In this specific case, you can just add additional 'AllowGroups' lines in the ssh config. Just something I ran into last week as well... All the different AllowGroups (and AllowUsers, DenyGroups, DenyUsers) lines are appended, so there is no need to add entries to an existing line.

I just have a template now, with some conditionals based on what roles/groups a server is in.

On Tue, Jan 20, 2015 at 11:44 PM, Magnus boden <[email protected]> wrote:

> Hello,
>
> After a lot of fiddling around I found a way to do it. I was also after a
> way to handle AllowGroups in sshd_config, one that shouldn't remove
> other groups in the line but just make sure to add the new ones.
>
> The first one registers the current AllowGroups in a variable which is
> used by the later tasks.
> The second one adds the AllowGroups line if it doesn't exist at all (the
> regexp line will never do that).
> The last one adds all the groups in the with_items: [ 'root', 'admins' ]
> array.
>
> Hope someone can save a few hours' work figuring this out.
>
> I only joined here to give you the answer. If you have any questions, email
> me at magnus(at)boden.cx
>
> Regards
> Magnus
>
>     # Ansible complains if grep fails, so also match something that is
>     # always there (Port)
>     - name: SSH groups
>       shell: 'cat /etc/ssh/sshd_config | egrep "(Port|AllowGroups)"'
>       register: ssh_groups
>
>     # Add the line if it doesn't exist; the groups are filled in below
>     - name: SSH configure AllowGroups
>       lineinfile: dest=/etc/ssh/sshd_config line="AllowGroups"
>       when: ssh_groups.stdout is defined and ssh_groups.stdout.find("AllowGroups") == -1
>       notify:
>         - restart ssh
>
>     # \s* rather than \s+ so the bare "AllowGroups" line created above also matches
>     - name: SSH configure AllowGroups
>       lineinfile: dest=/etc/ssh/sshd_config regexp="^\s*AllowGroups\s*(.*)$" line="AllowGroups {{ item }} \1" backrefs=yes
>       when: ssh_groups.stdout is defined and ssh_groups.stdout.find(item) == -1
>       with_items: [ 'root', 'admins' ]
>       notify:
>         - restart ssh
>
> On Saturday, April 5, 2014 at 4:02:59 PM UTC+2, Antonio Marin wrote:
>>
>> Hello,
>>
>> I'm trying to create a lineinfile task to append a word in a line, when
>> it's not present, like the following:
>>
>>     # The line should start with AllowGroups
>>     # Follows an unknown length sequence of "\s\w+"
>>     # It's possible to find groupN within the previous sequence, in which
>>     # case the task should return ok
>>     # If groupN is not present, the result will be AllowGroups, followed by
>>     # the existing sequence, followed by " groupN"
>>     - name: Add group to ssh allowed
>>       lineinfile: backrefs=yes
>>                   dest=/etc/ssh/sshd_config
>>                   regex='^AllowGroups(.*)(?! groupN)(.*)'
>>                   line='AllowGroups\\1\\3 groupN'
>>                   state=present
>>
>> I have tried several approaches but none have been successful.
>>
>> I would appreciate any light on how to achieve it.
>>
>> BR,
>> Tony
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/9605fd79-3f55-4870-9408-b9a8dd1566b2%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

--
Mark Janssen -- maniac(at)maniac.nl
Unix / Linux Open-Source and Internet Consultant
Maniac.nl Sig-IO.nl Vps.Stoned-IT.com
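The whole-token check that the thread's str.find() approach lacks, as an added example (not code from the thread, from Ansible or from OpenSSH): a small Python routine that reads sshd_config text, collects the groups on every active AllowGroups line (sshd appends repeated lines, as noted above), and adds a group only when it is not already present as a whole word. The config fragment and group names are constructed for the example.

```python
import re

# Constructed sshd_config fragment for the example (not from the thread). It has
# a commented-out AllowGroups line, which sshd ignores, and a group "sysadmins"
# that contains the group name "admins" as a substring.
SAMPLE_SSHD_CONFIG = """\
Port 22
#AllowGroups legacy
AllowGroups wheel sysadmins
PermitRootLogin no
"""

# sshd keywords are case-insensitive; \b stops "AllowGroupsFoo" from matching.
ALLOW_GROUPS_RE = re.compile(r"^\s*AllowGroups\b(.*)$", re.IGNORECASE)


def allowed_groups(config_text):
    """Return the groups named on every active AllowGroups line, in order.

    sshd appends the values of repeated AllowGroups lines, so all of them
    count; commented lines never match the regex and are skipped.
    """
    groups = []
    for line in config_text.splitlines():
        m = ALLOW_GROUPS_RE.match(line)
        if m:
            groups.extend(m.group(1).split())
    return groups


def ensure_allow_group(config_text, group):
    """Return config_text with `group` present in AllowGroups (idempotent).

    The membership test is on whole tokens, so "admins" is not mistaken for
    present just because "sysadmins" is, which is what a substring test like
    str.find() would do. If an active AllowGroups line exists the group is
    appended to the first one, keeping the existing groups; otherwise a new
    AllowGroups line is added at the end.
    """
    if group in allowed_groups(config_text):
        return config_text
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if ALLOW_GROUPS_RE.match(line):
            lines[i] = line.rstrip() + " " + group
            break
    else:
        lines.append("AllowGroups " + group)
    return "\n".join(lines) + "\n"
```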
