add ssh role

master
Andrew Wang 1 year ago
parent 49e40893e0
commit 0a26c830f1
  1. 1
      mirror/main.yml
  2. 16
      roles/mirror/tasks/main.yml
  3. 73
      roles/ssh/tasks/main.yml
  4. 18
      roles/ssh/templates/ssh-mirror.service
  5. 70
      roles/ssh/templates/sshd_config
  6. 105
      roles/ssh/templates/sshd_mirror_config
  7. 42
      roles/system/tasks/main.yml

@ -8,4 +8,5 @@
# - "../roles/ftp"
# - "../roles/nginx"
# - "../roles/rsync"
# - "../roles/ssh"
# TODO: - "../roles/mirrormanager"

@ -102,5 +102,17 @@
follow: no
force: yes
# TODO: copy over merlin.service and start/enable service
# this will create /mirror/merlin/run/merlin.sock
- name: copy merlin.service
copy:
src: "{{ role_path }}/templates/mirror/merlin/merlin.service"
dest: "/etc/systemd/system/merlin.service"
owner: root
group: root
mode: "0644"
# - name: start merlin.service
# # merlin is disabled on mirror
# systemd:
# name: merlin
# state: started
# # enabled: yes

@ -0,0 +1,73 @@
# TODO: create second virsh network interface
# for now we will just run the second ssh instance on port 23
- name: copy ssh daemon configs
copy:
src: "{{ role_path }}/templates/{{ item }}"
dest: "/etc/ssh/{{ item }}"
owner: root
group: root
mode: "0644"
loop:
- sshd_config
- sshd_mirror_config
- name: copy ssh-mirror.service
copy:
src: "{{ role_path }}/templates/ssh-mirror.service"
dest: "/etc/systemd/system/ssh-mirror.service"
owner: root
group: root
mode: "0644"
- name: generate keys for sshd
# is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere?
command:
cmd: >
ssh-keygen -q
-t {{ item.type }}
-f /etc/ssh/{{ item.file }}
-N ""
creates: /etc/ssh/{{ item.file }}
loop:
- { file: ssh_host_dsa_key, type: dsa }
- { file: ssh_host_ecdsa_key, type: ecdsa }
- { file: ssh_host_ed25519_key, type: ed25519 }
- { file: ssh_host_rsa_key, type: rsa }
- { file: ssh_mirror_ed25519_key, type: ed25519 }
- { file: ssh_mirror_rsa_key, type: rsa }
- name: create .ssh for mirror and push
file:
path: "/home/{{ item }}/.ssh"
owner: "{{ item }}"
group: "{{ item }}"
mode: "0700"
state: directory
- name: create authorized_keys files for mirror and push
file:
path: "/home/{{ item }}/.ssh/authorized_keys"
owner: "{{ item }}"
group: "{{ item }}"
mode: "0644"
- name: generate key for mirror user
command:
cmd: >
ssh-keygen -q
-t rsa
-f /home/mirror/.ssh/id_rsa
-N ""
creates: /home/mirror/.ssh/id_rsa
- name: start and enable ssh-mirror
systemd:
name: ssh-mirror
state: started
enabled: yes
- name: restart ssh
systemd:
name: ssh
state: restarted

@ -0,0 +1,18 @@
[Unit]
Description=(Mirror) OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_mirror_config -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
SyslogIdentifier=sshd-mirror
Type=notify
[Install]
WantedBy=multi-user.target
Alias=sshd-mirror.service

@ -0,0 +1,70 @@
# Package generated configuration file
# See the sshd(8) manpage for details
# vm does not have multiple ips
#
# # What ports, IPs and protocols we listen for
# ListenAddress 10.15.134.71
# ListenAddress 129.97.134.146
Port 22
# Use only protocol version 2
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication
UsePAM yes
StrictModes yes
PermitRootLogin yes
LoginGraceTime 120
MaxStartups 25:30:100
# password authentication via PAM (single sign-on initial case)
PasswordAuthentication yes
PermitEmptyPasswords no
# keyboard-interactive authentication (like password, works with +needchange)
ChallengeResponseAuthentication yes
# kerberos (single sign-on already authenticated case)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
# public key authentication with authorized_keys
PubkeyAuthentication yes
# no single sign-on via hosts.equiv; we use kerberos
HostbasedAuthentication no
IgnoreRhosts yes
# no builtin kerberos auth with password, we do the same via pam_krb5
KerberosAuthentication no
# allow X forwarding
X11Forwarding yes
X11DisplayOffset 10
# PAM prints these already
PrintMotd no
PrintLastLog no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

