From d26fe55aa9de5f0eb51152c22d12ff28a9c488d4 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Thu, 27 Feb 2020 14:44:24 +0100
Subject: space_server: use common secrets.yml in ansible root

..and generalize and move sshd tasks to fedora role.
---
 roles/debian/tasks/sshd.yml | 8 +++---
 roles/fedora/tasks/main.yml | 2 ++
 roles/fedora/tasks/sshd.yml | 51 ++++++++++++++++++++++++++++++++++++
 roles/space_server/bootstrap.sh | 5 ----
 roles/space_server/tasks/main.yml | 2 --
 roles/space_server/tasks/sshd.yml | 54 ---------------------------------------
 space.yml | 5 +---
 7 files changed, 58 insertions(+), 69 deletions(-)
 create mode 100644 roles/fedora/tasks/sshd.yml
 delete mode 100644 roles/space_server/tasks/sshd.yml
diff --git a/roles/debian/tasks/sshd.yml b/roles/debian/tasks/sshd.yml
index 4c257fe..c342604 100644
--- a/roles/debian/tasks/sshd.yml
+++ b/roles/debian/tasks/sshd.yml
@@ -6,10 +6,10 @@
 owner: root
 group: ssh_keys
 mode: 0640
- with_dict: '{{ ssh_host_keys }}'
+ with_dict: '{{ ssh_host_keys[hostname] }}'
 loop_control:
 label: '/etc/ssh/{{ item.key }}'
- when: ssh_host_keys is defined
+ when: ssh_host_keys is defined and hostname in ssh_host_keys
 - name: Create public host keys
 copy:
@@ -18,10 +18,10 @@
 owner: root
 group: root
 mode: 0644
- with_dict: '{{ ssh_host_keys }}'
+ with_dict: '{{ ssh_host_keys[hostname] }}'
 loop_control:
 label: '/etc/ssh/{{ item.key }}.pub'
- when: ssh_host_keys is defined
+ when: ssh_host_keys is defined and hostname in ssh_host_keys
 - name: Configure SSH daemon
 lineinfile:
diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml
index 4492df5..de4c160 100644
--- a/roles/fedora/tasks/main.yml
+++ b/roles/fedora/tasks/main.yml
@@ -20,5 +20,7 @@
 tags: networkd
 - import_tasks: timesyncd.yml
 tags: timesyncd
+- import_tasks: sshd.yml
+ tags: sshd
 # vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/sshd.yml b/roles/fedora/tasks/sshd.yml
new file mode 100644
index 0000000..603fbf9
--- /dev/null
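Review bot: `with_dict: '{{ ssh_host_keys[hostname] }}'` is rendered when the loop is expanded, which happens before the per-item `when` is evaluated, so on a host where `ssh_host_keys` is undefined (space.yml loads secrets.yml with `ignore_errors: yes`) or `hostname` is not a key in it, the task errors on the undefined lookup instead of being skipped; the same applies to the second hunk at `@@ -18` and to both copy tasks in the new roles/fedora/tasks/sshd.yml. Making the loop expression itself tolerant is what the Ansible docs recommend for this case, e.g. `with_dict: "{{ (ssh_host_keys | default({}))[hostname] | default({}) }}"`, leaving the `when` as a readable guard. I also cannot see where `hostname` is defined in this diff; if it is a play or inventory variable rather than a fact, a short comment naming its source would help, since an undefined name there fails the same way. Both copy tasks start above their hunks, so the `name:`/`copy:` lines are outside what is shown.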
+++ b/roles/fedora/tasks/sshd.yml
@@ -0,0 +1,51 @@
+---
+- name: Create private host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}'
+ content: '{{ item.value.private }}'
+ owner: root
+ group: ssh_keys
+ mode: 0640
+ with_dict: '{{ ssh_host_keys[hostname] }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}'
+ when: ssh_host_keys is defined and hostname in ssh_host_keys
+
+- name: Create public host keys
+ copy:
+ dest: '/etc/ssh/{{ item.key }}.pub'
+ content: '{{ item.value.public }}'
+ owner: root
+ group: root
+ mode: 0644
+ with_dict: '{{ ssh_host_keys[hostname] }}'
+ loop_control:
+ label: '/etc/ssh/{{ item.key }}.pub'
+ when: ssh_host_keys is defined and hostname in ssh_host_keys
+
+- name: Configure SSH daemon
+ lineinfile:
+ path: '/etc/ssh/sshd_config'
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ with_items:
+ - regexp: '^[# ]*PermitRootLogin'
+ line: 'PermitRootLogin no'
+ - regexp: '^PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ - regexp: '^[# ]*GSSAPIAuthentication'
+ line: 'GSSAPIAuthentication no'
+ notify: restart sshd
+
+- name: Enable SSH daemon
+ systemd:
+ name: sshd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable sshd.service
+ when: chroot|bool
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh
index 6d09592..218815e 100755
--- a/roles/space_server/bootstrap.sh
+++ b/roles/space_server/bootstrap.sh
@@ -41,7 +41,6 @@
 set -e
 set -x
 release=29
-secrets='/etc/ansible/secrets.yml'
 dest="/mnt/fedora$release"
 if [[ -e "$dest" ]]; then
 echo "Destination '$dest' already exists. Aborting." >&2
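Review bot: The `- when in chroot` task drops the `args: creates: '/etc/systemd/system/multi-user.target.wants/sshd.service'` guard that the deleted roles/space_server/tasks/sshd.yml had, so `systemctl enable sshd.service` now runs and reports changed on every chroot run; restoring the `creates:` line keeps the task idempotent. In `Configure SSH daemon`, `'^PasswordAuthentication'` is the only regexp without the `[# ]*` prefix, so on a config where that directive is only present commented out, lineinfile appends `PasswordAuthentication no` at end of file; that is harmless for a flat file, but if the file ends in a `Match` block the appended line applies only inside that block and password logins stay enabled globally, and the same would hold for the other two lines if their pattern ever fails to match. Adding `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile task makes sshd reject a config it cannot load before it is written, and `insertbefore: '^Match'` (with `firstmatch: yes`) keeps appended lines in the global section. `notify: restart sshd` assumes the fedora role defines a handler of that name, which this diff does not show.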
@@ -61,10 +60,6 @@
 dnf \
 --enablerepo=updates \
 install glibc-langpack-en dnf git ansible python-unversioned-command
-if [[ -f "$secrets" ]]; then
- install -m660 "$secrets" "$dest$secrets"
-fi
-
 for i in /var/lib/machines /var/lib/portables; do
 if [[ -d "$dest$i" ]]; then
 btrfs subvolume delete "$dest$i"
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 374a8b6..1c5ae7c 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -19,8 +19,6 @@
 tags: networkd
 - import_tasks: nftables.yml
 tags: nftables
-- import_tasks: sshd.yml
- tags: sshd
 - import_tasks: bird.yml
 tags: bird
 - import_tasks: dhcpd.yml
diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml
deleted file mode 100644
index 14597b4..0000000
--- a/roles/space_server/tasks/sshd.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-- name: Create private host keys
- copy:
- dest: '/etc/ssh/{{ item.key }}'
- content: '{{ item.value.private }}'
- owner: root
- group: ssh_keys
- mode: 0640
- with_dict: '{{ ssh_host_keys }}'
- loop_control:
- label: '/etc/ssh/{{ item.key }}'
- when: ssh_host_keys is defined
-
-- name: Create public host keys
- copy:
- dest: '/etc/ssh/{{ item.key }}.pub'
- content: '{{ item.value.public }}'
- owner: root
- group: root
- mode: 0644
- with_dict: '{{ ssh_host_keys }}'
- loop_control:
- label: '/etc/ssh/{{ item.key }}.pub'
- when: ssh_host_keys is defined
-
-- name: Configure sshd
- lineinfile:
- path: '/etc/ssh/sshd_config'
- regexp: '{{ item.regexp }}'
- line: '{{ item.line }}'
- with_items:
- - regexp: '^[# ]*PermitRootLogin'
- line: 'PermitRootLogin no'
- - regexp: '^PasswordAuthentication'
- line: 'PasswordAuthentication no'
- - regexp: '^[# ]*GSSAPIAuthentication'
- line: 'GSSAPIAuthentication no'
- notify:
- - restart sshd
-
-- name: Enable sshd service
- systemd:
- name: sshd.service
- enabled: yes
- masked: no
- state: started
- when: not chroot
-- name: '- when in chroot'
- command: systemctl enable sshd.service
- args:
- creates: '/etc/systemd/system/multi-user.target.wants/sshd.service'
- when: chroot|bool
-
-# vim: set ts=2 sw=2 et:
diff --git a/space.yml b/space.yml
index 1243bad..cb935c9 100644
--- a/space.yml
+++ b/space.yml
@@ -6,10 +6,7 @@
 chroot: "{{ ansible_connection == 'chroot' or 'container' in ansible_env }}"
 tags: always
 - name: Load secrets
- include_vars: '{{ item }}'
- with_first_found:
- - /etc/ansible/secrets.yml
- - secrets.yml
+ include_vars: 'secrets.yml'
 ignore_errors: yes
 tags: always
 roles:
-- 
cgit v1.2.1
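Review bot: With a single fixed path, `ignore_errors: yes` on `Load secrets` now also hides a secrets.yml that exists but is unreadable or fails to parse, and the play carries on into the sshd tasks without `ssh_host_keys`, with only a red "ignoring" line in the output to show it; `with_first_found` with `skip: true` expresses "optional file" explicitly and still fails on a broken one. Since bootstrap.sh no longer installs the file under /etc/ansible and it is now read from the playbook directory, it will sit next to the committed playbook; keeping it out of version control or storing it as an ansible-vault file (`ansible-vault encrypt secrets.yml`, then `--ask-vault-pass`/`--vault-id` at run time) avoids the private host keys ending up in the repository. I cannot see a .gitignore in this diff, so that is a question rather than a finding.

```yaml
- name: Load secrets
  include_vars: '{{ item }}'
  with_first_found:
    - files:
        - secrets.yml
      skip: true
  tags: always
```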