diff --git a/hosts b/hosts index 68bb0d0..8f0efbc 100644 --- a/hosts +++ b/hosts @@ -106,4 +106,4 @@ file-mbr.mbr-bln.netz ansible_user=root file-mbr.mbr-bln.netz ansible_user=root [samba_server] -#file-mbr.mbr-bln.netz ansible_user=root +file-mbr.mbr-bln.netz ansible_user=root diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml index f3433fd..43737af 100644 --- a/roles/common/tasks/basic.yml +++ b/roles/common/tasks/basic.yml @@ -43,3 +43,26 @@ - etc_systemd_system_conf.stat.exists == true tags: - systemd-nofiles + +- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists + stat: + path: /etc/security/limits.conf.ORIG + register: etc_security_limits_conf_ORIG + tags: + - limits-conf + +- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf' + command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG + when: etc_security_limits_conf_ORIG.stat.exists == False + tags: + - limits-conf + +- name: (basic.yml) Create new sshd_config from template limits.conf.j2 + template: + src: etc/security/limits.conf.j2 + dest: /etc/security/limits.conf + owner: root + group: root + mode: 0644 + tags: + - limits-conf diff --git a/roles/common/templates/etc/security/limits.conf.j2 b/roles/common/templates/etc/security/limits.conf.j2 new file mode 100644 index 0000000..79cc914 --- /dev/null +++ b/roles/common/templates/etc/security/limits.conf.j2 
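Review bot: The template task's name, `(basic.yml) Create new sshd_config from template limits.conf.j2`, is a copy-paste leftover from the sshd task and should read `(basic.yml) Create new limits.conf from template limits.conf.j2`, otherwise the play output misattributes the change. The stat-then-`command: cp -a` pair can be collapsed into one declarative task by giving the command `args: creates: /etc/security/limits.conf.ORIG`, which also reports changed only when the backup is actually taken; if the two-task form is kept, `when: not etc_security_limits_conf_ORIG.stat.exists` is the idiomatic spelling rather than `== False`. `mode: 0644` is accepted by Ansible because of the leading zero, but quoting it as `mode: "0644"` is what ansible-lint expects and avoids the YAML octal-integer surprise.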
@@ -0,0 +1,62 @@ +# {{ ansible_managed }} + +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open file descriptors +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# + +#* soft core 0 +#root hard core 100000 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#ftp - chroot /ftp +#@student - maxlogins 4 + +* - nofile 1048576 +root - nofile 1048576 + + +# End of file diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index bf36834..67cfc8a 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 
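Review bot: `* - nofile 1048576` sets both the soft and the hard open-file limit to 1,048,576 for every PAM session on every host that runs the common role, so any unprivileged login can hold a million descriptors per process and the hard limit no longer bounds fd exhaustion against the kernel-wide fs.file-max. Since the same commit enables the samba_server host this looks intended for the file server; consider keeping a modest default for everyone and raising only what the service needs, e.g. `* soft nofile 65536`, `* hard nofile 1048576`, plus a dedicated entry for the service account (the explicit `root` line is correct, as the header comment says wildcards never apply to root). limits.conf is applied by pam_limits only, so it does not reach services started by systemd, which take `DefaultLimitNOFILE=` from system.conf or `LimitNOFILE=` from the unit — worth a comment above the two entries: `# PAM sessions only; systemd units need LimitNOFILE= / DefaultLimitNOFILE= (see the systemd-nofiles task)`. The header comment also appears to have lost the `<domain> <type> <item> <value>` placeholders after "in the form:" and before the "can be:" lines, unless that is a rendering artifact of this page rather than of the file.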
+++ b/roles/common/templates/etc/ssh/sshd_config.j2 @@ -186,7 +186,7 @@ AllowUsers {{ fact_sshd_allowed_users }} # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM yes +UsePAM {{ sshd_use_pam }} # Specifies whether login(1) is used for interactive login sessions. # Note that login(1) is never used for remote command execution.
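Review bot: `UsePAM {{ sshd_use_pam }}` will render as `UsePAM True`/`UsePAM False` if `sshd_use_pam` is ever defined as a YAML boolean (`sshd_use_pam: yes` is parsed as a boolean by Ansible), which sshd rejects as a bad yes/no argument and, without a `validate:` on the template task, can leave the host with an unloadable sshd_config; rendering it explicitly, `UsePAM {{ 'yes' if sshd_use_pam | bool else 'no' }}`, accepts both string and boolean values. The variable also needs a definition in the role defaults, since an undefined name makes the template task fail rather than silently keep `yes` — failing closed here is fine, but it should be documented next to the default. Note the interaction with the limits.conf added in the same commit: limits.conf is enforced by pam_limits during the PAM session phase, so any host that sets `sshd_use_pam` to `no` will not get those limits for SSH logins, which is exactly the dependency the comment above this line describes. The template task that renders this file is outside the hunk, so I cannot tell whether `validate: /usr/sbin/sshd -t -f %s` is already set.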