Mac Ansible management example
---
# Marker for one-time setup (used by "Setup Dock" further down). The file is
# the log that the ansible-pull cron wrapper at the end of this playbook
# appends to, so the marker only exists once that job has run at least once.
- name: Check if Previously Run
  register: ansible_logfile
  stat:
    path: '/var/log/ansible.log'
# `filevault` is not a builtin Ansible module; presumably a custom module shipped
# alongside this playbook — confirm it is on the library path before relying on it.
# NOTE(review): `become_user` on its own does not escalate privileges; this (and
# every other `become_user: root` below) assumes `become: true` is set at play
# level, which is not visible here.
- name: Enable FileVault2
  filevault: enabled=true
  become_user: root
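- name: Install Brew
  # NOTE(review): the whole block runs as root, but Homebrew's own installer
  # refuses to run as root — confirm brew_install.sh drops privileges, or move
  # become_user off this block. Assumes `become: true` is set at play level.
  become_user: root
  block:
    - name: Verify Brew installation status
      stat:
        path: /usr/local/bin/brew
      register: brew

    - name: Install Brew
      script: brew_install.sh
      when: not brew.stat.exists

    - name: Disable Homebrew analytics
      command: brew analytics off

    # `;` and `sleep 1` are shell syntax. The `command` module does not go
    # through a shell, so they would have been handed to killall as literal
    # arguments; `shell` runs the line as written.
    - name: Close system preferences
      shell: killall "System Preferences" ; sleep 1
      register: command_result
      # killall exits non-zero when no matching process exists, so a zero
      # exit code is the only case in which something was actually closed.
      changed_when: command_result.rc == 0
      # Nothing to close is the normal case and must not fail the play.
      failed_when: false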
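- name: Setup OSX Firewall & Network security settings
  # Every task in this block writes system-wide preferences; root is set once
  # here instead of on each nested block. Assumes `become: true` at play level.
  become_user: root
  block:
    - name: Enable Firewall
      command: defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true

    - name: Enable Stealth Mode
      block:
        - name: Verify Stealth Mode Status
          command: defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled
          register: firewall_stealth_enabled
          # Read-only probe: never "changed", and a missing key (fresh install)
          # must not abort the play — an empty stdout then triggers the write.
          changed_when: false
          failed_when: false
        - name: Enable Stealth Mode
          command: defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
          # The registered variable is a result dict; the original `!= 1`
          # compared the whole dict and was always true.
          when: firewall_stealth_enabled.stdout != '1'

    - name: Enable network whitelisting for Apple-signed apps
      block:
        - name: Verify network whitelist for Apple-signed apps
          command: defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled
          register: firewall_signed_apps
          changed_when: false
          failed_when: false
        # NOTE(review): despite the task name, the write below sets
        # allowsignedenabled to false (signed apps are no longer auto-allowed
        # through the firewall). The condition is aligned with that write so the
        # task converges; the original `!= 1` compared the result dict, and even
        # against stdout it would re-run while the value is already 0 and skip
        # while it is 1 — the opposite of what the write produces. Confirm the
        # intended direction and rename the task accordingly.
        - name: Enable network whitelisting for Apple-signed apps
          command: defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
          when: firewall_signed_apps.stdout != '0'

    - name: Disable Multicast Advertisements
      command: defaults -currentHost write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

    - name: Disable captive portals
      command: defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false

    - name: Disable print sharing
      command: cupsctl --no-share-printers

    # NOTE(review): no /Library path here, so as root this writes root's own
    # preference domain — confirm it reaches the actual user accounts.
    - name: Disable Airdrop
      command: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true

    # NOTE(review): NSGlobalDomain as root is root's global domain, not the
    # users' — same caveat as Airdrop above.
    - name: Disable iCloud drive
      command: bash -c 'defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false'

    - name: Disable Apple Push notifications
      command: bash -c 'launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist'

    - name: Disable Remote Login
      block:
        - name: Verify Remote Login status
          # Output looks like "Remote Login: Off"; keep the third word.
          command: bash -c "systemsetup -getremotelogin | awk '{print $3}'"
          register: disable_remote_login
          changed_when: false
          # Best-effort probe: a failure yields an empty stdout and skips the write.
          failed_when: false
        - name: Disable Remote Login
          command: bash -c "systemsetup -f -setremotelogin off"
          when: disable_remote_login.stdout == 'On'

    - name: Disable Remote Apple Events
      block:
        - name: Verify Remote Apple Events status
          # Output looks like "Remote Apple Events: Off"; keep the fourth word.
          command: bash -c "systemsetup -getremoteappleevents | awk '{print $4}'"
          register: remote_events
          changed_when: false
        - name: Disable Remote Apple Events
          command: systemsetup -setremoteappleevents off
          when: remote_events.stdout == 'On'

    - name: Disable Internet sharing
      block:
        - name: Determine if internet sharing has been configured
          stat:
            path: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
          register: internet_sharing_config
        - name: Verify Internet Sharing status
          command: bash -c "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'"
          register: internet_sharing
          # `grep -c` exits 1 when nothing matches; that is the "disabled"
          # answer, not an error.
          changed_when: false
          failed_when: false
          when: internet_sharing_config.stat.exists
        - name: Disable Internet Sharing
          command: bash -c "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"
          # Jinja `and` short-circuits, so `internet_sharing.stdout` is only
          # evaluated when the probe above actually ran (it is skipped otherwise
          # and has no stdout).
          when: internet_sharing_config.stat.exists and internet_sharing.stdout == '1'
          # Deliberate best-effort in the original; kept.
          ignore_errors: true

    - name: Disable Wake-on-LAN
      block:
        - name: Verify Wake-on-LAN status
          # The original was missing the leading `-` on the verb, so
          # systemsetup printed usage instead of the setting.
          # Output looks like "Wake On Network Access: Off"; keep the fifth word.
          command: bash -c "systemsetup -getwakeonnetworkaccess | awk '{print $5}'"
          register: wol_disabled
          changed_when: false
        - name: Disable Wake-on-LAN
          command: systemsetup -setwakeonnetworkaccess off
          when: wol_disabled.stdout == 'On'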
# Apple won't let us have nice things
#- name: Destroy Filevault key on standby
# block:
# - name: Verify Filevault key on standby status
# command: bash -c "pmset -g | grep hibernatemode | awk '{print $2}'"
# register: pmset_hibernate
# - name: Destroy Filevault key on standby
# command: bash -c 'pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0'
# when: pmset_hibernate.stdout != '25'
# become_user: root
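- name: Enable Automatic System Updates
  become_user: root
  block:
    - name: Verify automatic system updates
      # The pipe needs a shell: under `command` the `| grep …` part would be
      # passed to softwareupdate as literal arguments.
      shell: softwareupdate --schedule | grep -i 'Automatic check is on'
      register: software_updates_enabled
      # grep exits 1 when the check is off; that is the answer, not a failure.
      changed_when: false
      failed_when: false
    - name: Enable automatic system updates
      command: softwareupdate --schedule on
      # The original compared the result dict to 0 (always true); the grep
      # exit code is the actual signal.
      when: software_updates_enabled.rc != 0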
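- name: Activate screensaver/lock after 5 minutes
  become_user: root
  block:
    # Apple totally broke this and replaced it with nothing:
    # https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2
    # - name: Require password to wake from sleep
    #   block:
    #     - name: Verify requirement of password to wake from sleep
    #       command: defaults read com.apple.screensaver askForPassword
    #       register: screen_saver_password
    #     - name: Require password to wake from sleep
    #       command: defaults write com.apple.screensaver askForPassword -bool true
    #       when: screen_saver_password.stdout != 1

    # NOTE(review): this runs as root, so `-currentHost` targets root's ByHost
    # preferences rather than the users' — confirm it has the intended effect.
    - name: Remove delay if screen_saver_delay < 0
      command: defaults -currentHost write com.apple.screensaver askForPasswordDelay -bool false

    # Prints one line per home directory: 1 = idle timeout is 0 (never) or
    # above 5 minutes, 0 = fine or no per-host screensaver plist.
    - name: Verify status of screensaver lock
      register: ss_idle_timer
      changed_when: false
      args:
        executable: /bin/bash
      shell: |
        UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/')
        # A glob instead of word-splitting `find` output copes with home
        # directories that contain spaces.
        for home in /Users/*/; do
          PREF="${home%/}/Library/Preferences/ByHost/com.apple.screensaver.$UUID"
          if [ -e "$PREF.plist" ]; then
            # A missing idleTime key is treated as 0 (no lock) so it gets fixed
            # instead of crashing the numeric test on an empty string.
            TIMEOUT=$(defaults read "$PREF.plist" idleTime 2>/dev/null || echo 0)
            if [ "$TIMEOUT" -eq 0 ] || [ "$TIMEOUT" -gt 300 ]; then
              echo 1
            fi
          else
            echo 0
          fi
        done

    - name: Enable screensaver lock after 5 minutes
      args:
        executable: /bin/bash
      shell: |
        UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/')
        for home in /Users/*/; do
          PREF="${home%/}/Library/Preferences/ByHost/com.apple.screensaver.$UUID"
          if [ -e "$PREF.plist" ]; then
            defaults -currentHost write "$PREF.plist" idleTime -int 300
          fi
        done
      # The registered result dict is always truthy (the original `when:
      # ss_idle_timer` ran unconditionally); act on the probe's output instead.
      when: "'1' in ss_idle_timer.stdout_lines"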
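- name: Enable Logging for the operating system.
  become_user: root
  block:
    - name: Verify logging is enabled for the operating system
      command: defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled
      register: logging_enabled
      # Read-only probe: never "changed", and a missing key must not abort the
      # play — an empty stdout then triggers the write below.
      changed_when: false
      failed_when: false
    - name: Enable logging for the operating system
      command: defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true
      when: logging_enabled.stdout != "1"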
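- name: Enable Gatekeeper Protection
  become_user: root
  block:
    - name: Verify Gatekeeper protection status
      # `spctl --status` reports "assessments enabled" / "assessments disabled";
      # keep the second word.
      command: bash -c "spctl --status | awk '{print $2}'"
      register: gatekeeper_protection
      changed_when: false
    - name: Enable Gatekeeper protection
      command: bash -c "spctl --master-enable"
      # Compare the command output, not the result dict (the original
      # `gatekeeper_protection != 'enabled'` was always true).
      when: gatekeeper_protection.stdout != 'enabled'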
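- name: Disable IR Receiver
  become_user: root
  block:
    - name: Verify IR receiver status
      command: defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled
      register: ir_disable
      changed_when: false
      # The key (like the IR hardware) is absent on many Macs; a failed read
      # must not abort the play — an empty stdout simply skips the write.
      failed_when: false
    - name: Disable IR receiver
      command: defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false
      # Compare the command output, not the result dict (the original
      # `ir_disable == 1` could never be true, so the receiver stayed enabled).
      when: ir_disable.stdout == '1'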
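- name: Require administrator password system-wide
  become_user: root
  # Round-trips the system.preferences authorization right through PlistBuddy
  # to clear its `shared` flag. The scratch file is created with mktemp rather
  # than at a fixed, predictable path under /tmp: this runs as root, and a
  # pre-placed file or symlink at a fixed name would be followed on write.
  shell: |
    set -euo pipefail
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    security authorizationdb read system.preferences > "$tmp"
    /usr/libexec/PlistBuddy -c "Set :shared false" "$tmp"
    security authorizationdb write system.preferences < "$tmp"
  args:
    executable: /bin/bash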
# GUI applications via Homebrew casks; the taps have to exist before
# homebrew_cask can resolve the names.
- name: Install Software
  block:
    - name: Ensure Homebrew Taps.
      homebrew_tap:
        name:
          - 'homebrew/cask'
          - 'homebrew/cask-drivers'

    - name: Install casks.
      homebrew_cask:
        name:
          - 'chromium'
          - 'thunderbird'
          - 'yubico-yubikey-manager'
          - 'yubico-authenticator'
          - 'iterm2'
          - 'vlc'
          - 'libreoffice'
          - 'qtpass'
          - 'element'
          - 'gimp'
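- name: Install Homebrew Packages
  block:
    - name: Install primary packages
      homebrew:
        # `diffutils` was listed twice in the original; the duplicate is dropped.
        name:
          - git
          - gnupg
          - pass
          - node
          - go
          - watchman
          - nvm
          - grunt
          - grunt-cli
          - curl
          - tmux
          - rsync
          - binutils
          - diffutils
          - findutils
          - coreutils
          - gnu-indent
          - gnu-sed
          - gnu-tar
          - gnu-which
          - gnutls
          - gawk
          - grep
          - watch
          - pv
          - wdiff
          - wget
          - ed
          - htop
          - vim
          - jq
          - ykman
          - ykpers
          - pinentry
          - pinentry-mac
          - swig
          - python
          - cmake
          - python3
          - libu2f-host
          - libusb
          - dockutil

    # Forces gnupg's binaries into /usr/local/bin even when another formula
    # already owns some of the links. Best-effort by design (the original
    # ignored errors); a failure here is not worth aborting the run.
    - name: Link gnupg package
      homebrew:
        name: gnupg
        state: linked
        install_options: overwrite
      ignore_errors: true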
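# One-time dock layout: only runs before the first ansible-pull cron run has
# written /var/log/ansible.log (see "Check if Previously Run").
- name: Setup Dock
  tags: [dock]
  when: not ansible_logfile.stat.exists
  vars:
    # Consumed by the `dock` role included below.
    dock_apps:
      - name: Chromium
        path: /Applications/Chromium.app
      - name: Riot
        path: /Applications/Element.app
      - name: Thunderbird
        path: /Applications/Thunderbird.app
      - name: iTerm
        path: /Applications/iTerm.app
      - name: Yubico Authenticator
        path: /Applications/Yubico Authenticator.app
      - name: VLC
        path: /Applications/VLC.app
      - name: Gimp
        path: /Applications/Gimp.app
      - name: LibreOffice
        path: /Applications/LibreOffice.app
      - name: QtPass
        path: /Applications/QtPass.app
  block:
    - name: Removed discouraged items from dock
      # No shell features are needed, so `command` avoids handing a templated
      # value to a shell; the quotes keep multi-word names as one argument.
      command: dockutil --no-restart --remove '{{ item }}'
      with_items:
        - Siri
        - Launchpad
        - Mail
        - Safari
        - Contacts
        - Reminders
        - Maps
        - Photos
        - Messages
        - FaceTime
        - iTunes
        - iBooks
        - System Preferences
        - Calendar

    - name: Add items to dock
      include_role:
        name: dock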
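- name: Shell Configuration
  # No become on this block, so everything lands in the connecting user's home.
  # NOTE(review): `$HOME` is left to the module to expand on the target (path-
  # typed arguments are run through expandvars) — confirm, or switch to
  # `{{ ansible_env.HOME }}` to make the intent explicit.
  block:
    - name: Ensure gnupg home directory exists
      file:
        path: "$HOME/.gnupg"
        state: directory
        # gpg warns about (and may refuse) a homedir readable by others.
        mode: "0700"

    - name: Set pinentry-mac to default gpg pinentry
      lineinfile:
        create: true
        path: "$HOME/.gnupg/gpg-agent.conf"
        line: "pinentry-program /usr/local/bin/pinentry-mac"

    - name: Put python packages in $PATH
      lineinfile:
        create: true
        path: "$HOME/.bash_profile"
        line: "PATH=$HOME/Library/Python/2.7/bin:$PATH"

    - name: add .local/bin to $PATH
      lineinfile:
        create: true
        path: "$HOME/.bash_profile"
        # The original repeated the Python line above verbatim, so ~/.local/bin
        # never actually made it into PATH.
        line: "PATH=$HOME/.local/bin:$PATH"

    # Appends a managed block that (re)starts gpg-agent with SSH support when
    # no agent socket exists, then sources the env file it wrote.
    - name: Setup gpg-agent for ssh use
      blockinfile:
        path: "$HOME/.bash_profile"
        insertafter: EOF
        state: present
        content: |
          envfile="$HOME/.gnupg/gpg-agent.env"
          if ( [[ ! -e "$HOME/.gnupg/S.gpg-agent" ]] && \
               [[ ! -e "/var/run/user/$(id -u)/gnupg/S.gpg-agent" ]] );
          then
            killall pinentry > /dev/null 2>&1
            gpgconf --reload scdaemon > /dev/null 2>&1
            pkill -x -INT gpg-agent > /dev/null 2>&1
            gpg-agent --daemon --enable-ssh-support > $envfile
          fi
          # Wake up smartcard to avoid races
          gpg --card-status > /dev/null 2>&1
          source "$envfile"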
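- name: Automatically Update/Run Ansible from Git
  # Everything here lands in root-owned locations; assumes `become: true` at
  # play level.
  become_user: root
  block:
    # These public keys are what `ansible-pull --verify-commit` (in the cron
    # wrapper below) checks commit signatures against, so this directory is the
    # trust root for every future unattended run.
    - name: Install trusted author PGP keys
      block:
        - name: Copy author public keys
          copy:
            src: "keys/pgp/{{ item }}.key"
            dest: /usr/local/etc/ansible/keys/authors/
          with_items:
            - lance
            - cyrus
            - vittorio

        - name: Ensure ansible-pull keyring directory exists
          file:
            path: /usr/local/etc/ansible/keys/gnupg
            state: directory
            # gpg warns about a homedir that others can read.
            mode: "0700"

        - name: Import author keys into the ansible-pull keyring
          shell: |
            GNUPGHOME=/usr/local/etc/ansible/keys/gnupg \
            gpg --import /usr/local/etc/ansible/keys/authors/*.key
          args:
            executable: /bin/bash

    # Sourced by the cron wrapper. GNUPGHOME must point at the keyring above,
    # otherwise --verify-commit has nothing to verify against.
    - name: Install ansible-pull config
      copy:
        dest: /usr/local/etc/ansible/ansible-pull.env
        content: |
          GIT_REPO=git@github.com:your-repo/workstations.git
          GIT_BRANCH=master
          GIT_PATH=/usr/local/etc/ansible/repos/workstation-config
          GIT_PRIVATE_KEY_PATH=/usr/local/etc/ansible/ansible-pull.key
          PLAYBOOK_FILE=main.yml
          KEY_FILE=/usr/local/etc/ansible/ansible-pull.key
          GNUPGHOME=/usr/local/etc/ansible/keys/gnupg/
          SUDO_USER={{ ansible_user_id }}

    # NOTE(review): the pipe lookup runs on the controller at playbook time and
    # pins whatever key GitHub presents then (trust-on-first-use). Pinning the
    # fingerprint GitHub publishes instead removes that window.
    - name: Ensure github.com is a known host
      lineinfile:
        dest: /var/root/.ssh/known_hosts
        create: true
        state: present
        line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
        regexp: "^github\\.com"

    # NOTE(review): the key body is a placeholder here; in a real repository
    # feed it in from a vault-encrypted variable or a lookup rather than
    # committing private key material alongside the playbook.
    - name: Install ansible-pull read-only private key
      copy:
        mode: "0400"
        dest: /usr/local/etc/ansible/ansible-pull.key
        content: |
          -----BEGIN EC PRIVATE KEY-----
          your-deploy-key-here
          -----END EC PRIVATE KEY-----

    - name: Install ansible-pull as cron job
      block:
        - name: Install ansible-pull wrapper script
          copy:
            dest: /usr/local/bin/ansible-pull.sh
            # Explicit mode instead of "a+x", whose base permissions depended
            # on the umask of the run that created the file.
            mode: "0755"
            content: |
              #!/bin/bash
              source /etc/profile
              # `set -a` exports every assignment in the env file; the previous
              # `export $(cat … | xargs)` split any value containing spaces.
              set -a
              source /usr/local/etc/ansible/ansible-pull.env
              set +a
              /usr/local/bin/ansible-pull \
                -U "$GIT_REPO" \
                -C "$GIT_BRANCH" \
                -d "$GIT_PATH" \
                -i 'localhost,' \
                --verify-commit \
                --key-file "$GIT_PRIVATE_KEY_PATH" \
                "$PLAYBOOK_FILE" >> /var/log/ansible.log 2>&1

        - name: Schedule ansible-pull
          cron:
            name: "run ansible-pull"
            minute: "0"
            hour: "13"
            user: root
            job: /usr/local/bin/ansible-pull.sh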