authorRomain Gonçalves <me@rgoncalves.se>2022-12-12 22:51:55 +0100
committerRomain Gonçalves <me@rgoncalves.se>2022-12-17 17:02:24 +0100
commit970a107492c31a43bb77f6f5e0096b41adc2c2f4 (patch)
tree614ee1b08379eb5838aaf004e58f31880127bc9d
parentdb698b595e7ff088c96d00ef5285a0d634aff1be (diff)
downloadinfrastructure-970a107492c31a43bb77f6f5e0096b41adc2c2f4.tar.gz
refactor: split sshd and ssh key synchronization
-rw-r--r--inventory.ini4
-rw-r--r--roles/sshd/defaults/main.yml5
-rw-r--r--roles/sshd/tasks/main.yml13
-rw-r--r--roles/sshd/templates/sshd_config.j27
-rw-r--r--roles/sshd_keys/meta/main.yml5
-rw-r--r--roles/sshd_keys/tasks/main.yml (renamed from roles/sshd/tasks/synchronize_keys.yml)0
-rw-r--r--site.workstation.yml3
7 files changed, 30 insertions, 7 deletions
diff --git a/inventory.ini b/inventory.ini
index 1c5f66d..7d6fdc0 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -17,3 +17,7 @@ stack0
stack0-dc1
stack0-cld0
stack0-dev0
+
+[workstations]
+ws-think03
+ws-work01
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..87933b9
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+sshd_configuration_file: /etc/ssh/sshd_config
+sshd_listen_port: 22
+sshd_enable_x11_forwarding: false
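Review bot: `sshd_listen_port: 22` is now what both the template and the `wait_for` check use, but nothing ties it to the port the controller actually connects on; if a host's inventory sets `ansible_port` to anything else, the restart moves sshd to 22, the on-target `wait_for` still passes, and the controller loses its session for every later task. The previous `ansible_port` wiring avoided that by construction. Either document the coupling above the default, `# must equal ansible_port for the host, otherwise the session is lost after "enable and restart sshd"`, or keep the old behaviour as the default with `sshd_listen_port: "{{ ansible_port | default(22) }}"` and let hosts override it deliberately.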
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index df5d845..b895958 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,15 +1,18 @@
---
+- name: install openssh
+ ansible.builtin.package:
+ name: openssh
+ state: present
+ when: ansible_distribution in ["Archlinux"]
+
- name: generate sshd configuration
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: 0
group: 0
- mode: 0644
-
-- name: include key synchronization tasks
- ansible.builtin.include_tasks: synchronize_keys.yml
+ mode: "0644"
- name: enable and restart sshd
ansible.builtin.service:
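Review bot: The `generate sshd configuration` task writes the rendered template straight over `/etc/ssh/sshd_config` with no `validate`, and the next task (`enable and restart sshd`, whose body continues past the hunk) restarts the daemon, so any render error — a wrong `Subsystem` path for a distribution, a typo in a new option — lands on disk and the restart leaves the host unreachable over SSH. Add `validate: "sshd -t -f %s"` to the template task so a bad render is rejected before it replaces the live file (use the absolute path, `/usr/sbin/sshd` on Debian/OpenBSD and `/usr/bin/sshd` on Arch, if `sshd` is not on the task's PATH). Separately, `dest: /etc/ssh/sshd_config` duplicates the new `sshd_configuration_file` default; `dest: "{{ sshd_configuration_file }}"` would make that variable actually do something.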
@@ -19,6 +22,6 @@
- name: check ssh connection
ansible.builtin.wait_for:
- port: "{{ ansible_port }}"
+ port: "{{ sshd_listen_port }}"
delay: 1
state: started
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index f40e160..b8affa8 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -1,7 +1,7 @@
# managed by Ansible
# network
-Port {{ ansible_port }}
+Port {{ sshd_listen_port }}
# security
PermitRootLogin yes
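Review bot: `PermitRootLogin yes` remains in the rendered config now that the role is also applied to a workstation host; with `PasswordAuthentication no` further down root is effectively key-only, but that protection depends on a separate line staying as it is. `PermitRootLogin prohibit-password` states the intent in the directive itself and survives someone later re-enabling password authentication. If root login exists only for the Ansible connection user, a comment saying so above the line would help the next reader.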
@@ -13,13 +13,16 @@ AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 180
+X11Forwarding {{ "yes" if sshd_enable_x11_forwarding else "no" }}
-{% if ansible_facts["os_family"] == "Debian" %}
+{% if ansible_distribution == "Debian" %}
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
UsePrivilegeSeparation sandbox
+{% elif ansible_distribution == "Archlinux" %}
+Subsystem sftp /usr/lib/ssh/sftp-server
{% else %}
Subsystem sftp /usr/libexec/sftp-server
{% endif %}
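Review bot: Changing the guard from `ansible_facts["os_family"] == "Debian"` to `ansible_distribution == "Debian"` narrows it: Debian derivatives (Ubuntu, Raspbian, …) now fall through to the `else` branch, which points sftp at `/usr/libexec/sftp-server` and drops `UsePAM yes` / `ChallengeResponseAuthentication no`, so on such a host the rendered config would fail or behave differently. Whether any such hosts are in the inventory is not visible here, but the narrowing looks unintended; keep `{% if ansible_os_family == "Debian" %}` for the Debian branch and use `ansible_distribution` only for the new Archlinux branch. While here, `UsePrivilegeSeparation` has been a no-op since OpenSSH 7.5 and `sshd -t` warns on it, so it could be dropped the next time this branch is touched.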
diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml
new file mode 100644
index 0000000..46c62ed
--- /dev/null
+++ b/roles/sshd_keys/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+ - role: sshd
+ tags: dependency
diff --git a/roles/sshd/tasks/synchronize_keys.yml b/roles/sshd_keys/tasks/main.yml
index 32f6b5a..32f6b5a 100644
--- a/roles/sshd/tasks/synchronize_keys.yml
+++ b/roles/sshd_keys/tasks/main.yml
diff --git a/site.workstation.yml b/site.workstation.yml
index 37118a2..1664015 100644
--- a/site.workstation.yml
+++ b/site.workstation.yml
@@ -43,6 +43,9 @@
- role: _workstation/xorg
when: ansible_distribution in ["Archlinux", "OpenBSD"]
+ - role: sshd
+ when: '"work" in ansible_hostname'
+
- role: _workstation/smartcard
when: ansible_distribution in ["Archlinux", "OpenBSD"]
- role: _workstation/pipewire
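Review bot: `when: '"work" in ansible_hostname'` gates a remote-access daemon on a substring of the gathered hostname, so any future host whose name happens to contain `work`, or a host whose hostname drifts, silently gets sshd exposed, and the decision cannot be audited from the inventory. Since the commit already introduces a `[workstations]` group, an explicit per-host switch is clearer: `when: workstation_enable_sshd | default(false)` with `workstation_enable_sshd: true` in `host_vars/ws-work01`. Note that `ansible_hostname` is a fact, so the condition also depends on fact gathering having run for this play, which the hunk does not show; the enclosing `roles:` list starts before the hunk.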