add ssh role
This commit is contained in:
parent
49e40893e0
commit
0a26c830f1
|
@ -8,4 +8,5 @@
|
||||||
# - "../roles/ftp"
|
# - "../roles/ftp"
|
||||||
# - "../roles/nginx"
|
# - "../roles/nginx"
|
||||||
# - "../roles/rsync"
|
# - "../roles/rsync"
|
||||||
|
# - "../roles/ssh"
|
||||||
# TODO: - "../roles/mirrormanager"
|
# TODO: - "../roles/mirrormanager"
|
|
@ -102,5 +102,17 @@
|
||||||
follow: no
|
follow: no
|
||||||
force: yes
|
force: yes
|
||||||
|
|
||||||
# TODO: copy over merlin.service and start/enable service
|
- name: copy merlin.service
|
||||||
# this will create /mirror/merlin/run/merlin.sock
|
copy:
|
||||||
|
src: "{{ role_path }}/templates/mirror/merlin/merlin.service"
|
||||||
|
dest: "/etc/systemd/system/merlin.service"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
# - name: start merlin.service
|
||||||
|
# # merlin is disabled on mirror
|
||||||
|
# systemd:
|
||||||
|
# name: merlin
|
||||||
|
# state: started
|
||||||
|
# # enabled: yes
|
|
@ -0,0 +1,73 @@
|
||||||
|
# TODO: create second virsh network interface
|
||||||
|
# for now we will just run the second ssh instance on port 23
|
||||||
|
|
||||||
|
- name: copy ssh daemon configs
|
||||||
|
copy:
|
||||||
|
src: "{{ role_path }}/templates/{{ item }}"
|
||||||
|
dest: "/etc/ssh/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
loop:
|
||||||
|
- sshd_config
|
||||||
|
- sshd_mirror_config
|
||||||
|
|
||||||
|
- name: copy ssh-mirror.service
|
||||||
|
copy:
|
||||||
|
src: "{{ role_path }}/templates/ssh-mirror.service"
|
||||||
|
dest: "/etc/systemd/system/ssh-mirror.service"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: generate keys for sshd
|
||||||
|
# is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere?
|
||||||
|
command:
|
||||||
|
cmd: >
|
||||||
|
ssh-keygen -q
|
||||||
|
-t {{ item.type }}
|
||||||
|
-f /etc/ssh/{{ item.file }}
|
||||||
|
-N ""
|
||||||
|
creates: /etc/ssh/{{ item.file }}
|
||||||
|
loop:
|
||||||
|
- { file: ssh_host_dsa_key, type: dsa }
|
||||||
|
- { file: ssh_host_ecdsa_key, type: ecdsa }
|
||||||
|
- { file: ssh_host_ed25519_key, type: ed25519 }
|
||||||
|
- { file: ssh_host_rsa_key, type: rsa }
|
||||||
|
- { file: ssh_mirror_ed25519_key, type: ed25519 }
|
||||||
|
- { file: ssh_mirror_rsa_key, type: rsa }
|
||||||
|
|
||||||
|
- name: create .ssh for mirror and push
|
||||||
|
file:
|
||||||
|
path: "/home/{{ item }}/.ssh"
|
||||||
|
owner: "{{ item }}"
|
||||||
|
group: "{{ item }}"
|
||||||
|
mode: "0700"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: create authorized_keys files for mirror and push
|
||||||
|
file:
|
||||||
|
path: "/home/{{ item }}/.ssh/authorized_keys"
|
||||||
|
owner: "{{ item }}"
|
||||||
|
group: "{{ item }}"
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: generate key for mirror user
|
||||||
|
command:
|
||||||
|
cmd: >
|
||||||
|
ssh-keygen -q
|
||||||
|
-t rsa
|
||||||
|
-f /home/mirror/.ssh/id_rsa
|
||||||
|
-N ""
|
||||||
|
creates: /home/mirror/.ssh/id_rsa
|
||||||
|
|
||||||
|
- name: start and enable ssh-mirror
|
||||||
|
systemd:
|
||||||
|
name: ssh-mirror
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
|
- name: restart ssh
|
||||||
|
systemd:
|
||||||
|
name: ssh
|
||||||
|
state: restarted
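Review bot: The host keys generated for the second daemon are named `ssh_mirror_ed25519_key` and `ssh_mirror_rsa_key`, but the `sshd_mirror_config` hunk later in this commit points `HostKey` at `/etc/ssh/ssh_mirror_host_ed25519_key` and `/etc/ssh/ssh_mirror_host_rsa_key`, so `start and enable ssh-mirror` brings up a daemon with no loadable host keys unless one side is renamed; `- { file: ssh_mirror_host_ed25519_key, type: ed25519 }` and `- { file: ssh_mirror_host_rsa_key, type: rsa }` would match the config as written. `create authorized_keys files for mirror and push` uses the `file` module with its default state, which fails when the file does not exist yet; `state: touch` (or `copy` with `content: ""` and `force: no`) creates it. `copy ssh daemon configs` writes both sshd configs with no syntax check and `restart ssh` then runs unconditionally on every play, so a typo in `sshd_config` takes down port 22; adding `validate: /usr/sbin/sshd -t -f %s` to that copy (and ordering it after the key generation, since `sshd -t` also loads the `HostKey` files) and turning the restart into a handler notified by the copy avoids that. `generate key for mirror user` has no `become_user: mirror`, so if the play runs as root — which the rest of the role presumes — `/home/mirror/.ssh/id_rsa` is created root-owned and unreadable by the mirror user; worth confirming.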
|
|
@ -0,0 +1,18 @@
|
||||||
|
[Unit]
|
||||||
|
Description=(Mirror) OpenBSD Secure Shell server
|
||||||
|
After=network.target auditd.service
|
||||||
|
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
EnvironmentFile=-/etc/default/ssh
|
||||||
|
ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_mirror_config -D $SSHD_OPTS
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
KillMode=process
|
||||||
|
Restart=on-failure
|
||||||
|
RestartPreventExitStatus=255
|
||||||
|
SyslogIdentifier=sshd-mirror
|
||||||
|
Type=notify
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
Alias=sshd-mirror.service
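Review bot: The unit starts the second daemon without a configuration test, so a broken `sshd_mirror_config` surfaces only as a failed start that `Restart=on-failure` then retries; Debian's ssh.service runs the check first, and `ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_mirror_config` does the same here. `EnvironmentFile=-/etc/default/ssh` is shared with the primary ssh.service, so any `SSHD_OPTS` set there is applied to both instances; a separate `/etc/default/ssh-mirror` decouples them if that sharing is not intended — presumably it is, worth confirming in a comment on the `[Service]` section.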
|
|
@ -0,0 +1,70 @@
|
||||||
|
# Package generated configuration file
|
||||||
|
# See the sshd(8) manpage for details
|
||||||
|
|
||||||
|
# vm does not have multiple ips
|
||||||
|
#
|
||||||
|
# # What ports, IPs and protocols we listen for
|
||||||
|
# ListenAddress 10.15.134.71
|
||||||
|
# ListenAddress 129.97.134.146
|
||||||
|
|
||||||
|
Port 22
|
||||||
|
|
||||||
|
# Use only protocol version 2
|
||||||
|
Protocol 2
|
||||||
|
|
||||||
|
# HostKeys for protocol version 2
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||||
|
|
||||||
|
# Privilege Separation is turned on for security
|
||||||
|
UsePrivilegeSeparation yes
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
SyslogFacility AUTH
|
||||||
|
LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication
|
||||||
|
UsePAM yes
|
||||||
|
StrictModes yes
|
||||||
|
PermitRootLogin yes
|
||||||
|
LoginGraceTime 120
|
||||||
|
MaxStartups 25:30:100
|
||||||
|
|
||||||
|
# password authentication via PAM (single sign-on initial case)
|
||||||
|
PasswordAuthentication yes
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
|
||||||
|
# keyboard-interactive authentication (like password, works with +needchange)
|
||||||
|
ChallengeResponseAuthentication yes
|
||||||
|
|
||||||
|
# kerberos (single sign-on already authenticated case)
|
||||||
|
GSSAPIAuthentication yes
|
||||||
|
GSSAPIKeyExchange yes
|
||||||
|
GSSAPICleanupCredentials yes
|
||||||
|
GSSAPIStrictAcceptorCheck no
|
||||||
|
|
||||||
|
# public key authentication with authorized_keys
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# no single sign-on via hosts.equiv; we use kerberos
|
||||||
|
HostbasedAuthentication no
|
||||||
|
IgnoreRhosts yes
|
||||||
|
|
||||||
|
# no builtin kerberos auth with password, we do the same via pam_krb5
|
||||||
|
KerberosAuthentication no
|
||||||
|
|
||||||
|
# allow X forwarding
|
||||||
|
X11Forwarding yes
|
||||||
|
X11DisplayOffset 10
|
||||||
|
|
||||||
|
# PAM prints these already
|
||||||
|
PrintMotd no
|
||||||
|
PrintLastLog no
|
||||||
|
|
||||||
|
# Allow client to pass locale environment variables
|
||||||
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server
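Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` on the port-22 instance accepts root password logins; `PermitRootLogin prohibit-password` keeps root reachable by key while closing that path, and the fixed `password_hash` default set on every account in the users hunk of this commit makes password auth for the other accounts worth the same scrutiny. `Protocol 2` and `UsePrivilegeSeparation yes` are deprecated and ignored by current OpenSSH releases (protocol 1 and the option were removed), producing only warnings; they can be dropped here and in the `sshd_mirror_config` hunk. The `HostKey` list names only the ed25519 and rsa keys, which answers the `# is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere?` question in the tasks hunk — the dsa entry in particular should leave the keygen loop, since DSA has been disabled by default since OpenSSH 7.0 and `ssh-keygen -t dsa` fails outright on recent releases.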
|
|
@ -0,0 +1,105 @@
|
||||||
|
# Package generated configuration file
|
||||||
|
# See the sshd(8) manpage for details
|
||||||
|
|
||||||
|
# vm does not have multiple ips
|
||||||
|
# this instance of sshd listens to port 23
|
||||||
|
#
|
||||||
|
# # What ports, IPs and protocols we listen for
|
||||||
|
# ListenAddress 129.97.134.71
|
||||||
|
# ListenAddress 2620:101:f000:4901:c5c::f:1055
|
||||||
|
#
|
||||||
|
# Port 22
|
||||||
|
|
||||||
|
Port 23
|
||||||
|
|
||||||
|
# Use only protocol version 2
|
||||||
|
Protocol 2
|
||||||
|
|
||||||
|
# HostKeys for protocol version 2
|
||||||
|
HostKey /etc/ssh/ssh_mirror_host_ed25519_key
|
||||||
|
HostKey /etc/ssh/ssh_mirror_host_rsa_key
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||||
|
|
||||||
|
# Privilege Separation is turned on for security
|
||||||
|
UsePrivilegeSeparation yes
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
SyslogFacility AUTH
|
||||||
|
LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication
|
||||||
|
UsePAM yes
|
||||||
|
StrictModes yes
|
||||||
|
PermitRootLogin no
|
||||||
|
LoginGraceTime 120
|
||||||
|
MaxStartups 25:30:100
|
||||||
|
|
||||||
|
# allow password auth
|
||||||
|
# # password authentication via PAM (single sign-on initial case)
|
||||||
|
# PasswordAuthentication no
|
||||||
|
PasswordAuthentication yes
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
|
||||||
|
# keyboard-interactive authentication (like password, works with +needchange)
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
|
||||||
|
# kerberos (single sign-on already authenticated case)
|
||||||
|
GSSAPIAuthentication no
|
||||||
|
GSSAPIKeyExchange no
|
||||||
|
GSSAPICleanupCredentials yes
|
||||||
|
GSSAPIStrictAcceptorCheck no
|
||||||
|
|
||||||
|
# public key authentication with authorized_keys
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# no single sign-on via hosts.equiv; we use kerberos
|
||||||
|
HostbasedAuthentication no
|
||||||
|
IgnoreRhosts yes
|
||||||
|
|
||||||
|
# no builtin kerberos auth with password, we do the same via pam_krb5
|
||||||
|
KerberosAuthentication no
|
||||||
|
|
||||||
|
# allow X forwarding
|
||||||
|
X11Forwarding no
|
||||||
|
X11DisplayOffset 10
|
||||||
|
|
||||||
|
# PAM prints these already
|
||||||
|
PrintMotd no
|
||||||
|
PrintLastLog no
|
||||||
|
|
||||||
|
# Allow client to pass locale environment variables
|
||||||
|
# AcceptEnv LANG LC_*
|
||||||
|
|
||||||
|
#Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
# Disallow forwarding
|
||||||
|
AllowTcpForwarding no
|
||||||
|
AllowStreamLocalForwarding no
|
||||||
|
AllowAgentForwarding no
|
||||||
|
|
||||||
|
# Don't execute rc
|
||||||
|
PermitUserRC no
|
||||||
|
|
||||||
|
# Disable TTY (might need to re-enable if needed)
|
||||||
|
PermitTTY no
|
||||||
|
|
||||||
|
# Don't print the last log, pointless in this environment
|
||||||
|
PrintLastLog no
|
||||||
|
|
||||||
|
# UseDNS
|
||||||
|
# To restrict keys to a certain host
|
||||||
|
UseDNS yes
|
||||||
|
|
||||||
|
# Allow users of the mirror group
|
||||||
|
AllowGroups push
|
||||||
|
DenyUsers mirror
|
||||||
|
|
||||||
|
# chroot
|
||||||
|
# we may want this
|
||||||
|
ChrootDirectory /mirror/merlin
|
||||||
|
|
||||||
|
Match group push
|
||||||
|
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
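Review bot: `ChrootDirectory /mirror/merlin` sits at global scope, so it applies to every session on this instance rather than only to the `Match group push` block, and the comment `# we may want this` reads as if the directive were still optional. sshd also refuses the login unless every component of that path is root-owned and not group- or world-writable; the `create /mirror` task in this commit keeps `mode: "0775"` on `/mirror`, so unless that directory is root-owned with a non-writable group the chroot fails at login time rather than at config load — worth verifying, and worth a comment next to the directive stating the ownership requirement. `PrintLastLog no` appears twice (next to `PrintMotd` and under `# Don't print the last log`); sshd keeps the first value, so the duplicate is harmless but one copy should go. `# Allow users of the mirror group` describes `AllowGroups push`; the comment should say push.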
|
||||||
|
|
|
@ -9,28 +9,23 @@
|
||||||
- { group: syscom, gid: 10001 }
|
- { group: syscom, gid: 10001 }
|
||||||
- { group: csc-mirror, gid: 10014 }
|
- { group: csc-mirror, gid: 10014 }
|
||||||
|
|
||||||
- name: create push user
|
- name: create users
|
||||||
# push home should be /
|
|
||||||
user:
|
|
||||||
uid: 1002
|
|
||||||
name: push
|
|
||||||
group: push
|
|
||||||
shell: /bin/sh
|
|
||||||
create_home: no
|
|
||||||
|
|
||||||
- name: create other users
|
|
||||||
# syscom and csc-mirror homes are on /users
|
# syscom and csc-mirror homes are on /users
|
||||||
|
# can login to every user using password
|
||||||
user:
|
user:
|
||||||
uid: "{{ item.uid }}"
|
uid: "{{ item.uid }}"
|
||||||
name: "{{ item.user }}"
|
name: "{{ item.user }}"
|
||||||
group: "{{ item.user }}"
|
group: "{{ item.user }}"
|
||||||
shell: /bin/bash
|
shell: "{{ item.shell }}"
|
||||||
create_home: "{{ item.home }}"
|
create_home: "{{ item.home }}"
|
||||||
|
password: "{{ 'password' | password_hash('sha512') }}"
|
||||||
|
update_password: on_create
|
||||||
loop:
|
loop:
|
||||||
- { user: local, uid: 1000, home: yes }
|
- { user: local, uid: 1000, shell: /bin/bash, home: yes }
|
||||||
- { user: mirror, uid: 1001, home: yes }
|
- { user: mirror, uid: 1001, shell: /bin/bash, home: yes }
|
||||||
- { user: syscom, uid: 10001, home: no }
|
- { user: push, uid: 1002, shell: /bin/sh, home: no }
|
||||||
- { user: csc-mirror, uid: 10014, home: no }
|
- { user: syscom, uid: 10001, shell: /bin/bash, home: no }
|
||||||
|
- { user: csc-mirror, uid: 10014, shell: /bin/bash, home: no }
|
||||||
|
|
||||||
- name: add mirror to push group
|
- name: add mirror to push group
|
||||||
user:
|
user:
|
||||||
|
@ -38,11 +33,6 @@
|
||||||
groups: push
|
groups: push
|
||||||
append: yes
|
append: yes
|
||||||
|
|
||||||
# TODO: ssh to push user should chroot to /mirror/merlin
|
|
||||||
# mirror does not have entry in sshd_config as would have expected
|
|
||||||
|
|
||||||
# why are the file permissions like this?
|
|
||||||
|
|
||||||
- name: create /mirror
|
- name: create /mirror
|
||||||
file:
|
file:
|
||||||
path: /mirror
|
path: /mirror
|
||||||
|
@ -68,14 +58,14 @@
|
||||||
mode: "0775"
|
mode: "0775"
|
||||||
|
|
||||||
- name: create zfs mountpoint
|
- name: create zfs mountpoint
|
||||||
# inconsistency: only .cscmirror1 is owned by mirror
|
# only .cscmirror1 is owned by mirror
|
||||||
# .cscmirror(2|3) is owned by root
|
# .cscmirror(2|3) are owned by root
|
||||||
file:
|
file:
|
||||||
path: /mirror/root/.cscmirror
|
path: /mirror/root/.cscmirror
|
||||||
|
state: directory
|
||||||
owner: mirror
|
owner: mirror
|
||||||
group: mirror
|
group: mirror
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: install zfs
|
- name: install zfs
|
||||||
apt:
|
apt:
|
||||||
|
@ -120,7 +110,3 @@
|
||||||
raidz2
|
raidz2
|
||||||
{{ disk_arg }}
|
{{ disk_arg }}
|
||||||
when: zpool_exists.rc != 0
|
when: zpool_exists.rc != 0
|
||||||
|
|
||||||
# - name: mount zool
|
|
||||||
# command: zfs mount -a
|
|
||||||
# when: zpool_exists.rc != 0
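Review bot: `password: "{{ 'password' | password_hash('sha512') }}"` in `create users` sets one fixed, well-known password on every account in the loop (local, mirror, push, syscom, csc-mirror), and both sshd configs added in this commit keep `PasswordAuthentication yes`, so the host accepts that password over the network on port 22 and, for the push group, on port 23. The comment `# can login to every user using password` suggests a test VM, but nothing gates the task on that; moving the value to a vaulted variable (`password: "{{ default_user_password | password_hash('sha512') }}"`), or omitting `password` so the accounts stay locked and key-only, removes the hard-coded secret. `update_password: on_create` limits the change to newly created accounts but does not make the value any less guessable.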
|
|