Merge pull request 'Adds user list in variable docker_users to docker group' (#5) from bugfix/docker-users-group into master

Reviewed-on: #5

README.md

@@ -30,6 +30,8 @@ ensure_ansible_version: 2.10.3
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
 enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
 ```
 
 Dependencies
@@ -41,7 +43,8 @@ Example Playbook
 License
 -------
 
-MIT
+- BSD-3-Clause
+- MIT
 
 Author Information
 ------------------

defaults/main.yml

@@ -18,3 +18,10 @@ ensure_ansible_version: 2.10.3
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
 enable_passwordless_sudo: yes
+# Allow root to connect through SSH
+enable_ssh_for_root: yes
+# Allow root to connect only using public key authentication, no password
+enable_ssh_for_root_prohibit_password: no
+# Skip provisioning of the firewall
+skip_firewall: no
+authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!

handlers/main.yml

@@ -1,2 +1,7 @@
 ---
 # handlers file for common
+- name: Restart SSH
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+  become: true

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
-  author: your name
+  author: jotbe
-  description: your description
+  description: Common packages and configuration
-  company: your company (optional)
+  company: ""
 
   # If the issue tracker for your role is not on github, uncomment the
   # next line and provide a value
@@ -14,7 +14,9 @@ galaxy_info:
   # - GPL-3.0-only
   # - Apache-2.0
   # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
+  license:
+    - BSD-3-Clause
+    - MIT
 
   min_ansible_version: 2.4
 

tasks/main.yml

@@ -12,10 +12,13 @@
   import_role:
     name: geerlingguy.firewall
   tags: firewall
+  when: not skip_firewall
 
 - include: locales-debian.yml
   become: true
-  when: ansible_facts['os_family'] == 'Debian'
+  when:
+    - ansible_facts['os_family'] == 'Debian'
+    - not ansible_is_chroot
 
 - include: users.yml
   become: true
@@ -46,9 +49,9 @@
     #update_cache: yes
   vars:
     packages:
-      - python-pip
+      - python3-pip
-      - python-setuptools
+      - python3-setuptools
-      - python-virtualenv
+      - python3-virtualenv
       - apt-transport-https
       - htop
       - tmux

tasks/users.yml

@@ -11,6 +11,14 @@
     groups: users
   with_items: "{{ users }}"
 
+- name: 'Add docker users'
+  user:
+    name: "{{ item }}"
+    groups: docker
+    append: yes
+  with_items: "{{ docker_users }}"
+  when: docker_users | count
+
 - block:
     - name: 'Ensure that sudo group is existing'
       group:
@@ -44,8 +52,9 @@
     user: "{{ item }}"
     state: present
     key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}"
+    exclusive: "{{ authorized_keys_are_exclusive | bool }}"
   with_items: "{{ users }}"
-  ignore_errors: yes
+  ignore_errors: true
 
 - block:
     - name: 'Ensure that wheel group is existing'
@@ -71,6 +80,38 @@
         files:
           - /etc/sudoers
           - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Disable SSH for root'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin No'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == false
+    
+    - name: 'Enable SSH for root through password or key'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin Yes'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == false
+    
+    - name: 'Enable SSH for root through key only'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == true
   when:
     - enable_sudo
     - enable_passwordless_sudo