Refs #8025 Rol debian-base&guest. ssh task - unify generate SSH key pairs. Add witness task to control initial setup. Separate conf ssh files for failban & ssh task. Remove handler that uses shell, no need it for pam update.

2024-10-16 14:04:55 +02:00 · 2024-10-16 14:04:55 +02:00 · 921e3538cd
parent fa8a788a94
commit 921e3538cd
7 changed files with 41 additions and 23 deletions
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@ -57,3 +57,4 @@ master_cert_content: |
  vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
  -----END CERTIFICATE-----
 private_key_content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
+vn_witness: false
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
@ -2,6 +2,17 @@
  apt:
    name: "{{ fail2ban_base_packages }}"
    state: present
+- name: Configure sshd_config settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
+    content: |
+      # Do not edit this file! Ansible will overwrite it.
+      
+      SyslogFacility AUTH
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: restart sshd
 - name: Configure fail2ban service
  template:
    src: jail.local
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@ -1,3 +1,5 @@
+- import_tasks: witness.yml
+  tags: witness
 - import_tasks: resolv.yml
  tags: resolv
 - import_tasks: timesync.yml
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@ -1,29 +1,23 @@
- name: Generate a new SSH key pair
+- name: Generate SSH key pairs
  openssh_keypair:
-    path: /etc/ssh/ssh_host_rsa_key
-    type: rsa                        
-    size: 4096
-  register: new_pair
+    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+    type: "{{ item.type }}"
+    force: yes
+  when: vn_witness
+  loop:
+    - { type: 'rsa' }
+    - { type: 'ecdsa' }
+    - { type: 'ed25519' }
+  register: new_pairs
+  notify: restart sshd
 - name: Configure sshd_config settings
  copy:
-    dest: /etc/ssh/sshd_config.d/vn-custom.conf
+    dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
    content: |
      # Do not edit this file! Ansible will overwrite it.

      ListenAddress 0.0.0.0
-      SyslogFacility AUTH
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify: restart sshd
- name: Delete old host SSH keys
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/ssh/ssh_host_ecdsa_key
-    - /etc/ssh/ssh_host_ecdsa_key.pub
-    - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_ed25519_key.pub
-  when: new_pair is succeeded
-  notify: restart sshd
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@ -0,0 +1,12 @@
+- name: Check if witness have been generated
+  stat:
+    path: /etc/vn.witness
+  register: keys_generated_marker
+- name: Generate variable if not exists
+  set_fact:
+    vn_witness: "{{ not keys_generated_marker.stat.exists }}"
+- name: Create marker file to indicate vn happends
+  file:
+    path: /etc/vn.witness
+    state: touch
+  when: vn_witness
--- a/roles/debian-guest/handlers/main.yml
+++ b/roles/debian-guest/handlers/main.yml
@ -2,5 +2,3 @@
  service:
    name: nslcd
    state: restarted
- name: pam-update-ldap
-  shell: pam-auth-update --enable ldap
--- a/roles/debian-guest/tasks/auth.yml
+++ b/roles/debian-guest/tasks/auth.yml
@ -11,7 +11,7 @@
    mode: '0640'
  notify:
    - restart-nslcd
-    - pam-update-ldap
+  register: nslcd
 - name: Configure nsswitch to use NSLCD
  lineinfile:
    dest: /etc/nsswitch.conf