From 4e542a8e15596421a9120cf700f0d4d12dbf6688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Sun, 5 Dec 2021 19:58:05 +0000
Subject: roles: Add sshd role for configuration generation
---
 roles/sshd/tasks/main.yml | 19 +++++++++++
 roles/sshd/tasks/sync_keys.yml | 68 +++++++++++++++++++++++++++++++++++++
 roles/sshd/templates/sshd_config.j2 | 22 ++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 roles/sshd/tasks/main.yml
 create mode 100644 roles/sshd/tasks/sync_keys.yml
 create mode 100644 roles/sshd/templates/sshd_config.j2
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..f9131e9
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: generate sshd configuration
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: 0
+ group: 0
+ mode: 0644
+
+- name: enabled and restart sshd
+ service:
+ name: sshd
+ state: restarted
+ enabled: true
+
+- name: check ssh connection
+ wait_for:
+ port: 22
+ delay: 1
+ state: started
diff --git a/roles/sshd/tasks/sync_keys.yml b/roles/sshd/tasks/sync_keys.yml
new file mode 100644
index 0000000..73aa741
--- /dev/null
+++ b/roles/sshd/tasks/sync_keys.yml
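Review bot: The `generate sshd configuration` task writes `/etc/ssh/sshd_config` and the next task restarts sshd unconditionally, with nothing checking the rendered file first, so a template error leaves sshd down and the host unreachable for the rest of the play. `template` supports `validate`, so add `validate: /usr/sbin/sshd -t -f %s` to the first task, and consider replacing the unconditional `state: restarted` with a `notify` to a restart handler so the daemon only restarts when the file actually changed. `mode: 0644` is an unquoted octal that PyYAML turns into the integer 420, which only works because 420 happens to equal 0o644; the conventional form is `mode: "0644"`, as the `sync_keys.yml` hunk already writes `mode: "0600"`.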
@@ -0,0 +1,68 @@
+- name: retrieve all existing users
+ shell: cut -d ":" -f 1 /etc/passwd
+ register: sshd_users
+ changed_when: false
+
+- name: bind retrieved users output lines to list
+ set_fact:
+ sshd_users: "{{ sshd_users.stdout_lines }}"
+
+- name: get ssh keys for all user
+ find:
+ paths: "{{ inventory_dir }}/files/pubkeys"
+ pattern: "*.pub"
+ recurse: true
+ file_type: link
+ register: keys
+ delegate_to: localhost
+
+- name: show pubkeys
+ debug:
+ msg: |
+ {% for key in keys.files %}
+ {{ key.path }}
+ {% endfor %}
+ run_once: true
+ delegate_to: localhost
+
+- name: synchronize ssh keys
+ authorized_key:
+ user: "{{ item.path | dirname | basename }}"
+ state: present
+ key: "{{ lookup('file', item.path) }}"
+ when: item.path | dirname | basename in sshd_users
+ loop: "{{ keys.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+
+- name: get users homedir
+ shell: echo $(getent passwd "{{ item.path | dirname | basename }}" | cut -d ":" -f 6) "{{ item.path | dirname | basename }}"
+ register: sshd_homedirs
+ when: item.path | dirname | basename in sshd_users
+ loop: "{{ keys.files }}"
+ changed_when: false
+ loop_control:
+ label: "{{ item.path | dirname | basename }}"
+
+- name: clean users homedir result
+ set_fact:
+ sshd_homedirs: "[{% for dir in sshd_homedirs.results if dir.stdout is defined %}\"{{ dir.stdout }}\", {% endfor %}]"
+
+- name: make users homedir unique
+ set_fact:
+ sshd_homedirs: "{{ sshd_homedirs | unique }}"
+
+- name: show sshd homedirs for users
+ debug:
+ var: sshd_homedirs
+
+- name: chown ssh file to correct user
+ file:
+ path: "{{ item.split(' ')[0] }}/.ssh/authorized_keys"
+ owner: "{{ item.split(' ')[1] }}"
+ mode: "0600"
+ ignore_errors: true
+ when: item.split(" ")[1] in sshd_users
+ loop: "{{ sshd_homedirs }}"
+ loop_control:
+ label: "{{ item }}"
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
new file mode 100644
index 0000000..534ea39
--- /dev/null
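Review bot: The `synchronize ssh keys` task can only add keys: `state: present` with no `exclusive` means a `.pub` file removed from `files/pubkeys` stays in that user's `authorized_keys` on every host, so revoking a key by deleting it from the inventory has no effect. Making the task genuinely synchronizing needs one `authorized_key` call per user with `exclusive: true` and all of that user's keys joined by newlines in `key`; with the current per-file loop, `exclusive` would overwrite the previous iteration's key, so the loop has to iterate users rather than files. The `get users homedir` through `chown ssh file to correct user` chain then re-derives ownership that `authorized_key` already applies to the file it manages, and its `ignore_errors: true` would mask a genuine failure; if the home directories are still needed, the `getent` module (`getent: database: passwd`) avoids the `shell` call and the string-built list in `clean users homedir result`, which breaks on any `"` or space in a home path because of the `\"{{ dir.stdout }}\"` quoting and the later `item.split(' ')`.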
+++ b/roles/sshd/templates/sshd_config.j2
@@ -0,0 +1,22 @@
+# managed by Ansible
+
+# security
+PermitRootLogin yes
+MaxAuthTries 6
+MaxSessions 10
+
+# auth
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+PermitEmptyPasswords no
+ClientAliveInterval 180
+
+{% if ansible_facts["os_family"] == "Debian" %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+ChallengeResponseAuthentication no
+UsePAM yes
+PrintMotd no
+UsePrivilegeSeparation sandbox
+{% else %}
+Subsystem sftp /usr/libexec/sftp-server
+{% endif %}
-- 
cgit v1.2.3
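Review bot: `PermitRootLogin yes`, the first directive under `# security`, lets root authenticate with a password as soon as `PasswordAuthentication` is ever switched back on, which is the one change most likely to be made on a host in a hurry; `PermitRootLogin prohibit-password` keeps the key-based root access this role provisions through `authorized_key` while closing the password path independently of the rest of the file, so change the line to `PermitRootLogin prohibit-password`. In the Debian branch, `UsePrivilegeSeparation sandbox` has been a deprecated no-op since OpenSSH 7.5 and, as far as I can tell, only produces a startup warning on current releases, so it can be dropped if the targets run a supported Debian. The non-Debian branch sets neither `UsePAM` nor `ChallengeResponseAuthentication`, so on those hosts keyboard-interactive authentication stays at the distribution default; if `PasswordAuthentication no` is meant to disable all password-style logins there too, add `ChallengeResponseAuthentication no` outside the conditional.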