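---
# Baseline hardening and account provisioning tasks for a Debian-family host
# (the package tasks use the apt module).
#
# Variables consumed: common_packages, os_groups, os_users.
# Handlers notified (defined outside this file): "Update PAM configuration",
# "Restart SSH".
#
# Module arguments are written as native YAML mappings rather than key=value
# strings, so quoting and types are explicit.

# Ships the pam-auth-update profile that enables pam_umask.
# The mode is a quoted octal string: a bare 644 in native YAML would be read
# as a decimal integer and yield the wrong permissions.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    mode: "0644"
    owner: root
    group: root
  notify: Update PAM configuration

# With backrefs enabled, lineinfile leaves the file untouched when the regexp
# does not match. If login.defs has no active UMASK line (for example it is
# commented out), this task reports "ok" and no umask is set.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

# Same backrefs caveat as above: no DIR_MODE= line means no change is made.
- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

- name: Install sudo
  apt:
    name: sudo
    state: present

# The loop variable is templated explicitly; bare variable names in
# with_items are not accepted by current Ansible releases.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ common_packages }}"

- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid }}"
    state: present
  with_items: "{{ os_groups }}"

# Creates one private group per user, reusing the user's uid as the gid.
# no_log keeps the loop item (which carries item.password) out of task output
# and logs.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid }}"
    state: present
  with_items: "{{ os_users }}"
  no_log: true

# The user module expects `password` to be an already-crypted hash, never
# cleartext. NOTE(review): confirm os_users is sourced from an encrypted store
# such as Ansible Vault rather than plain vars in version control.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password }}"
  with_items: "{{ os_users }}"
  no_log: true

# item.0 is the full os_users entry (including its password field), item.1 is
# one public key from that entry's authorized_keys list.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users }}"
    - authorized_keys
  no_log: true

# `validate` runs sshd's config test against the candidate file before it
# replaces sshd_config, so a broken edit cannot lock out remote access.
# /usr/sbin/sshd is the Debian-family path; adjust if the binary lives
# elsewhere.
#
# NOTE(review): the regexp only matches an active directive. If the directive
# is absent or commented out, the line is appended at the end of the file;
# when sshd_config ends with a Match block the appended line becomes scoped to
# that block. Verify the effective setting with `sshd -T` after deployment.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

# Same validation and end-of-file caveat as the PermitRootLogin task. Run this
# only after the authorised keys above are in place, otherwise key-less users
# lose remote access.
- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

# NOTE(review): o+x lets every local account traverse /etc/ssl/private.
# Directory listing stays blocked, but each private key is then protected only
# by its own file mode and ownership. Confirm all key files are 0640 or
# stricter, or prefer granting access through a dedicated group (Debian ships
# ssl-cert for this purpose) instead of "other".
- name: Allow users to traverse directories to TLS private key files
  file:
    path: /etc/ssl/private/
    mode: o+x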