瀏覽代碼

Same Google auth install should work for both Jessie and Trusty.

Move Apache task to their own file.
Alex Payne 9 年之前
父節點
當前提交
c9b32cd2e2
共有 4 個文件被更改,包括 30 次插入87 次删除
  1. 24
    0
      roles/common/tasks/apache.yml
  2. 3
    17
      roles/common/tasks/google_auth.yml
  3. 0
    41
      roles/common/tasks/google_auth_mod.yml
  4. 3
    29
      roles/common/tasks/main.yml

+ 24
- 0
roles/common/tasks/apache.yml 查看文件

@@ -0,0 +1,24 @@
1
+---
2
+# Configures the Apache HTTP server with sane defaults.
3
+
4
+- name: Disable default Apache site
5
+  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
6
+  notify: restart apache
7
+
8
+- name: Enable Apache headers module
9
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
10
+  notify: restart apache
11
+
12
+- name: Set ServerName for Apache
13
+  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
14
+  notify: restart apache
15
+  when: ansible_distribution_release != 'trusty'
16
+
17
+- name: Create ServerName configuration file for Apache for Ubuntu Trusty
18
+  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
19
+  when: ansible_distribution_release == 'trusty'
20
+
21
+- name: Set ServerName for Apache for Ubuntu Trusty
22
+  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
23
+  notify: restart apache
24
+  when: ansible_distribution_release == 'trusty'

+ 3
- 17
roles/common/tasks/google_auth.yml 查看文件

@@ -1,29 +1,15 @@
1 1
 ---
2
-# Defines tasks applicable for Google Authenticator
2
+# Defines tasks applicable for Google Authenticator.
3 3
 
4 4
 - name: Ensure required packages are installed
5 5
   apt: pkg={{ item }} state=present
6 6
   with_items:
7
-    #- libpam-google-authenticator    wasn't available in wheezy
7
+    - libpam-google-authenticator
8 8
     - libpam0g-dev
9 9
     - libqrencode3
10 10
   tags:
11 11
     - dependencies
12 12
 
13
-- name: Download Google authenticator pam module
14
-  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
15
-           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
16
-
17
-- name: Extract Google authenticator
18
-  unarchive: src=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
19
-             creates=/root/libpam-google-authenticator-{{ google_auth_version }}
20
-             dest=/root copy=no
21
-
22
-- name: Install Google authenticator
23
-  command: make install
24
-           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
25
-           creates=/usr/local/bin/google-authenticator
26
-
27 13
 - name: Update sshd config to enable challenge responses
28 14
   lineinfile: dest=/etc/ssh/sshd_config
29 15
               regexp=^ChallengeResponseAuthentication
@@ -38,7 +24,7 @@
38 24
               state=present
39 25
 
40 26
 - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
41
-  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
27
+  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
42 28
            creates=/home/{{ main_user_name }}/.google_authenticator
43 29
   sudo: yes
44 30
   sudo_user: "{{ main_user_name }}"

+ 0
- 41
roles/common/tasks/google_auth_mod.yml 查看文件

@@ -1,41 +0,0 @@
1
----
2
-# Defines tasks applicable for Google Authenticator
3
-# Ubuntu trusty version, uses standard libpam-google-authenticator package
4
-
5
-- name: Ensure required packages are installed
6
-  apt: pkg={{ item }} state=present
7
-  with_items:
8
-    - libpam-google-authenticator
9
-    - libpam0g-dev
10
-    - libqrencode3
11
-  tags:
12
-    - dependencies
13
-
14
-- name: Update sshd config to enable challenge responses
15
-  lineinfile: dest=/etc/ssh/sshd_config
16
-              regexp=^ChallengeResponseAuthentication
17
-              line="ChallengeResponseAuthentication yes"
18
-              state=present
19
-  notify: restart ssh
20
-
21
-- name: Add Google authenticator to PAM
22
-  lineinfile: dest=/etc/pam.d/sshd
23
-              line="auth required pam_google_authenticator.so"
24
-              insertbefore=BOF
25
-              state=present
26
-
27
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
28
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
29
-           creates=/home/{{ main_user_name }}/.google_authenticator
30
-  sudo: yes
31
-  sudo_user: "{{ main_user_name }}"
32
-  when: ansible_ssh_user != "vagrant"
33
-
34
-- name: Retrieve generated keys from server
35
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
36
-         dest=/tmp/sovereign-google-auth-files
37
-  when: ansible_ssh_user != "vagrant"
38
-
39
-- pause: seconds=5
40
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
41
-  when: ansible_ssh_user != "vagrant"

+ 3
- 29
roles/common/tasks/main.yml 查看文件

@@ -1,6 +1,6 @@
1 1
 ---
2 2
 # Defines tasks applicable across all machines in the infrastructure.
3
-- name: Set up closest mirror autoselect (ubuntu-only)
3
+- name: Set up closest mirror autoselect (Ubuntu-only)
4 4
   template: src=apt_sources.list.j2 dest=/etc/apt/sources.list
5 5
   when: ansible_distribution == 'Ubuntu'
6 6
   tags:
@@ -28,14 +28,13 @@
28 28
     - htop
29 29
     - iftop
30 30
     - iotop
31
+    - molly-guard
31 32
     - mosh
32 33
     - python-software-properties
33 34
     - ruby
34 35
     - screen
35 36
     - sudo
36
-    - update-notifier-common
37 37
     - unattended-upgrades
38
-    - molly-guard
39 38
     - vim
40 39
     - zsh
41 40
   tags:
@@ -49,33 +48,10 @@
49 48
 
50 49
 - name: Reconfigure tzdata
51 50
   action: command dpkg-reconfigure -f noninteractive tzdata
52
-  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
53 51
 
54 52
 - name: Apticron email configuration
55 53
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
56 54
 
57
-- name: Disable default Apache site
58
-  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
59
-  notify: restart apache
60
-
61
-- name: Enable Apache headers module
62
-  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
63
-  notify: restart apache
64
-
65
-- name: Set ServerName for Apache
66
-  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
67
-  notify: restart apache
68
-  when: ansible_distribution_release != 'trusty'
69
-
70
-- name: Create ServerName configuration file for Apache for Ubuntu Trusty
71
-  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
72
-  when: ansible_distribution_release == 'trusty'
73
-
74
-- name: Set ServerName for Apache for Ubuntu Trusty
75
-  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
76
-  notify: restart apache
77
-  when: ansible_distribution_release == 'trusty'
78
-
79 55
 - name: Create decrypted directory (even if encfs isn't used)
80 56
   file: state=directory path=/decrypted
81 57
 
@@ -84,11 +60,9 @@
84 60
 
85 61
 - include: encfs.yml tags=encfs
86 62
 - include: users.yml tags=users
63
+- include: apache.yml tags=apache
87 64
 - include: ssl.yml tags=ssl
88 65
 - include: ufw.yml tags=ufw
89 66
 - include: security.yml tags=security
90 67
 - include: ntp.yml tags=ntp
91 68
 - include: google_auth.yml tags=google_auth
92
-  when: ansible_distribution_release != 'trusty'
93
-- include: google_auth_mod.yml tags=google_auth
94
-  when: ansible_distribution_release == 'trusty'

Loading…
取消
儲存