add ssh role
This commit is contained in:
parent
49e40893e0
commit
0a26c830f1
|
@ -8,4 +8,5 @@
|
|||
# - "../roles/ftp"
|
||||
# - "../roles/nginx"
|
||||
# - "../roles/rsync"
|
||||
# - "../roles/ssh"
|
||||
# TODO: - "../roles/mirrormanager"
|
|
@ -102,5 +102,17 @@
|
|||
follow: no
|
||||
force: yes
|
||||
|
||||
# TODO: copy over merlin.service and start/enable service
|
||||
# this will create /mirror/merlin/run/merlin.sock
|
||||
- name: copy merlin.service
|
||||
copy:
|
||||
src: "{{ role_path }}/templates/mirror/merlin/merlin.service"
|
||||
dest: "/etc/systemd/system/merlin.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
# - name: start merlin.service
|
||||
# # merlin is disabled on mirror
|
||||
# systemd:
|
||||
# name: merlin
|
||||
# state: started
|
||||
# # enabled: yes
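Review bot: `copy merlin.service` places a unit under `/etc/systemd/system` but nothing in the hunk runs `daemon-reload`, so systemd will not see the new or changed unit until something else reloads it; add a `systemd: daemon_reload: yes` step (or a handler notified by this copy task) after it. The source sits under `templates/` yet is shipped with `copy`, so any Jinja in the unit goes out verbatim — use `template:` if the file contains `{{ }}` expressions, or move it to `files/`. The `start merlin.service` task stays commented with the remark that merlin is disabled on mirror; if that is intended, say so at the copy task too (`# unit is installed but deliberately not enabled on mirror`) so the next reader does not enable it by accident. The `merlin.sock` TODO above the task is left open; a one-line note on which service is expected to create the socket would close it.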
|
|
@ -0,0 +1,73 @@
|
|||
# TODO: create second virsh network interface
|
||||
# for now we will just run the second ssh instance on port 23
|
||||
|
||||
- name: copy ssh daemon configs
|
||||
copy:
|
||||
src: "{{ role_path }}/templates/{{ item }}"
|
||||
dest: "/etc/ssh/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
loop:
|
||||
- sshd_config
|
||||
- sshd_mirror_config
|
||||
|
||||
- name: copy ssh-mirror.service
|
||||
copy:
|
||||
src: "{{ role_path }}/templates/ssh-mirror.service"
|
||||
dest: "/etc/systemd/system/ssh-mirror.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: generate keys for sshd
|
||||
# is ssh_host_dsa_key or ssh_host_ecdsa_key used anywhere?
|
||||
command:
|
||||
cmd: >
|
||||
ssh-keygen -q
|
||||
-t {{ item.type }}
|
||||
-f /etc/ssh/{{ item.file }}
|
||||
-N ""
|
||||
creates: /etc/ssh/{{ item.file }}
|
||||
loop:
|
||||
- { file: ssh_host_dsa_key, type: dsa }
|
||||
- { file: ssh_host_ecdsa_key, type: ecdsa }
|
||||
- { file: ssh_host_ed25519_key, type: ed25519 }
|
||||
- { file: ssh_host_rsa_key, type: rsa }
|
||||
- { file: ssh_mirror_ed25519_key, type: ed25519 }
|
||||
- { file: ssh_mirror_rsa_key, type: rsa }
|
||||
|
||||
- name: create .ssh for mirror and push
|
||||
file:
|
||||
path: "/home/{{ item }}/.ssh"
|
||||
owner: "{{ item }}"
|
||||
group: "{{ item }}"
|
||||
mode: "0700"
|
||||
state: directory
|
||||
|
||||
- name: create authorized_keys files for mirror and push
|
||||
file:
|
||||
path: "/home/{{ item }}/.ssh/authorized_keys"
|
||||
owner: "{{ item }}"
|
||||
group: "{{ item }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: generate key for mirror user
|
||||
command:
|
||||
cmd: >
|
||||
ssh-keygen -q
|
||||
-t rsa
|
||||
-f /home/mirror/.ssh/id_rsa
|
||||
-N ""
|
||||
creates: /home/mirror/.ssh/id_rsa
|
||||
|
||||
- name: start and enable ssh-mirror
|
||||
systemd:
|
||||
name: ssh-mirror
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: restart ssh
|
||||
systemd:
|
||||
name: ssh
|
||||
state: restarted
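Review bot: The host-key names written by `generate keys for sshd` do not match the ones the mirror daemon is told to load: the loop produces `/etc/ssh/ssh_mirror_ed25519_key` and `/etc/ssh/ssh_mirror_rsa_key`, while the `sshd_mirror_config` added in this commit sets `HostKey /etc/ssh/ssh_mirror_host_ed25519_key` and `HostKey /etc/ssh/ssh_mirror_host_rsa_key`, so `ssh-mirror` will start with no usable host key and exit; rename the loop entries to `- { file: ssh_mirror_host_ed25519_key, type: ed25519 }` and `- { file: ssh_mirror_host_rsa_key, type: rsa }`. Both `.ssh` tasks reference `{{ item }}` but carry no `loop:` in this hunk, and the `authorized_keys` task has no `state:`, so `file` fails when the file does not exist yet — add `loop: [mirror, push]` to both and `state: touch` (with `access_time: preserve` and `modification_time: preserve` to stay idempotent) to the second. `generate key for mirror user` runs `ssh-keygen` as the play's user (root, unless a `become_user` outside this hunk says otherwise), leaving `/home/mirror/.ssh/id_rsa` root-owned and unreadable by `mirror`; add `become_user: mirror` or a follow-up `file` task setting `owner`/`group`. The loop also creates `ssh_host_dsa_key`, which neither config loads and which OpenSSH has refused by default since 7.0; drop that entry (and `ecdsa` if the comment's question is answered "no") rather than leave unused private keys on disk. `restart ssh` fires on every play regardless of change; a handler notified from `copy ssh daemon configs` would restart only when a config actually changed.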
|
|
@ -0,0 +1,18 @@
|
|||
[Unit]
|
||||
Description=(Mirror) OpenBSD Secure Shell server
|
||||
After=network.target auditd.service
|
||||
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/default/ssh
|
||||
ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_mirror_config -D $SSHD_OPTS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
SyslogIdentifier=sshd-mirror
|
||||
Type=notify
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=sshd-mirror.service
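Review bot: The unit launches `sshd` straight from `ExecStart` without the `ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_mirror_config` syntax check that Debian's stock `ssh.service` performs before start; with `Restart=on-failure`, a broken `sshd_mirror_config` (for example the host-key path mismatch in this commit's keygen task) becomes a restart loop rather than one clear failure, so add that `ExecStartPre` line before `ExecStart`. `EnvironmentFile=-/etc/default/ssh` is shared with the primary instance, so any `-p` or `-f` someone later puts into `SSHD_OPTS` is applied to both daemons; use a separate `/etc/default/ssh-mirror` or drop `$SSHD_OPTS` here. A short `# second sshd instance for the push/mirror group; config lives in sshd_mirror_config` comment at the top of the `[Unit]` section would also help, since the Description is the only hint that this is not the regular daemon.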
|
|
@ -0,0 +1,70 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
# vm does not have multiple ips
|
||||
#
|
||||
# # What ports, IPs and protocols we listen for
|
||||
# ListenAddress 10.15.134.71
|
||||
# ListenAddress 129.97.134.146
|
||||
|
||||
Port 22
|
||||
|
||||
# Use only protocol version 2
|
||||
Protocol 2
|
||||
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||
|
||||
# Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication
|
||||
UsePAM yes
|
||||
StrictModes yes
|
||||
PermitRootLogin yes
|
||||
LoginGraceTime 120
|
||||
MaxStartups 25:30:100
|
||||
|
||||
# password authentication via PAM (single sign-on initial case)
|
||||
PasswordAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# keyboard-interactive authentication (like password, works with +needchange)
|
||||
ChallengeResponseAuthentication yes
|
||||
|
||||
# kerberos (single sign-on already authenticated case)
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIKeyExchange yes
|
||||
GSSAPICleanupCredentials yes
|
||||
GSSAPIStrictAcceptorCheck no
|
||||
|
||||
# public key authentication with authorized_keys
|
||||
PubkeyAuthentication yes
|
||||
|
||||
# no single sign-on via hosts.equiv; we use kerberos
|
||||
HostbasedAuthentication no
|
||||
IgnoreRhosts yes
|
||||
|
||||
# no builtin kerberos auth with password, we do the same via pam_krb5
|
||||
KerberosAuthentication no
|
||||
|
||||
# allow X forwarding
|
||||
X11Forwarding yes
|
||||
X11DisplayOffset 10
|
||||
|
||||
# PAM prints these already
|
||||
PrintMotd no
|
||||
PrintLastLog no
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
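Review bot: `PermitRootLogin yes` combined with `PasswordAuthentication yes` exposes root to online password guessing on port 22, and the accounts created in this same commit are seeded with a fixed password, so this should be `PermitRootLogin prohibit-password` (or `no`) with root reached by key only. `Protocol 2` and `UsePrivilegeSeparation yes` are no-ops on current OpenSSH (server-side protocol 1 was removed in 7.4 and privilege separation became mandatory in 7.5), and sshd logs a deprecation warning for the latter; either drop both or add a comment naming the OpenSSH version this file targets. `GSSAPIStrictAcceptorCheck no` relaxes a server-side check and only matters because `GSSAPIAuthentication yes` is set above it; a one-line comment on why it is relaxed (multi-homed host, principal mismatch) would record the reason for the next maintainer. The `MACs` line is commented out, so the default MAC list applies; if that is deliberate, `# MACs: using OpenSSH defaults` says so more clearly than a dead directive.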
|
|
@ -0,0 +1,105 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
# vm does not have multiple ips
|
||||
# this instance of sshd listens to port 23
|
||||
#
|
||||
# # What ports, IPs and protocols we listen for
|
||||
# ListenAddress 129.97.134.71
|
||||
# ListenAddress 2620:101:f000:4901:c5c::f:1055
|
||||
#
|
||||
# Port 22
|
||||
|
||||
Port 23
|
||||
|
||||
# Use only protocol version 2
|
||||
Protocol 2
|
||||
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_mirror_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_mirror_host_rsa_key
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||
|
||||
# Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication
|
||||
UsePAM yes
|
||||
StrictModes yes
|
||||
PermitRootLogin no
|
||||
LoginGraceTime 120
|
||||
MaxStartups 25:30:100
|
||||
|
||||
# allow password auth
|
||||
# # password authentication via PAM (single sign-on initial case)
|
||||
# PasswordAuthentication no
|
||||
PasswordAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# keyboard-interactive authentication (like password, works with +needchange)
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# kerberos (single sign-on already authenticated case)
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIKeyExchange no
|
||||
GSSAPICleanupCredentials yes
|
||||
GSSAPIStrictAcceptorCheck no
|
||||
|
||||
# public key authentication with authorized_keys
|
||||
PubkeyAuthentication yes
|
||||
|
||||
# no single sign-on via hosts.equiv; we use kerberos
|
||||
HostbasedAuthentication no
|
||||
IgnoreRhosts yes
|
||||
|
||||
# no builtin kerberos auth with password, we do the same via pam_krb5
|
||||
KerberosAuthentication no
|
||||
|
||||
# allow X forwarding
|
||||
X11Forwarding no
|
||||
X11DisplayOffset 10
|
||||
|
||||
# PAM prints these already
|
||||
PrintMotd no
|
||||
PrintLastLog no
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
# AcceptEnv LANG LC_*
|
||||
|
||||
#Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Disallow forwarding
|
||||
AllowTcpForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
AllowAgentForwarding no
|
||||
|
||||
# Don't execute rc
|
||||
PermitUserRC no
|
||||
|
||||
# Disable TTY (might need to re-enable if needed)
|
||||
PermitTTY no
|
||||
|
||||
# Don't print the last log, pointless in this environment
|
||||
PrintLastLog no
|
||||
|
||||
# UseDNS
|
||||
# To restrict keys to a certain host
|
||||
UseDNS yes
|
||||
|
||||
# Allow users of the mirror group
|
||||
AllowGroups push
|
||||
DenyUsers mirror
|
||||
|
||||
# chroot
|
||||
# we may want this
|
||||
ChrootDirectory /mirror/merlin
|
||||
|
||||
Match group push
|
||||
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
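Review bot: `PasswordAuthentication yes` is the riskiest line in this file: `AllowGroups push` admits the `push` account (`mirror` is excluded by `DenyUsers`), the users task in this commit seeds that account with the literal password `password`, and the daemon sits on a reachable port, so a known credential is accepted; the commented `# PasswordAuthentication no` just above reads as the original intent — restore it and rely on `PubkeyAuthentication yes` with the per-user `AuthorizedKeysFile` in the `Match` block. The `HostKey` paths (`ssh_mirror_host_*_key`) must match what the role's keygen task writes (`ssh_mirror_*_key` in the tasks hunk), otherwise sshd exits with no host keys. `ChrootDirectory /mirror/merlin` only works when that directory and every parent are root-owned and not group/world-writable (sshd refuses the session otherwise), and with `PermitTTY no`, no `Subsystem` and no `ForceCommand` the file does not say what a pushing client is expected to execute inside the chroot; a comment naming the intended command, or a `ForceCommand`, would document the contract. `PrintLastLog no` appears twice, and no `PidFile` is set so this daemon shares `/run/sshd.pid` with the primary one; add `PidFile /run/sshd-mirror.pid` and drop the duplicate. `Port 23` is the registered telnet port and draws constant scanner noise into the auth log; until the second address exists, a high port is quieter.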
|
||||
|
|
@ -9,28 +9,23 @@
|
|||
- { group: syscom, gid: 10001 }
|
||||
- { group: csc-mirror, gid: 10014 }
|
||||
|
||||
- name: create push user
|
||||
# push home should be /
|
||||
user:
|
||||
uid: 1002
|
||||
name: push
|
||||
group: push
|
||||
shell: /bin/sh
|
||||
create_home: no
|
||||
|
||||
- name: create other users
|
||||
- name: create users
|
||||
# syscom and csc-mirror homes are on /users
|
||||
# can login to every user using password
|
||||
user:
|
||||
uid: "{{ item.uid }}"
|
||||
name: "{{ item.user }}"
|
||||
group: "{{ item.user }}"
|
||||
shell: /bin/bash
|
||||
shell: "{{ item.shell }}"
|
||||
create_home: "{{ item.home }}"
|
||||
password: "{{ 'password' | password_hash('sha512') }}"
|
||||
update_password: on_create
|
||||
loop:
|
||||
- { user: local, uid: 1000, home: yes }
|
||||
- { user: mirror, uid: 1001, home: yes }
|
||||
- { user: syscom, uid: 10001, home: no }
|
||||
- { user: csc-mirror, uid: 10014, home: no }
|
||||
- { user: local, uid: 1000, shell: /bin/bash, home: yes }
|
||||
- { user: mirror, uid: 1001, shell: /bin/bash, home: yes }
|
||||
- { user: push, uid: 1002, shell: /bin/sh, home: no }
|
||||
- { user: syscom, uid: 10001, shell: /bin/bash, home: no }
|
||||
- { user: csc-mirror, uid: 10014, shell: /bin/bash, home: no }
|
||||
|
||||
- name: add mirror to push group
|
||||
user:
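Review bot: `password: "{{ 'password' | password_hash('sha512') }}"` sets the literal password `password` on every account in the loop — `local`, `mirror`, `push`, `syscom`, `csc-mirror` — and both sshd configs added in this commit accept password authentication, so the host ships with a guessable login for each of them; `update_password: on_create` only stops later runs from resetting it, it does not remove the credential. If these accounts are meant to be key-only, use `password: '!'` (locked) or `'*'`; if a real password is required, read the hash from a vaulted variable such as `password: "{{ vault_user_passwords[item.user] }}"`. `password_hash('sha512')` with no fixed salt yields a different hash on every run, so removing `update_password: on_create` later would make the task report changed each time; pass an explicit salt from a vaulted variable if that ever changes. The comment `# can login to every user using password` records the state but not the reason; if this is a test-VM convenience, say so and add a TODO to remove it before the host is exposed. The `add mirror to push group` task that closes this hunk continues past it.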
|
||||
|
@ -38,11 +33,6 @@
|
|||
groups: push
|
||||
append: yes
|
||||
|
||||
# TODO: ssh to push user should chroot to /mirror/merlin
|
||||
# mirror does not have entry in sshd_config as would have expected
|
||||
|
||||
# why are the file permissions like this?
|
||||
|
||||
- name: create /mirror
|
||||
file:
|
||||
path: /mirror
|
||||
|
@ -68,14 +58,14 @@
|
|||
mode: "0775"
|
||||
|
||||
- name: create zfs mountpoint
|
||||
# inconsistency: only .cscmirror1 is owned by mirror
|
||||
# .cscmirror(2|3) is owned by root
|
||||
# only .cscmirror1 is owned by mirror
|
||||
# .cscmirror(2|3) are owned by root
|
||||
file:
|
||||
path: /mirror/root/.cscmirror
|
||||
state: directory
|
||||
owner: mirror
|
||||
group: mirror
|
||||
mode: "0755"
|
||||
state: directory
|
||||
|
||||
- name: install zfs
|
||||
apt:
|
||||
|
@ -120,7 +110,3 @@
|
|||
raidz2
|
||||
{{ disk_arg }}
|
||||
when: zpool_exists.rc != 0
|
||||
|
||||
# - name: mount zool
|
||||
# command: zfs mount -a
|
||||
# when: zpool_exists.rc != 0
|