Refs #8025 Rol debian-base&guest. ssh task - unify generate SSH key pairs. Add witness task to control initial setup. Separate conf ssh files for failban & ssh task. Remove handler that uses shell, no need it for pam update.
This commit is contained in:
parent
fa8a788a94
commit
921e3538cd
|
@ -57,3 +57,4 @@ master_cert_content: |
|
||||||
vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
|
vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
|
private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
|
||||||
|
vn_witness: false
|
||||||
|
|
|
@ -2,6 +2,17 @@
|
||||||
apt:
|
apt:
|
||||||
name: "{{ fail2ban_base_packages }}"
|
name: "{{ fail2ban_base_packages }}"
|
||||||
state: present
|
state: present
|
||||||
|
- name: Configure sshd_config settings
|
||||||
|
copy:
|
||||||
|
dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
|
||||||
|
content: |
|
||||||
|
# Do not edit this file! Ansible will overwrite it.
|
||||||
|
|
||||||
|
SyslogFacility AUTH
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
notify: restart sshd
|
||||||
- name: Configure fail2ban service
|
- name: Configure fail2ban service
|
||||||
template:
|
template:
|
||||||
src: jail.local
|
src: jail.local
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
- import_tasks: witness.yml
|
||||||
|
tags: witness
|
||||||
- import_tasks: resolv.yml
|
- import_tasks: resolv.yml
|
||||||
tags: resolv
|
tags: resolv
|
||||||
- import_tasks: timesync.yml
|
- import_tasks: timesync.yml
|
||||||
|
|
|
@ -1,29 +1,23 @@
|
||||||
- name: Generate a new SSH key pair
|
- name: Generate SSH key pairs
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
path: /etc/ssh/ssh_host_rsa_key
|
path: "/etc/ssh/ssh_host_{{ item.type }}_key"
|
||||||
type: rsa
|
type: "{{ item.type }}"
|
||||||
size: 4096
|
force: yes
|
||||||
register: new_pair
|
when: vn_witness
|
||||||
|
loop:
|
||||||
|
- { type: 'rsa' }
|
||||||
|
- { type: 'ecdsa' }
|
||||||
|
- { type: 'ed25519' }
|
||||||
|
register: new_pairs
|
||||||
|
notify: restart sshd
|
||||||
- name: Configure sshd_config settings
|
- name: Configure sshd_config settings
|
||||||
copy:
|
copy:
|
||||||
dest: /etc/ssh/sshd_config.d/vn-custom.conf
|
dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
|
||||||
content: |
|
content: |
|
||||||
# Do not edit this file! Ansible will overwrite it.
|
# Do not edit this file! Ansible will overwrite it.
|
||||||
|
|
||||||
ListenAddress 0.0.0.0
|
ListenAddress 0.0.0.0
|
||||||
SyslogFacility AUTH
|
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: u=rw,g=r,o=r
|
mode: u=rw,g=r,o=r
|
||||||
notify: restart sshd
|
notify: restart sshd
|
||||||
- name: Delete old host SSH keys
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items:
|
|
||||||
- /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
- /etc/ssh/ssh_host_ecdsa_key.pub
|
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
|
||||||
- /etc/ssh/ssh_host_ed25519_key.pub
|
|
||||||
when: new_pair is succeeded
|
|
||||||
notify: restart sshd
|
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
- name: Check if witness have been generated
|
||||||
|
stat:
|
||||||
|
path: /etc/vn.witness
|
||||||
|
register: keys_generated_marker
|
||||||
|
- name: Generate variable if not exists
|
||||||
|
set_fact:
|
||||||
|
vn_witness: "{{ not keys_generated_marker.stat.exists }}"
|
||||||
|
- name: Create marker file to indicate vn happends
|
||||||
|
file:
|
||||||
|
path: /etc/vn.witness
|
||||||
|
state: touch
|
||||||
|
when: vn_witness
|
|
@ -2,5 +2,3 @@
|
||||||
service:
|
service:
|
||||||
name: nslcd
|
name: nslcd
|
||||||
state: restarted
|
state: restarted
|
||||||
- name: pam-update-ldap
|
|
||||||
shell: pam-auth-update --enable ldap
|
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
mode: '0640'
|
mode: '0640'
|
||||||
notify:
|
notify:
|
||||||
- restart-nslcd
|
- restart-nslcd
|
||||||
- pam-update-ldap
|
register: nslcd
|
||||||
- name: Configure nsswitch to use NSLCD
|
- name: Configure nsswitch to use NSLCD
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/nsswitch.conf
|
dest: /etc/nsswitch.conf
|
||||||
|
|
Loading…
Reference in New Issue