mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-09-22 04:42:02 +02:00
Restrict the users on mail.a.o to the passwd command
The users are only meant as a way to change the mail password and set up forwarding (~/.forward); the latter will be handled by the DevOps team now.
parent
4104404f2d
commit
db2a1bf348
@ -15,7 +15,7 @@
|
||||
- { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
|
||||
- { role: unbound, unbound_port: 5353, tags: ["mail"] }
|
||||
- { role: postfwd, tags: ['mail'] }
|
||||
- { role: archusers }
|
||||
- { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
|
||||
- { role: fail2ban }
|
||||
- { role: prometheus_exporters }
|
||||
- { role: promtail }
|
||||
|
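Review bot: The forced command on the new `archusers` line only binds logins that authenticate with one of the templated keys, while these accounts exist precisely to hold a password. If sshd on this host still accepts password or keyboard-interactive authentication (its configuration is not visible in this change), the `command="/usr/bin/passwd",restrict` limits would not apply to such a login. The mail playbook should therefore also make sure `PasswordAuthentication no` and `KbdInteractiveAuthentication no` are in effect for these users. A comment above the role line would also help the next reader, e.g. `# mail users may only run passwd over SSH; pty is re-enabled after restrict, presumably because passwd prompts on a terminal`.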
@ -1,9 +1,16 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}
|
||||
{% set keys = [item.value.ssh_key] %}
|
||||
{% if item.value.additional_ssh_keys is defined %}
|
||||
{% for key in item.value.additional_ssh_keys %}
|
||||
{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
|
||||
{{ lookup('file', '../pubkeys/' + key.name) }}
|
||||
{{- keys.append(key.name) -}}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for key in keys %}
|
||||
{% if archusers_ssh_options is defined %}
|
||||
{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
|
||||
{% else %}
|
||||
{{ lookup('file', '../pubkeys/' + key) }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
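Review bot: In the `regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1')` line, `archusers_ssh_options` is spliced in as the replacement template, so any backslash in a future value (for example an escaped quote inside `command="..."`) would be interpreted by the regex engine rather than copied literally. The prefix is also applied to every non-blank line of the pubkey file, so a line that already carries options or is a comment becomes an entry sshd is unlikely to parse. Building each line by plain concatenation avoids the first issue: `{% for line in lookup('file', '../pubkeys/' + key).splitlines() if line.strip() %}` followed by `{{ archusers_ssh_options }} {{ line }}`. At minimum, state the constraint in the template, e.g. `{# archusers_ssh_options is used as a regex replacement string: no backslashes; pubkey files must contain bare keys only #}`.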