@ -0,0 +1,105 @@
# Package generated configuration file
# See the sshd(8) manpage for details
# vm does not have multiple ips
# this instance of sshd listens to port 23
#
# # What ports, IPs and protocols we listen for
# ListenAddress 129.97.134.71
# ListenAddress 2620:101:f000:4901:c5c::f:1055
#
# Port 22
Port 23
# Use only protocol version 2
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_mirror_host_ed25519_key
HostKey /etc/ssh/ssh_mirror_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication
UsePAM yes
StrictModes yes
PermitRootLogin no
LoginGraceTime 120
MaxStartups 25:30:100
# allow password auth
# # password authentication via PAM (single sign-on initial case)
# PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
# keyboard-interactive authentication (like password, works with +needchange)
ChallengeResponseAuthentication no
# kerberos (single sign-on already authenticated case)
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
# public key authentication with authorized_keys
PubkeyAuthentication yes
# no single sign-on via hosts.equiv; we use kerberos
HostbasedAuthentication no
IgnoreRhosts yes
# no builtin kerberos auth with password, we do the same via pam_krb5
KerberosAuthentication no
# allow X forwarding
X11Forwarding no
X11DisplayOffset 10
# PAM prints these already
PrintMotd no
PrintLastLog no
# Allow client to pass locale environment variables
# AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
# Disallow forwarding
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
# Don't execute rc
PermitUserRC no
# Disable TTY (might need to re-enable if needed)
PermitTTY no
# Don't print the last log, pointless in this environment
PrintLastLog no
# UseDNS
# To restrict keys to a certain host
UseDNS yes
# Allow users of the mirror group
AllowGroups push
DenyUsers mirror
# chroot
# we may want this
ChrootDirectory /mirror/merlin
Match group push
AuthorizedKeysFile /home/%u/.ssh/authorized_keys

@ -9,28 +9,23 @@
- { group: syscom, gid: 10001 }
- { group: csc-mirror, gid: 10014 }
- name: create push user
# push home should be /
user:
uid: 1002
name: push
group: push
shell: /bin/sh
create_home: no
- name: create other users
- name: create users
# syscom and csc-mirror homes are on /users
# can login to every user using password
user:
uid: "{{ item.uid }}"
name: "{{ item.user }}"
group: "{{ item.user }}"
shell: /bin/bash
shell: "{{ item.shell }}"
create_home: "{{ item.home }}"
password: "{{ 'password' | password_hash('sha512') }}"
update_password: on_create
loop:
- { user: local, uid: 1000, home: yes }
- { user: mirror, uid: 1001, home: yes }
- { user: syscom, uid: 10001, home: no }
- { user: csc-mirror, uid: 10014, home: no }
- { user: local, uid: 1000, shell: /bin/bash, home: yes }
- { user: mirror, uid: 1001, shell: /bin/bash, home: yes }
- { user: push, uid: 1002, shell: /bin/sh, home: no }
- { user: syscom, uid: 10001, shell: /bin/bash, home: no }
- { user: csc-mirror, uid: 10014, shell: /bin/bash, home: no }
- name: add mirror to push group
user:
@ -38,11 +33,6 @@
groups: push
append: yes
# TODO: ssh to push user should chroot to /mirror/merlin
# mirror does not have entry in sshd_config as would have expected
# why are the file permissions like this?
- name: create /mirror
file:
path: /mirror
@ -68,14 +58,14 @@
mode: "0775"
- name: create zfs mountpoint
# inconsistency: only .cscmirror1 is owned by mirror
# .cscmirror(2|3) is owned by root
# only .cscmirror1 is owned by mirror
# .cscmirror(2|3) are owned by root
file:
path: /mirror/root/.cscmirror
state: directory
owner: mirror
group: mirror
mode: "0755"
state: directory
- name: install zfs
apt:
@ -119,8 +109,4 @@
cscmirror
raidz2
{{ disk_arg }}
when: zpool_exists.rc != 0
# - name: mount zool
# command: zfs mount -a
# when: zpool_exists.rc != 0
when: zpool_exists.rc != 0
Loading…
Cancel
Save