml | 3 ++-
 ansible/tasks/mail/main.yml | 4 ++--
 ansible/tasks/misc/main.yml | 1 +
 ansible/tasks/security/main.yml | 4 ++++
 5 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/ansible/tasks/dns/main.yml b/ansible/tasks/dns/main.yml
index f0822b5..489ae8a 100644
--- a/ansible/tasks/dns/main.yml
+++ b/ansible/tasks/dns/main.yml
@@ -27,6 +27,7 @@
 - name: Use DNS root hints from the dns-root-data Debian package
 blockinfile:
 path: /etc/unbound/unbound.conf.d/debian.conf
+ marker: "# {mark} ANSIBLE - DNS Root Hints"
 create: true
 block: |
 server:
@@ -34,6 +35,7 @@
 - name: Prefetch popular domains before the cache expires
 blockinfile:
 path: /etc/unbound/unbound.conf.d/prefetch.conf
+ marker: "# {mark} ANSIBLE - Prefetch popular domains"
 create: true
 block: |
 server:
@@ -42,6 +44,7 @@
 - name: Enable RFC 7816 "DNS Query Name Minimisation to Improve Privacy"
 blockinfile:
 path: /etc/unbound/unbound.conf.d/qname-minimisation.conf
+ marker: "# {mark} ANSIBLE - Enable RFC 7816"
 create: true
 block: |
 server:
diff --git a/ansible/tasks/ldap-nss/main.yml b/ansible/tasks/ldap-nss/main.yml
index a37869b..45e9fa7 100644
--- a/ansible/tasks/ldap-nss/main.yml
+++ b/ansible/tasks/ldap-nss/main.yml
@@ -2,7 +2,7 @@
 - name: Configure ssh to use sss for authorized-keys
 blockinfile:
 path: /etc/ssh/sshd_config
- marker: ""
+ marker: "# {mark} ANSIBLE - sss config for ssh"
 block: |
 AuthorizedKeysFile none
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
@@ -11,6 +11,7 @@
 - name: Configure sssd to use custom ldap server
 blockinfile:
 path: /etc/sssd/sssd.conf
+ marker: "# {mark} ANSIBLE - LDAP configuration for sss"
 mode: 0600
 create: true
 block: | 
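Review bot: Any host that was already provisioned carries this block under blockinfile's default `# {mark} ANSIBLE MANAGED BLOCK` markers, and the renamed marker added here does not match them, so the next run inserts a second copy of the block instead of updating the first; the same applies to the hunks at @@ -34 and @@ -42 in this file, ldap-nss @@ -11, misc @@ -17 and security @@ -127, @@ -135, @@ -179 and @@ -227. For the unbound, sysctl and sudoers files a duplicate block is mostly noise, but in /etc/fstab it yields two `proc` and two `udev` entries and in /etc/ssh/sshd_config a duplicated `Match User root` stanza. Where a file only ever receives one block, keeping the default marker avoids the migration entirely; where distinct markers are needed, pair the rename with a one-off `blockinfile` task that names the old marker with `state: absent` so the stale block is removed before the new one is written.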
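Review bot: The sshd_config block here and the `Match User root` block in security/main.yml @@ -227 both rely on blockinfile's default end-of-file insertion, and sshd applies everything below a `Match` line only to that match; whichever block is written last lands below the other, and if it is this one, `AuthorizedKeysFile none` and the sss `AuthorizedKeysCommand` become root-only instead of global (unless an `insertbefore`/`insertafter` exists in the part of the task outside the hunk). The earlier `marker: ""` also could not delimit the block, so on already-configured hosts these two lines may be present unmarked and will not be reclaimed by the new marker, leaving a second, unmanaged copy. Anchor this task explicitly, e.g. `insertbefore: '^Match '`, and add `validate: '/usr/sbin/sshd -t -f %s'` to both sshd_config tasks so a malformed configuration is rejected before it can lock out logins. The `block` scalar continues past the end of the hunk.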
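Review bot: `mode: 0600` in this task is an unquoted leading-zero literal; PyYAML's YAML 1.1 rules read it as the integer 384, which happens to equal 0o600, but the result depends on the parser's octal rule and ansible-lint flags the form. Write it as `mode: "0600"` so Ansible receives a string and does the octal conversion itself; sssd refuses to start when sssd.conf is not 0600 and root-owned, so this value is worth protecting from parser quirks. The `block` scalar continues past the end of the hunk.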
diff --git a/ansible/tasks/mail/main.yml b/ansible/tasks/mail/main.yml
index 18a5097..b71518c 100644
--- a/ansible/tasks/mail/main.yml
+++ b/ansible/tasks/mail/main.yml
@@ -73,12 +73,12 @@
 - name: Update maildir for console login
 lineinfile:
 path: /etc/pam.d/login
- regexp: "^session optional pam_mail.so standard"
+ regexp: "^session optional pam_mail.so( dir=~/Mail)? standard"
 line: "session optional pam_mail.so dir=~/Mail standard"
 - name: Update maildir for sshd login
 lineinfile:
 path: /etc/pam.d/sshd
- regexp: "^session optional pam_mail.so standard noenv"
+ regexp: "^session optional pam_mail.so( dir=~/Mail)? standard noenv"
 line: "session optional pam_mail.so dir=~/Mail standard noenv"

 - name: Setup msmtprc for hashbang smtp
diff --git a/ansible/tasks/misc/main.yml b/ansible/tasks/misc/main.yml
index 6a70a64..e21b676 100644
--- a/ansible/tasks/misc/main.yml
+++ b/ansible/tasks/misc/main.yml
@@ -17,6 +17,7 @@
 - name: Configure systemd for increased resource accounting
 blockinfile:
 path: /etc/systemd/system.conf
+ marker: "# {mark} ANSIBLE - Config for better resource accounting"
 block: |
 DefaultCPUAccounting=yes
 DefaultBlockIOAccounting=yes
diff --git a/ansible/tasks/security/main.yml b/ansible/tasks/security/main.yml
index 73111b4..9c5245e 100644
--- a/ansible/tasks/security/main.yml
+++ b/ansible/tasks/security/main.yml
@@ -127,6 +127,7 @@
 - name: Filesystem security settings
 blockinfile:
 path: /etc/fstab
+ marker: "# {mark} ANSIBLE - Filesystem Security Settings"
 block: |
 proc /proc proc defaults,hidepid=2 0 0
 udev /dev devtmpfs defaults,nosuid,noatime 0 0
@@ -135,6 +136,7 @@
 - name: Use pty instead of tty for sudoers
 blockinfile:
 path: /etc/sudoers
+ marker: "# {mark} ANSIBLE - PTY configuration for users"
 block: |
 Defaults !requiretty, !tty_tickets
 Defaults use_pty 
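Review bot: The sudoers task writes into /etc/sudoers with blockinfile but no `validate`, so any syntax slip in the block, or a leftover from the marker change, is committed to the live file and sudo rejects every invocation until the file is repaired by hand. Add `validate: '/usr/sbin/visudo -cf %s'` to the task so the rewritten file is checked before it replaces the original; the same guard is missing on the sshd_config task at @@ -227. The `block` scalar continues past the end of the hunk.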
@@ -179,6 +181,7 @@
 - name: enable spoof protection via reverse-path filter
 blockinfile:
 path: /etc/sysctl.conf
+ marker: "# {mark} ANSIBLE - Spoof Protection via Reverse-Path Filter"
 block: |
 net.ipv4.conf.default.rp_filter=1
 net.ipv4.conf.all.rp_filter=1
@@ -227,6 +230,7 @@
 - name: Allow root ssh via hardcoded keys as failsafe
 blockinfile:
 path: /etc/ssh/sshd_config
+ marker: "# {mark} ANSIBLE - Root SSH via hardcoded keys"
 block: |
 Match User root
 AuthorizedKeysFile .ssh/authorized_keys
From d69060e90dc4c761c44a174743807dc82d4398cf Mon Sep 17 00:00:00 2001
From: RyanSquared
Date: Tue, 26 Jun 2018 16:29:44 -0500
Subject: [PATCH 2/3] ansible/tasks/mail: fixup regex to match more
---
 ansible/tasks/mail/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ansible/tasks/mail/main.yml b/ansible/tasks/mail/main.yml
index b71518c..f855b5a 100644
--- a/ansible/tasks/mail/main.yml
+++ b/ansible/tasks/mail/main.yml
@@ -73,13 +73,13 @@
 - name: Update maildir for console login
 lineinfile:
 path: /etc/pam.d/login
- regexp: "^session optional pam_mail.so( dir=~/Mail)? standard"
- line: "session optional pam_mail.so dir=~/Mail standard"
+ regexp: "^session +optional +pam_mail.so"
+ line: "session optional pam_mail.so dir=~/Mail standard"
 - name: Update maildir for sshd login
 lineinfile:
 path: /etc/pam.d/sshd
- regexp: "^session optional pam_mail.so( dir=~/Mail)? standard noenv"
- line: "session optional pam_mail.so dir=~/Mail standard noenv"
+ regexp: "^session +optional +pam_mail.so"
+ line: "session optional pam_mail.so dir=~/Mail standard noenv"

 - name: Setup msmtprc for hashbang smtp
 copy:
From 716c0a26dd045e8740e0d34c5a330a92544badf9 Mon Sep 17 00:00:00 2001
From: RyanSquared
Date: Tue, 26 Jun 2018 16:52:02 -0500
Subject: [PATCH 3/3] tasks/hashbang/main.yml: Fix quirk to make modes work properly
---
 ansible/tasks/hashbang/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
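Review bot: `^session +optional +pam_mail.so` only tolerates runs of spaces, so a PAM file whose fields are tab-separated is not matched, and `lineinfile` then appends a second `session optional pam_mail.so` entry at the end of the file instead of replacing the stock one; the unescaped `.` in `pam_mail.so` is harmless here but cheap to tighten. Use `regexp: '^session\s+optional\s+pam_mail\.so'` in both tasks, and note the single quotes: inside a double-quoted YAML scalar `\s` is not a valid escape and the load fails. Because `lineinfile` rewrites the last matching line, the outcome also depends on whether the stock file already has more than one pam_mail entry, which is worth checking on the target image.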
diff --git a/ansible/tasks/hashbang/main.yml b/ansible/tasks/hashbang/main.yml
index 6e6a259..0876afe 100644
--- a/ansible/tasks/hashbang/main.yml
+++ b/ansible/tasks/hashbang/main.yml
@@ -52,7 +52,7 @@
 - template:
 src: "{{ item.src }}"
 dest: "/{{ item.path | regex_replace('.j2','') }}"
- mode: "{{ item.mode }}"
+ mode: "{{ item.mode[1] == '7' and '0755' or '0644' }}"
 with_filetree: "tasks/hashbang/templates"
 when: item.state == 'file'

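Review bot: Collapsing every mode to `0755` or `0644` from `item.mode[1]` silently widens any template that was stored with restrictive permissions: a `0600` or `0640` source becomes world-readable `0644` and a `0700` becomes `0755`, which matters if any rendered file under the tree carries credentials. If the quirk being worked around is how the templated `item.mode` string is re-typed, prefer an expression that keeps the group and other digits (mapping only the owner digit) or give credential-bearing templates an explicit `mode` in a dedicated task, rather than discarding the source permissions. On the context line above, `regex_replace('.j2','')` is unanchored with an unescaped `.`, so it strips the first `?j2` match anywhere in the path; `regex_replace('\\.j2$', '')` inside the double-quoted scalar is the intended form.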