From 970a107492c31a43bb77f6f5e0096b41adc2c2f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= Date: Mon, 12 Dec 2022 22:51:55 +0100 Subject: refactor: split sshd and ssh key synchronization --- inventory.ini | 4 ++++ roles/sshd/defaults/main.yml | 5 +++++ roles/sshd/tasks/main.yml | 13 ++++++++----- roles/sshd/tasks/synchronize_keys.yml | 20 -------------------- roles/sshd/templates/sshd_config.j2 | 7 +++++-- roles/sshd_keys/meta/main.yml | 5 +++++ roles/sshd_keys/tasks/main.yml | 20 ++++++++++++++++++++ site.workstation.yml | 3 +++ 8 files changed, 50 insertions(+), 27 deletions(-) create mode 100644 roles/sshd/defaults/main.yml delete mode 100644 roles/sshd/tasks/synchronize_keys.yml create mode 100644 roles/sshd_keys/meta/main.yml create mode 100644 roles/sshd_keys/tasks/main.yml diff --git a/inventory.ini b/inventory.ini index 1c5f66d..7d6fdc0 100644 --- a/inventory.ini +++ b/inventory.ini @@ -17,3 +17,7 @@ stack0 stack0-dc1 stack0-cld0 stack0-dev0 + +[workstations] +ws-think03 +ws-work01 diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml new file mode 100644 index 0000000..87933b9 --- /dev/null +++ b/roles/sshd/defaults/main.yml @@ -0,0 +1,5 @@ +--- + +sshd_configuration_file: /etc/ssh/sshd_config +sshd_listen_port: 22 +sshd_enable_x11_forwarding: false diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index df5d845..b895958 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -1,15 +1,18 @@ --- +- name: install openssh + ansible.builtin.package: + name: openssh + state: present + when: ansible_distribution in ["Archlinux"] + - name: generate sshd configuration ansible.builtin.template: src: sshd_config.j2 dest: /etc/ssh/sshd_config owner: 0 group: 0 - mode: 0644 - -- name: include key synchronization tasks - ansible.builtin.include_tasks: synchronize_keys.yml + mode: "0644" - name: enable and restart sshd ansible.builtin.service: 
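Review bot: The `generate sshd configuration` task still writes to a literal `dest: /etc/ssh/sshd_config` even though this commit adds `sshd_configuration_file` with that same value in roles/sshd/defaults/main.yml, so the new default is unused and the two can drift; use `dest: "{{ sshd_configuration_file }}"`. The bigger gap is that the template task has no `validate:`, and the `enable and restart sshd` task that follows (its body continues past this hunk) restarts the daemon on whatever was rendered, so a bad expansion locks the host out of the very connection the play depends on. Add `validate: "sshd -t -f %s"` so a config error fails the task before the file is installed; a bare `sshd` rather than an absolute path is deliberate because the binary's location may differ between the distributions this role branches on, but confirm it resolves on the remote PATH for the become user.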
@@ -19,6 +22,6 @@ - name: check ssh connection ansible.builtin.wait_for: - port: "{{ ansible_port }}" + port: "{{ sshd_listen_port }}" delay: 1 state: started diff --git a/roles/sshd/tasks/synchronize_keys.yml b/roles/sshd/tasks/synchronize_keys.yml deleted file mode 100644 index 32f6b5a..0000000 --- a/roles/sshd/tasks/synchronize_keys.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: get ssh keys for all users - ansible.builtin.find: - paths: files/keys - file_type: link - recurse: true - delegate_to: localhost - run_once: true - register: result - -- name: synchronize ssh keys - ansible.posix.authorized_key: - user: "{{ item.path | dirname | basename }}" - state: present - key: "{{ lookup('file', item.path) }}" - loop_control: - label: "{{ item.path }} -> user: {{ item.path | dirname | basename }}" - loop: "{{ result.files }}" - failed_when: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index f40e160..b8affa8 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -1,7 +1,7 @@ # managed by Ansible # network -Port {{ ansible_port }} +Port {{ sshd_listen_port }} # security PermitRootLogin yes @@ -13,13 +13,16 @@ AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no PermitEmptyPasswords no ClientAliveInterval 180 +X11Forwarding {{ "yes" if sshd_enable_x11_forwarding else "no" }} -{% if ansible_facts["os_family"] == "Debian" %} +{% if ansible_distribution == "Debian" %} Subsystem sftp /usr/lib/openssh/sftp-server ChallengeResponseAuthentication no UsePAM yes PrintMotd no UsePrivilegeSeparation sandbox +{% elif ansible_distribution == "Archlinux" %} +Subsystem sftp /usr/lib/ssh/sftp-server {% else %} Subsystem sftp /usr/libexec/sftp-server {% endif %} diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml new file mode 100644 index 0000000..46c62ed --- /dev/null +++ b/roles/sshd_keys/meta/main.yml 
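Review bot: `wait_for` now probes `sshd_listen_port`, but the controller still connects on `ansible_port`, and after this change nothing ties the two together once the rendered `Port` follows the role variable; a host whose inventory sets `ansible_port` to anything but the role default of 22 passes this check and then loses its SSH session on every task after the restart. The old `ansible_port` reference kept them in lockstep, so either restore that coupling in the defaults, `sshd_listen_port: "{{ ansible_port | default(22) }}"`, or add an `ansible.builtin.assert` that `sshd_listen_port | int == ansible_port | default(22) | int` before the configuration is rendered. Either way, a short comment on this task saying that the port checked here must be the one Ansible itself uses would save the next person from the same lockout.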
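Review bot: Changing the Debian branch from `ansible_facts["os_family"] == "Debian"` to `ansible_distribution == "Debian"` narrows it to Debian proper: any other Debian-family system (Ubuntu, Raspbian, ...) now falls through to the `{% else %}` branch and gets `Subsystem sftp /usr/libexec/sftp-server` without the `UsePAM yes` and `ChallengeResponseAuthentication no` lines, which breaks sftp there and silently changes the authentication stack. Unless the inventory is known to hold only Debian itself, keep the family test and place the new Arch branch beside it: `{% if ansible_facts["os_family"] == "Debian" %}` (the same reasoning applies to Arch derivatives, whose `ansible_distribution` is not "Archlinux"). Unrelated to this commit, the retained `PermitRootLogin yes` is key-only in practice only because `PasswordAuthentication no` appears further down; `PermitRootLogin prohibit-password` states that intent in one directive instead of relying on a second one.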
@@ -0,0 +1,5 @@ +--- + +dependencies: + - role: sshd + tags: dependency diff --git a/roles/sshd_keys/tasks/main.yml b/roles/sshd_keys/tasks/main.yml new file mode 100644 index 0000000..32f6b5a --- /dev/null +++ b/roles/sshd_keys/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- name: get ssh keys for all users + ansible.builtin.find: + paths: files/keys + file_type: link + recurse: true + delegate_to: localhost + run_once: true + register: result + +- name: synchronize ssh keys + ansible.posix.authorized_key: + user: "{{ item.path | dirname | basename }}" + state: present + key: "{{ lookup('file', item.path) }}" + loop_control: + label: "{{ item.path }} -> user: {{ item.path | dirname | basename }}" + loop: "{{ result.files }}" + failed_when: false diff --git a/site.workstation.yml b/site.workstation.yml index 37118a2..1664015 100644 --- a/site.workstation.yml +++ b/site.workstation.yml @@ -43,6 +43,9 @@ - role: _workstation/xorg when: ansible_distribution in ["Archlinux", "OpenBSD"] + - role: sshd + when: '"work" in ansible_hostname' + - role: _workstation/smartcard when: ansible_distribution in ["Archlinux", "OpenBSD"] - role: _workstation/pipewire -- cgit v1.2.3
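Review bot: `failed_when: false` on the `synchronize ssh keys` task turns every failure of `authorized_key` (unknown user, unreadable or malformed key file) into a green run, so a host can end up without an operator's key while the play reports success; drop that line, and if the intent is only to tolerate users that do not exist on some hosts, tolerate exactly that case rather than masking all errors. With `state: present` the task also only ever adds keys: a key removed from `files/keys` stays in every `~/.ssh/authorized_keys` it was ever pushed to, so this role does not handle revocation, and that is worth stating in a comment at the top of the file so nobody treats `files/keys` as the source of truth. If the tree is meant to be authoritative, `exclusive: true` with the keys joined per user is the way to make removals propagate.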
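Review bot: `when: '"work" in ansible_hostname'` is a substring test, so it enables sshd on any host whose hostname happens to contain `work` (a future `network-lab` would match), not just `ws-work01`, and it can only be evaluated after facts are gathered. Select the role from inventory data instead of the name: since the new `[workstations]` group also holds `ws-think03`, a per-host flag is the clearest option, `when: sshd_enabled | default(false) | bool`, with `sshd_enabled: true` set for `ws-work01` in host_vars. That makes the hosts that expose an SSH daemon explicit and reviewable rather than a side effect of naming.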