Verified Commit 8f72f658 authored by Todor Kondic's avatar Todor Kondic

Complete access/authentication mechanism

parent c0c932d7
# GDM configuration storage
#
# See /usr/share/gdm/gdm.schemas for a list of available options.
[daemon]
# Uncomment the line below to force the login screen to use Xorg
#WaylandEnable=false
# Enabling automatic login
# AutomaticLoginEnable = true
# AutomaticLogin = user1
# Enabling timed login
# TimedLoginEnable = true
# TimedLogin = user1
# TimedLoginDelay = 10
[security]
AllowRemoteRoot=true
DisallowTCP=false
[xdmcp]
Enable=true
MaxSessions=30
[chooser]
[debug]
# Uncomment the line below to turn on debugging
# More verbose logs
# Additionally lets the X server dump core if it crashes
#Enable=true
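Review bot: `AllowRemoteRoot=true` under `[security]` lets the XDMCP-served greeter accept a root login, and the xinetd Xvnc service in this commit (`-query localhost`) exposes that greeter to any VNC client that reaches port 5950; unless a graphical root session is actually required, `AllowRemoteRoot=false` with sudo through the `item.sudo` users is the safer default. `DisallowTCP=false` separately makes the X server listen on TCP, which the local XDMCP handshake does not obviously need — I would confirm it is required and otherwise leave it at the default. The `[xdmcp]` stanza also deserves a comment stating its intended reach, e.g. `# XDMCP is consumed only by the local Xvnc (-query localhost); do not expose UDP 177 beyond this host`.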
service vncserver
{
disable = no
type = unlisted
port = 5950
socket_type = stream
protocol = tcp
group = tty
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -inetd -query localhost -once -fp /usr/share/X11/fonts/misc -securitytypes=X509None -X509Key=/etc/custom-vnc/key.vnc.pem -X509Cert=/etc/custom-vnc/cert.vnc.pem
}
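Review bot: `-securitytypes=X509None` means TLS on the wire but no VNC-level authentication; every login attempt is delegated to the GDM greeter reached over XDMCP, so the greeter's own policy (see `AllowRemoteRoot` in custom.conf) is the only gate. Because the service runs as `user = nobody`, Xvnc must be able to read `/etc/custom-vnc/key.vnc.pem`, which in practice leaves the private key readable by the shared `nobody` account; a dedicated service user (and a `0600`/`0640` mode on the key) would narrow that. I do not see a task in this commit that deploys the key/cert pair or sets its mode, so the file permissions are presumably handled elsewhere — worth confirming. A short header comment would help the next reader: `# TLS-only VNC (X509None): no VNC password; authentication happens in the GDM greeter via XDMCP on localhost`.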
......@@ -3,3 +3,5 @@ alien-one ansible_host=188.166.115.156
[planb:vars]
ansible_python_interpreter=/usr/bin/python3
vault_password_file=meta/zubizareta
become=root
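Review bot: `vault_password_file=meta/zubizareta` and `become=root` in `[planb:vars]` are plain inventory host variables, not Ansible settings, so as written they appear to be inert: the vault password file is taken from `ansible.cfg` (`[defaults]` `vault_password_file = …`) or `--vault-password-file`, and privilege escalation from inventory is expressed with `ansible_become` / `ansible_become_user` (the play already sets `become` itself). The path also reads as a file inside the repository; if `meta/zubizareta` is tracked, the encrypted `vars/passwords.yml` added in this commit is protected by a key that ships next to it — please confirm it is git-ignored and document that in a comment, e.g. `# vault key lives in meta/zubizareta (untracked); configured in ansible.cfg, not here`. The hunk header says 5 new lines but only 4 are visible, so the end of this hunk may be cut off.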
- hosts: planb
become: true
become: True
vars_files:
- vars/users.yml
- vars/passwords.yml
pre_tasks:
- name: Update repositories
apt: update_cache=yes
changed_when: False
tasks:
- name: Set hostname.
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
- include: tasks/apt.yml
- include: tasks/users.yml
- include: tasks/ufw.yml
handlers:
- name: Restart xinetd.
command: systemctl restart xinetd
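Review bot: The new `become: True` should stay lowercase `true` as it was — both parse as a boolean under YAML 1.1, but `True` trips yamllint's `truthy` rule and is the odd one out in this file (`become: true`, `changed_when: False` are already inconsistent). The `Restart xinetd.` handler shells out via `command: systemctl restart xinetd`, which is never idempotent-aware and bypasses check mode; `ansible.builtin.systemd:` / `name: xinetd` / `state: restarted` is the module-native form. `apt: update_cache=yes` uses the legacy key=value argument form; `ansible.builtin.apt:` with `update_cache: true` matches the `ansible.builtin.hostname` task a few lines above.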
......@@ -8,8 +8,12 @@
'wget',
'gzip',
'atop',
'git' ]
tags: upd-pack
'git',
'ufw',
'xfce4',
'gdm3',
'xinetd',]
tags: apt
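Review bot: The package list ends in `'xinetd',]` — a trailing comma inside a flow sequence is accepted by PyYAML but is easy to break and hard to diff, and the list is now long enough that it should be a block sequence, one `- 'name'` entry per line (the start of the list, and the task header, are outside this hunk). The added `gdm3` package turns on a graphical login at boot on what the inventory presents as a remote host; a one-line comment above the list naming why the desktop stack is installed (it backs the Xvnc/XDMCP greeter added elsewhere in this commit) would spare the next reader a search, e.g. `# xfce4/gdm3/xinetd provide the XDMCP greeter served through Xvnc on port 5950`.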
- ufw:
state: enabled
# policy: allow
# Set logging
- ufw:
logging: on
# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
rule: deny
port: auth
log: yes
# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- ufw:
rule: limit
port: '22'
proto: tcp
# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
# - ufw:
# rule: allow
# name: OpenSSH
# Allow vnc.
- ufw:
rule: allow
port: '5950'
proto: tcp
# Allow all access to tcp port 80:
- ufw:
rule: allow
port: '80'
proto: tcp
# Allow all access from RFC1918 networks to this host:
- ufw:
rule: allow
src: '{{ item }}'
with_items:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
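Review bot: The `Allow vnc.` task opens `5950/tcp` to every source without the `limit` treatment that `22/tcp` gets a few lines earlier, yet 5950 fronts a password prompt (the GDM greeter behind Xvnc with `X509None`, no VNC-level auth); `rule: limit` / `port: '5950'` / `proto: tcp`, or a `src:` restriction like the RFC1918 task at the end, would give it the same brute-force protection. `state: enabled` is the first task, before any allow rule exists — an established SSH session normally survives, but a reconnect during the run would be refused, so enabling ufw as the last task is the conventional order. `logging: on` is a YAML 1.1 boolean before the `ufw` module sees it (Ansible maps it back to a choice, but only by coincidence of the choice names) and `log: yes` is the same pattern; quote `'on'` and write `log: true`.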
......@@ -9,6 +9,8 @@
comment: "{{ item.name }}"
groups: adm , cdrom , dip , plugdev , scratch
generate_ssh_key: yes
shell: /bin/bash
password: "{{ passwords[item.login] | password_hash('sha512') }}"
update_password: on_create
loop: "{{ users }}"
when: not item.sudo
......@@ -19,6 +21,8 @@
comment: "{{ item.name }}"
generate_ssh_key: yes
groups: sudo , adm , cdrom , dip , plugdev , scratch
shell: /bin/bash
password: "{{ passwords[item.login] | password_hash('sha512') }}"
update_password: on_create
loop: "{{ users }}"
when: item.sudo
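Review bot: `when: not item.sudo` (first hunk) and `when: item.sudo` (this hunk) raise an undefined-attribute error for any entry in `vars/users.yml` that has no `sudo` key; `when: not (item.sudo | default(false))` and `when: item.sudo | default(false)` make the absence mean "not sudo" explicitly. The new `password: … | password_hash('sha512')` produces a different salt on every run, so only the accompanying `update_password: on_create` keeps existing accounts from churning (and from having their passwords silently reset); that interplay is worth a comment, e.g. `# hash is re-salted each run; on_create ensures an existing password is never overwritten`. `groups: adm , cdrom , dip , …` relies on the user module stripping the spaces around each comma — a YAML list would remove the doubt — and `generate_ssh_key: yes` should be `true`. Both hunks share these points; the enclosing tasks start outside the hunks.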
......
- name: Copy gdm3 config files.
ansible.builtin.copy:
src: /files/etc/gdm3/custom.conf
dest: /etc/gdm3/custom.conf
owner: root
group: root
mode: '0644'
- name: Copy xinetd config files.
ansible.builtin.copy:
src: /files/etc/xinetd.d/vncserver
dest: /etc/xinetd.d/vncserver
owner: root
group: root
mode: '0644'
notify:
- Restart xinetd.
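Review bot: `src: /files/etc/gdm3/custom.conf` and `src: /files/etc/xinetd.d/vncserver` are absolute controller paths because of the leading `/`; `ansible.builtin.copy` resolves a relative `src` against the play's `files/` directory, so unless `/files` really exists at the filesystem root these should read `src: etc/gdm3/custom.conf` and `src: etc/xinetd.d/vncserver`. The gdm3 task has no `notify`, so a changed `custom.conf` only takes effect at the next gdm3 restart; if that is deliberate (restarting gdm kills active sessions), say so with a comment such as `# no notify: gdm3 picks up custom.conf on its next restart; restarting here would drop live sessions`. The xinetd service file references `/etc/custom-vnc/key.vnc.pem` and `cert.vnc.pem`, which no visible task deploys — presumably handled elsewhere, but worth confirming.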
$ANSIBLE_VAULT;1.1;AES256
64386164623735383434343330326637343837653966623066343061626364323139636334346136
3537663335626461623833333234623134306632623461360a313462656433346537636365393162
34646334623631626262616666663364616537653561313337313965373337396163666231616638
3762383834343832350a643164306564303564663033386637323864333866303538356532303963
35323138616336323632643238303864333535333564346133633539663363303330653233323865
63613332633564303461656234663336623364346532313631366234653535383664646533333265
656236343134316264376165323235333838