Refs #8025 Roles debian-base & guest. ssh task: unify generation of the SSH host key pairs. Add a witness task to control first-run setup. Separate sshd_config.d fragments for the fail2ban and ssh tasks. Remove the shell-based handler; it is not needed for the PAM update.

This commit is contained in:
Xavi Lleó 2024-10-16 14:04:55 +02:00
parent fa8a788a94
commit 921e3538cd
7 changed files with 41 additions and 23 deletions


@ -57,3 +57,4 @@ master_cert_content: |
vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA= vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
-----END CERTIFICATE----- -----END CERTIFICATE-----
private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
vn_witness: false


@ -2,6 +2,17 @@
apt: apt:
name: "{{ fail2ban_base_packages }}" name: "{{ fail2ban_base_packages }}"
state: present state: present
- name: Configure sshd_config settings
copy:
dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
content: |
# Do not edit this file! Ansible will overwrite it.
SyslogFacility AUTH
owner: root
group: root
mode: u=rw,g=r,o=r
notify: restart sshd
- name: Configure fail2ban service - name: Configure fail2ban service
template: template:
src: jail.local src: jail.local
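Review bot: The new `vn-fail2ban.conf` fragment is copied into `/etc/ssh/sshd_config.d/` and immediately notifies `restart sshd` with no syntax check, so a malformed fragment would take sshd down on restart; add `validate: '/usr/sbin/sshd -t -f %s'` to the `copy` task so the handler only fires once the fragment parses. `SyslogFacility AUTH` is already sshd's built-in default, so this file only pins the value against a different setting elsewhere in sshd_config, which is worth stating in the header comment, e.g. `# Keeps sshd logging on facility AUTH so the fail2ban sshd jail sees auth failures.` The fragment only takes effect if the main sshd_config has `Include /etc/ssh/sshd_config.d/*.conf` (the Debian 12 default, presumably not on older images) and if a `restart sshd` handler is reachable from the fail2ban role; neither is visible in this diff. The `Configure fail2ban service` task continues past the end of the hunk.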


@ -1,3 +1,5 @@
- import_tasks: witness.yml
tags: witness
- import_tasks: resolv.yml - import_tasks: resolv.yml
tags: resolv tags: resolv
- import_tasks: timesync.yml - import_tasks: timesync.yml
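Review bot: `witness.yml` is tagged only `witness`, so a tag-limited run such as `--tags ssh` never evaluates the marker and `vn_witness` silently keeps its `false` default from the vars file, which means the host-key regeneration in `ssh.yml` is skipped with no indication. Tagging the import `tags: [witness, always]` makes the stat/set_fact run on every invocation; that is only safe if the marker file is created after the key generation it guards rather than before it, otherwise a tag-limited run would set the marker and permanently suppress the rotation. The imports that follow `timesync.yml` are outside the hunk.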


@ -1,29 +1,23 @@
- name: Generate a new SSH key pair - name: Generate SSH key pairs
openssh_keypair: openssh_keypair:
path: /etc/ssh/ssh_host_rsa_key path: "/etc/ssh/ssh_host_{{ item.type }}_key"
type: rsa type: "{{ item.type }}"
size: 4096 force: yes
register: new_pair when: vn_witness
loop:
- { type: 'rsa' }
- { type: 'ecdsa' }
- { type: 'ed25519' }
register: new_pairs
notify: restart sshd
- name: Configure sshd_config settings - name: Configure sshd_config settings
copy: copy:
dest: /etc/ssh/sshd_config.d/vn-custom.conf dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
content: | content: |
# Do not edit this file! Ansible will overwrite it. # Do not edit this file! Ansible will overwrite it.
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
SyslogFacility AUTH
owner: root owner: root
group: root group: root
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
notify: restart sshd notify: restart sshd
- name: Delete old host SSH keys
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ecdsa_key.pub
- /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_ed25519_key.pub
when: new_pair is succeeded
notify: restart sshd
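Review bot: The explicit `size: 4096` for the RSA host key is dropped in the rewritten `Generate SSH key pairs` task, so the RSA length now depends on the `openssh_keypair` module default (I believe that is 4096, but pin it), and the flat loop has no way to express a per-type size; carry the size in each loop item and pass it through with `omit` so the fixed-size ed25519 entry still works. `force: yes` should be `force: true` per Ansible conventions, and `register: new_pairs` is not consumed anywhere in the hunk, so keep it only if a later task (for instance the marker creation) uses it. Because the task runs with `force` and regenerates all three host keys, every client that pinned the old keys will get a host-key-changed warning; that is intended for first boot but deserves a comment above the task, e.g. `# First run only (vn_witness): replaces the image's cloned host keys.`
```yaml
# First run only (vn_witness): replaces the image's cloned host keys.
- name: Generate SSH key pairs
  openssh_keypair:
    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
    type: "{{ item.type }}"
    # Explicit sizes; ed25519 has a fixed size, so no size is passed for it.
    size: "{{ item.size | default(omit) }}"
    force: true
  when: vn_witness
  loop:
    - { type: rsa, size: 4096 }
    - { type: ecdsa, size: 256 }
    - { type: ed25519 }
  register: new_pairs
  notify: restart sshd
# … unchanged: Configure sshd_config settings (vn-listenipv4.conf) …
```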


@ -0,0 +1,12 @@
- name: Check if witness have been generated
stat:
path: /etc/vn.witness
register: keys_generated_marker
- name: Generate variable if not exists
set_fact:
vn_witness: "{{ not keys_generated_marker.stat.exists }}"
- name: Create marker file to indicate vn happends
file:
path: /etc/vn.witness
state: touch
when: vn_witness
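Review bot: The marker `/etc/vn.witness` is touched in this file, which `main.yml` imports before `ssh.yml`, so it is set before the host keys it is meant to gate have actually been regenerated; if the play fails between the touch and `Generate SSH key pairs`, or runs with a tag set that excludes `ssh`, the next run sees the marker, `vn_witness` becomes `false`, and the image's cloned host keys are never replaced. Create the marker only after the guarded work succeeds: move the `Create marker file` task to the end of the role (or directly after the key generation) with `when: vn_witness and new_pairs is succeeded`. The stat/set_fact pair can stay here, since `vn_witness` must be known before `ssh.yml` runs. A one-line comment above the set_fact, e.g. `# vn_witness is true only on the first run on this host (no marker file yet).`, would make the inverted `stat.exists` gate obvious to the next reader.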


@ -2,5 +2,3 @@
service: service:
name: nslcd name: nslcd
state: restarted state: restarted
- name: pam-update-ldap
shell: pam-auth-update --enable ldap


@ -11,7 +11,7 @@
mode: '0640' mode: '0640'
notify: notify:
- restart-nslcd - restart-nslcd
- pam-update-ldap register: nslcd
- name: Configure nsswitch to use NSLCD - name: Configure nsswitch to use NSLCD
lineinfile: lineinfile:
dest: /etc/nsswitch.conf dest: /etc/nsswitch.conf
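Review bot: `register: nslcd` takes the place of the removed `pam-update-ldap` notify entry, but nothing in the hunk reads the registered result, so unless a later task outside this hunk consumes `nslcd` it is dead and should be dropped; if it is meant to drive a conditional `pam-auth-update`, that task is not visible here. The task that owns these lines starts before the hunk (only its `mode: '0640'` and `notify` are shown), so I cannot tell which file it deploys. With the shell handler gone this role no longer enables the PAM ldap profile itself; presumably the `libpam-ldapd` package postinst does that, and a comment on the task saying so, e.g. `# PAM ldap profile is enabled by the libpam-ldapd package, not by this role.`, would stop the next reader from re-adding the handler.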