diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 85f86af..b31ba85 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -57,3 +57,4 @@ master_cert_content: |
 vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
 -----END CERTIFICATE-----
 private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
+vn_witness: false
diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml
index 2b84b89..b0123d3 100644
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
@@ -2,6 +2,17 @@
 apt:
 name: "{{ fail2ban_base_packages }}"
 state: present
+- name: Configure sshd_config settings
+ copy:
+ dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
+ content: |
+ # Do not edit this file! Ansible will overwrite it.
+
+ SyslogFacility AUTH
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify: restart sshd
 - name: Configure fail2ban service
 template:
 src: jail.local
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index ca79ad2..4db5680 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -1,3 +1,5 @@
+- import_tasks: witness.yml
+ tags: witness
 - import_tasks: resolv.yml
 tags: resolv
 - import_tasks: timesync.yml
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index d776420..442fc15 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
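Review bot: The copy task writing `dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf` hands the new fragment straight to `notify: restart sshd` without validating it, so a bad edit to `content` would be installed and then break sshd on every host in the run. Adding `validate: /usr/sbin/sshd -t -f %s` to the copy task makes sshd check the fragment before it is moved into place. The task is named `Configure sshd_config settings`, the same name already used by the sshd drop-in task in tasks/ssh.yml, which makes run output and `--start-at-task` ambiguous; `Configure sshd syslog facility for fail2ban` would distinguish it. The fragment only takes effect if the main sshd_config includes `/etc/ssh/sshd_config.d/*.conf`; that is the Debian default, but nothing visible here checks it.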
@@ -1,29 +1,23 @@ -- name: Generate a new SSH key pair +- name: Generate SSH key pairs openssh_keypair: - path: /etc/ssh/ssh_host_rsa_key - type: rsa - size: 4096 - register: new_pair + path: "/etc/ssh/ssh_host_{{ item.type }}_key" + type: "{{ item.type }}" + force: yes + when: vn_witness + loop: + - { type: 'rsa' } + - { type: 'ecdsa' } + - { type: 'ed25519' } + register: new_pairs + notify: restart sshd - name: Configure sshd_config settings copy: - dest: /etc/ssh/sshd_config.d/vn-custom.conf + dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf content: | # Do not edit this file! Ansible will overwrite it. - + ListenAddress 0.0.0.0 - SyslogFacility AUTH owner: root group: root mode: u=rw,g=r,o=r - notify: restart sshd -- name: Delete old host SSH keys - file: - path: "{{ item }}" - state: absent - with_items: - - /etc/ssh/ssh_host_ecdsa_key - - /etc/ssh/ssh_host_ecdsa_key.pub - - /etc/ssh/ssh_host_ed25519_key - - /etc/ssh/ssh_host_ed25519_key.pub - when: new_pair is succeeded - notify: restart sshd + notify: restart sshd \ No newline at end of file diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml new file mode 100644 index 0000000..26129d8 --- /dev/null +++ b/roles/debian-base/tasks/witness.yml @@ -0,0 +1,12 @@ +- name: Check if witness have been generated + stat: + path: /etc/vn.witness + register: keys_generated_marker +- name: Generate variable if not exists + set_fact: + vn_witness: "{{ not keys_generated_marker.stat.exists }}" +- name: Create marker file to indicate vn happends + file: + path: /etc/vn.witness + state: touch + when: vn_witness \ No newline at end of file diff --git a/roles/debian-guest/handlers/main.yml b/roles/debian-guest/handlers/main.yml index 1764d05..2da7a1c 100644 --- a/roles/debian-guest/handlers/main.yml +++ b/roles/debian-guest/handlers/main.yml @@ -2,5 +2,3 @@ service: name: nslcd state: restarted -- name: pam-update-ldap - shell: pam-auth-update --enable ldap 
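Review bot: The drop-in destination changes from `vn-custom.conf` to `vn-listenipv4.conf`, but no task removes the old path, so hosts configured by the previous version keep `/etc/ssh/sshd_config.d/vn-custom.conf` next to the new file; sshd takes the first value it sees for most keywords, so the stale fragment can shadow the new one. A `file` task with `path: /etc/ssh/sshd_config.d/vn-custom.conf` and `state: absent`, notifying `restart sshd`, should accompany the rename. In the keypair task `force: yes` should be `force: true` (yamllint truthy), and `register: new_pairs` has no consumer now that the `new_pair is succeeded` cleanup task is gone, so it can be dropped unless something outside this file reads it. The explicit `size: 4096` for the RSA key was removed; confirm the module's default for `rsa` is the size intended. The loop items could be plain strings (`- rsa`, with `type: "{{ item }}"`) instead of one-key flow mappings.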
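Review bot: `/etc/vn.witness` is touched in this file, which main.yml imports before ssh.yml, so a run that fails between the touch and the key regeneration leaves the host marked as done and its host keys are never regenerated. Moving the touch to run after ssh.yml and conditioning it on the keypair task having changed, e.g. `when: new_pairs is changed`, ties the marker to the work it records. For the same reason a template image that is itself provisioned with this role carries the marker, so clones keep the template's host keys; worth a comment on the marker task such as `# marker must not be present in base images, or clones will share host keys`. Task names have typos: `Check if witness have been generated` → `Check if witness has been generated`, and `Create marker file to indicate vn happends` → `Create marker file recording that host keys were regenerated`. The file also lacks a trailing newline and a `---` document start.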
diff --git a/roles/debian-guest/tasks/auth.yml b/roles/debian-guest/tasks/auth.yml
index 7930b91..62506be 100644
--- a/roles/debian-guest/tasks/auth.yml
+++ b/roles/debian-guest/tasks/auth.yml
@@ -11,7 +11,7 @@
 mode: '0640'
 notify:
 - restart-nslcd
- - pam-update-ldap
+ register: nslcd
 - name: Configure nsswitch to use NSLCD
 lineinfile:
 dest: /etc/nsswitch.conf
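Review bot: The `pam-update-ldap` notification is replaced by `register: nslcd`, but nothing in this hunk consumes `nslcd`, and the handler that ran `pam-auth-update --enable ldap` is deleted in handlers/main.yml; unless a later task outside the hunk runs that command conditioned on `nslcd is changed`, the LDAP PAM profile is no longer enabled when the nslcd configuration changes. If such a task exists, a short comment here, `# result consumed by the pam-auth-update task below`, would make the link explicit. Placing `register:` after `notify:` is unusual; keeping `register` next to the module block reads better. The enclosing task starts outside the hunk.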