2025-06-26-13-33-49: Cronjob

roles/lmn_security/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+security_defaultuser_login_disable: true

roles/lmn_security/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: Reload sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: reloaded
+  when: not run_in_installer|default(false)|bool
+
+- name: Restart polkit
+  ansible.builtin.systemd:
+    name: polkit
+    state: restarted
+  when: not run_in_installer|default(false)|bool

roles/lmn_security/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Deploy SSH keys
+  ansible.posix.authorized_key:
+    user: ansible
+    key: "{{ item }}"
+  loop: "{{ keys2deploy }}"
+  when: keys2deploy is defined
+
+- name: Allow sudo without password for ansible
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers.d/95-lmn-ansible
+    line: 'ansible ALL=(root) NOPASSWD: ALL'
+    create: true
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Disable ansible user login
+  ansible.builtin.user:
+    name: ansible
+    password_lock: true
+  when: security_defaultuser_login_disable
+
+- name: Limit SSH access to user ansible
+  ansible.builtin.blockinfile:
+    dest: /etc/ssh/sshd_config.d/local.conf
+    create: true
+    mode: '0644'
+    block: |
+      PasswordAuthentication no
+      AllowUsers ansible
+  notify: Reload sshd
+
+- name: Deploy sudo configurations
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/90-lmn-security
+    owner: root
+    group: root
+    mode: '0700'
+    content: |
+      {% for user, programs in sudo_permissions.items() %}
+      {{ user }} ALL=(root) NOPASSWD: {% for program in programs %}{{ program }}{% if not loop.last %}, {% endif %}{% endfor %}
+      {% endfor %}
+  when: sudo_permissions is defined
+
+- name: Deploy polkit configurations
+  ansible.builtin.template:
+    src: polkit_rules.j2
+    dest: /etc/polkit-1/rules.d/lmn-security.rules
+    mode: '0644'
+  notify: Restart polkit
+  when: polkit_rules is defined

roles/lmn_security/templates/polkit_rules.j2

@@ -0,0 +1,12 @@
+// /etc/polkit-1/rules.d/lmn-security.rules
+
+polkit.addRule(function(action, subject) {
+{% for group, privlist in polkit_rules.items() %}
+    if (subject.isInGroup("{{ group }}")){
+    {% for priv in privlist %}
+        if (action.id == "{{ priv }}") { return polkit.Result.YES; }
+    {% endfor %}
+    }
+{% endfor %}
+});
+