From 424fe250d80aa66e5ff6cb46ff1125c07a0f5dba Mon Sep 17 00:00:00 2001
From: michael
Date: Fri, 2 Sep 2022 23:16:21 +1200
Subject: [PATCH] ansible openssh

---
 ansible/ansible.cfg | 11 ++
 ansible/inventory/hosts.yaml | 26 +++++
 ansible/roles/sshd/defaults/main.yml | 7 ++
 ansible/roles/sshd/files/lab_authorized_keys | 1 +
 ansible/roles/sshd/files/sshd_config_arch | 116 +++++++++++++++++++
 ansible/roles/sshd/tasks/main.yml | 7 ++
 6 files changed, 168 insertions(+)
 create mode 100644 ansible/ansible.cfg
 create mode 100644 ansible/inventory/hosts.yaml
 create mode 100644 ansible/roles/sshd/defaults/main.yml
 create mode 100644 ansible/roles/sshd/files/lab_authorized_keys
 create mode 100644 ansible/roles/sshd/files/sshd_config_arch
 create mode 100644 ansible/roles/sshd/tasks/main.yml

diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..55bde9e
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,11 @@
+[defaults]
+inventory = ./inventory/hosts.yaml
+jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+library = modules
+module_utils = module_utils
+display_skipped_hosts = false
+interpreter_python = auto_silent
+collections_paths = ./collections
+collections_path = ./collections
+roles_path = ./roles
+vault_password_file = ../.vault_password.txt
\ No newline at end of file
diff --git a/ansible/inventory/hosts.yaml b/ansible/inventory/hosts.yaml
new file mode 100644
index 0000000..e9a75e1
--- /dev/null
+++ b/ansible/inventory/hosts.yaml
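Review bot: `vault_password_file = ../.vault_password.txt` points at a plaintext vault password sitting one directory above the ansible tree, where presumably only a `.gitignore` entry keeps it out of the repository — nothing in this commit shows that entry, so one accidental `git add -A` from the repo root ships the key that unlocks every vault. Either document the expectation next to the option, `# plaintext vault password; must stay untracked (see ../.gitignore)`, or point the option at an executable that fetches the password from a keyring or agent, since Ansible runs an executable vault-password file as a script rather than reading it. Separately, `collections_paths` and `collections_path` configure the same setting (the plural form is the deprecated alias); keeping both invites a deprecation warning and a later divergence, so drop `collections_paths`.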
@@ -0,0 +1,26 @@ +all: + children: + hosts: + server: + ansible_host: server.balsillie.net + ansible_os_family: Arch + lab: + ansible_host: lab.balsillie.net + ansible_os_family: Arch + nodes: + node1: + ansible_host: node1.balsillie.net + node2: + ansible_host: node2.balsillie.net + node3: + ansible_host: node3.balsillie.net + guests: + router: + ansible_host: router.balsillie.net + workstations: + lat5420: + ansible_host: lat5420.balsillie.net + sff: + ansible_host: sff.balsillie.net + bridie: + ansible_host: bridie.balsillie.net \ No newline at end of file diff --git a/ansible/roles/sshd/defaults/main.yml b/ansible/roles/sshd/defaults/main.yml new file mode 100644 index 0000000..f9dc331 --- /dev/null +++ b/ansible/roles/sshd/defaults/main.yml @@ -0,0 +1,7 @@ +--- +openssh_packages: + - openssh +openssh_service: sshd.service +openssh_configuration_file: /etc/ssh/sshd_config +openssh_template_src: sshd_config_arch +openssh_template_mode: "644" \ No newline at end of file diff --git a/ansible/roles/sshd/files/lab_authorized_keys b/ansible/roles/sshd/files/lab_authorized_keys new file mode 100644 index 0000000..42520d3 --- /dev/null +++ b/ansible/roles/sshd/files/lab_authorized_keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDSByUetRCOrrCRpyc0HMPVX8mKeJfXUcYH8+6NL2Md ladmin@lab.balsillie.net diff --git a/ansible/roles/sshd/files/sshd_config_arch b/ansible/roles/sshd/files/sshd_config_arch new file mode 100644 index 0000000..43ab249 --- /dev/null +++ b/ansible/roles/sshd/files/sshd_config_arch 
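Review bot: The groups under `children` (`hosts`, `nodes`, `guests`, `workstations`) appear to list their members directly — `node1:`, `router:`, `lat5420:` sit immediately under the group name with no `hosts:` key between them. The yaml inventory plugin only accepts `hosts`, `vars` and `children` beneath a group and skips anything else with a warning, which would leave these groups empty and every play targeting them a no-op; indentation is lost in this view, so confirm against the file, but the 26-line count matches the flat reading. The fix is one extra key per group, e.g. `nodes:` / `  hosts:` / `    node1:`, and the top-level group should not be named `hosts` since it collides with that keyword. Also `ansible_os_family: Arch` on `server` and `lab` is a gathered fact, and facts outrank inventory vars, so the value here is overridden whenever facts are gathered — a custom var such as `distro: arch` would be honoured consistently.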
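Review bot: `openssh_template_src: sshd_config_arch` names a template, but the commit adds that file under `roles/sshd/files/`, and it contains no Jinja markup; `template:` looks in `templates/`, so a future deploy task built on this default would fail to find it (or `copy:` would need a differently named variable). Pick one: move the file to `templates/sshd_config_arch.j2` and keep the name, or rename the variable to `openssh_config_src` and deploy with `copy:`. It is also worth recording in this file that `openssh_template_mode` is octal, e.g. `openssh_template_mode: "0644"  # octal; quoted so YAML does not parse it as an int`, since the bare `"644"` relies on Ansible's string-mode handling. Note that none of these defaults are consumed by the `tasks/main.yml` added in the same commit.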
@@ -0,0 +1,116 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/ansible/roles/sshd/tasks/main.yml b/ansible/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..9e2beaa
--- /dev/null
+++ b/ansible/roles/sshd/tasks/main.yml
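Review bot: Root login, host-key selection and user scoping are all left at compiled-in defaults (`#PermitRootLogin prohibit-password` and the three `#HostKey` lines stay commented), so the hardening in this file rests on `PasswordAuthentication no` and `KbdInteractiveAuthentication no` alone; a later OpenSSH build or distro patch that changes a default would silently change this fleet's policy. For a config that is going to be pushed to every host, state the intent explicitly and narrow the surface: `PermitRootLogin no`, `AuthenticationMethods publickey`, and an `AllowGroups <admin-group>` (or `AllowUsers`) line naming the account(s) the `lab_authorized_keys` file is meant for. The `UsePAM yes` + both-`no` combination is the documented way to get PAM account/session checks without PAM authentication, which the file's own comment block already explains, but the file still carries the stock `$OpenBSD … Exp $` header — replace it with a one-line marker such as `# Managed by Ansible (roles/sshd); local edits will be overwritten` so an operator on the host knows where changes belong. Consider also uncommenting only `HostKey /etc/ssh/ssh_host_ed25519_key` so the RSA and ECDSA host keys are not offered at all.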
@@ -0,0 +1,7 @@ +--- +- name: install openssh + ansible.general.pacman: + name: "{{ openssh_packages }}" + state: latest + update_cache: true + reason: explicit \ No newline at end of file
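Review bot: `ansible.general.pacman` does not look like a real collection: as far as I know the pacman module ships in `community.general` (`community.general.pacman`), so this task should fail to resolve the module on every run before it does anything. Change the line to `community.general.pacman:` and make sure that collection is in `./collections` (the `collections_path` set in `ansible.cfg`) or listed in a `requirements.yml`. `state: latest` together with `update_cache: true` refreshes the sync database and then upgrades a single package, which on Arch is a partial upgrade — the one thing the distro's own guidance says not to do; `state: present` installs without pulling the system out of sync and leaves upgrades to a deliberate full `pacman -Syu`. The role defaults declare `openssh_service` and `openssh_configuration_file`, yet this task list only installs the package: there is no copy/template of `sshd_config_arch`, no `validate: /usr/bin/sshd -t -f %s`, and no handler to enable and restart `sshd.service`, so the hardening in this commit is not actually applied to any host.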