From cffbcaea8cb1f5a6468d84d0714670002bd2713f Mon Sep 17 00:00:00 2001 
From: michael Date: Mon, 14 Aug 2023 22:27:29 +1000 Subject: [PATCH] sshd setup --- .../ansible_connection.yaml | 4 +- .../ansible_credentials.yaml | 10 --- .../hv00.balsillie.house/credentials.yaml | 13 ++++ .../hv00.balsillie.house/hypervisor.yaml | 1 - .../hv00.balsillie.house/sshd_setup.yaml | 16 ++++ .../systemd_networkd.yaml | 4 +- .../inventory/host_vars/localhost/vault.yaml | 13 ---- .../localhost.yaml | 0 ansible/playbooks/vp2420.yaml | 32 ++++++-- ansible/roles/archinstall/tasks/main.yml | 9 ++- ansible/roles/hypervisor/defaults/main.yaml | 17 +++-- .../roles/hypervisor/tasks/libvirt_dir.yaml | 7 -- ...ir_mount.yaml => libvirt_drive_mount.yaml} | 45 +++++++---- ansible/roles/hypervisor/tasks/main.yaml | 28 +++++-- ansible/roles/sshd/defaults/main.yml | 6 -- ansible/roles/sshd/files/lab_authorized_keys | 1 - ansible/roles/sshd/handlers/main.yml | 6 -- ansible/roles/sshd/tasks/main.yml | 39 ---------- ansible/roles/sshd_setup/defaults/main.yaml | 16 ++++ ansible/roles/sshd_setup/handlers/main.yaml | 6 ++ ansible/roles/sshd_setup/tasks/main.yaml | 76 +++++++++++++++++++ .../templates/sshd_config.j2} | 48 ++++++------ .../templates/bridge.network.j2 | 5 ++ 23 files changed, 256 insertions(+), 146 deletions(-) delete mode 100644 ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml create mode 100644 ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml create mode 100644 ansible/inventory/host_vars/hv00.balsillie.house/sshd_setup.yaml delete mode 100644 ansible/inventory/host_vars/localhost/vault.yaml rename ansible/inventory/host_vars/{localhost => localhost_bak}/localhost.yaml (100%) rename ansible/roles/hypervisor/tasks/{libvirt_dir_mount.yaml => libvirt_drive_mount.yaml} (66%) delete mode 100644 ansible/roles/sshd/defaults/main.yml delete mode 100644 ansible/roles/sshd/files/lab_authorized_keys delete mode 100644 ansible/roles/sshd/handlers/main.yml delete mode 100644 ansible/roles/sshd/tasks/main.yml create mode 100644 
ansible/roles/sshd_setup/defaults/main.yaml create mode 100644 ansible/roles/sshd_setup/handlers/main.yaml create mode 100644 ansible/roles/sshd_setup/tasks/main.yaml rename ansible/roles/{sshd/files/sshd_config_arch => sshd_setup/templates/sshd_config.j2} (69%) diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml index 40ac8d4..f3132ab 100644 --- a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml +++ b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml @@ -1,5 +1,7 @@ ansible_connection: ssh -ansible_host: hv00.balsillie.house +ansible_host: 192.168.1.250 +ansible_fqdn: hv00.balsillie.house ansible_port: 22 ansible_become_method: sudo +static_fqdn: hv00.balsillie.house \ No newline at end of file diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml deleted file mode 100644 index dd336a4..0000000 --- a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml +++ /dev/null @@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -39396638396432646535366136363633313138643130333565633334663764336333373235623336 -6561323733316666626134613234343231313866643934630a303137653935616562326136363465 -37343038613463366435346139616161636238373230643533343462646430636162333261666535 -6332646133313830390a306166363133383735346261636530633733313631356165313665346334 -66333138663962353665396430326138666266663337323662376235346661393065376430386261 -34613233313837303664343634666636623731323034353262643639623065333566363831393332 -36653737336164623838306531396466323832626331373737363135376136636565306565356266 -33666366383033313865633331363665633164623461636435343663303135616537353066663361 -32346262316133343037353334303733343465656363656461356634663433333530 
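Review bot: `ansible_fqdn: hv00.balsillie.house` in host_vars is shadowed whenever the play gathers facts, because gathered host facts rank above inventory host_vars in Ansible's precedence, and the `Configure sshd` play added in vp2420.yaml sets `gather_facts: true`; whatever the target reports as its fqdn is what a template referencing `ansible_fqdn` will see, not this value. The new `static_fqdn` key is the one the sshd_setup role actually reads, so either drop `ansible_fqdn` here or mark the intent with a comment such as `# ansible_fqdn is replaced by gathered facts; roles read static_fqdn` so the two do not drift apart. If the host's own hostname is not the fqdn, the difference is only visible in the rendered sshd_config, which is easy to miss.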
diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml new file mode 100644 index 0000000..70a8adf --- /dev/null +++ b/ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml @@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256 +65303065306531633065386131316639323033623166636331386435393231623763356336646337 +3430333966353561336334333332343130643065323663610a393664353431623037363731373837 +61653866666536383365393434613933393437343135346430643136396236313138613762316438 +3439303064366639380a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diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/hypervisor.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/hypervisor.yaml index c09f490..20f21d4 100644 --- a/ansible/inventory/host_vars/hv00.balsillie.house/hypervisor.yaml +++ b/ansible/inventory/host_vars/hv00.balsillie.house/hypervisor.yaml @@ -1,6 +1,5 @@ hypervisor: storage: dir - device: /dev/sda qemu_bridges: - br0 \ No newline at end of file diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/sshd_setup.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/sshd_setup.yaml new file mode 100644 index 0000000..d341f57 --- /dev/null +++ b/ansible/inventory/host_vars/hv00.balsillie.house/sshd_setup.yaml @@ -0,0 +1,16 @@ +sshd: + config_path: home + auth: + pubkey: 'yes' + password: 'no' + empty: 'no' + listen: + port: '22' + family: inet + ipv4: + - '192.168.1.250' + - '10.192.110.100' + forwarding: + agent: 'no' + x11: 'no' + nickname: vault diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml index 8374f9e..fb1e550 100644 --- a/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml +++ b/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml 
@@ -63,7 +63,7 @@ systemd_networkd_configs: dhcp: false lldp: true vlans: - - vlan110 + - 110 - name: 20-vlan110.netdev src: vlan.netdev.j2 vlan_id: 110 @@ -74,7 +74,7 @@ systemd_networkd_configs: dhcp: false address: ipv4: - - 10.192.110.1/24 + - 10.192.110.100/24 gateway: ipv4: 10.192.110.254 nameserver: diff --git a/ansible/inventory/host_vars/localhost/vault.yaml b/ansible/inventory/host_vars/localhost/vault.yaml deleted file mode 100644 index 28a75bc..0000000 --- a/ansible/inventory/host_vars/localhost/vault.yaml +++ /dev/null @@ -1,13 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -32663239363537353936346439323334373561303531343365356338626336626237386562376335 -3637303166393236323236623637613632313831373065620a646639336130613534666633643633 -33393032356261393764646166643465366164356236666464333439333039633934643732616666 -6537396433663666650a316266393334656534323135643939336662626563646461363131336437 -32383963366163323065376230633366383830626539396563323661643266643139316334616237 -35633264626637346635613262383236396530313335346139653239316433646338613339303638 -65326134306438333265636337376538313337356164663865653036343666353335663336376463 -61616465333461656461313464623635336533363132626534373230633139373064636634613136 -33633134313538326662323534386533363833326337383837393036653637663561323837373162 -32613733353637313862323837653663343134323761363339333032383239643633666632663563 -39366362663334316634346339663337386439386162636639393137306138303163333538616664 -64333366663134356435 diff --git a/ansible/inventory/host_vars/localhost/localhost.yaml b/ansible/inventory/host_vars/localhost_bak/localhost.yaml similarity index 100% rename from ansible/inventory/host_vars/localhost/localhost.yaml rename to ansible/inventory/host_vars/localhost_bak/localhost.yaml diff --git a/ansible/playbooks/vp2420.yaml b/ansible/playbooks/vp2420.yaml index 31c780a..3811fe4 100644 --- a/ansible/playbooks/vp2420.yaml +++ b/ansible/playbooks/vp2420.yaml 
@@ -4,22 +4,38 @@ # Systemd networking -- name: Setup systemd-networkd - hosts: hv00.balsillie.house - become: true - roles: - - name: systemd_networkd - vars: - ansible_host: 192.168.1.106 +# - name: Setup systemd-networkd +# hosts: hv00.balsillie.house +# become: true +# roles: +# - name: systemd_networkd +# vars: +# ansible_host: 192.168.1.106 # Serial console # - name: Setup serial console -# hosts: hv00_balsillie_house +# hosts: hv00.balsillie.house # become: true # roles: # - name: serial_console # Hypervisor setup +# - name: Configure hypervisor +# hosts: hv00.balsillie.house +# gather_facts: true +# become: true +# roles: +# - name: hypervisor + +# SSHd setup + +- name: Configure sshd + hosts: hv00.balsillie.house + gather_facts: true + become: true + roles: + - name: sshd_setup + # VM setup \ No newline at end of file diff --git a/ansible/roles/archinstall/tasks/main.yml b/ansible/roles/archinstall/tasks/main.yml index 5b5360f..bf8b771 100644 --- a/ansible/roles/archinstall/tasks/main.yml +++ b/ansible/roles/archinstall/tasks/main.yml @@ -39,7 +39,7 @@ # pacstrap # pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup -# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils +# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils # gen fstab # genfstab -L /mnt/root >> /mnt/root/etc/fstab @@ -51,6 +51,11 @@ # set hostname # echo hv00 > /etc/hostname + # TODO add entries to /etc/hosts + # 127.0.0.1 localhost + # ::1 localhost + # 127.0.1.1 static_fqdn + # link timezone # ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime @@ -65,6 +70,8 @@ # locale-gen # echo LANG=en_US.UTF-8 > /etc/locale.conf + + # uncomment wheel group in /etc/sudoers # sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers 
diff --git a/ansible/roles/hypervisor/defaults/main.yaml b/ansible/roles/hypervisor/defaults/main.yaml index aec255e..6dd892c 100644 --- a/ansible/roles/hypervisor/defaults/main.yaml +++ b/ansible/roles/hypervisor/defaults/main.yaml @@ -1,15 +1,16 @@ libvirt_packages: - arch: - qemu-base - openbsd-netcat - swtpm - gettext - libvirt - libvirt-python + Archlinux: + - qemu-base + - openbsd-netcat + - swtpm + - gettext + - libvirt + - libvirt-python + - python-lxml hypervisor: storage: dir - device: /dev/sda + device: /dev/sdb # hypervisor: # storage: zfs diff --git a/ansible/roles/hypervisor/tasks/libvirt_dir.yaml b/ansible/roles/hypervisor/tasks/libvirt_dir.yaml index c563323..206150e 100644 --- a/ansible/roles/hypervisor/tasks/libvirt_dir.yaml +++ b/ansible/roles/hypervisor/tasks/libvirt_dir.yaml @@ -1,12 +1,5 @@ --- -- name: Format and mount the libvirt disk if it is not root - when: - - hypervisor.device not in (ansible_mounts | json_query('[?mount == `/`].device')) - - hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device')) - ansible.builtin.include_tasks: - file: libvirt_dir_mount.yaml - - name: Create the libvirt storage directories ansible.builtin.file: path: "{{ item }}" diff --git a/ansible/roles/hypervisor/tasks/libvirt_dir_mount.yaml b/ansible/roles/hypervisor/tasks/libvirt_drive_mount.yaml similarity index 66% rename from ansible/roles/hypervisor/tasks/libvirt_dir_mount.yaml rename to ansible/roles/hypervisor/tasks/libvirt_drive_mount.yaml index 84feaf7..8d82299 100644 --- a/ansible/roles/hypervisor/tasks/libvirt_dir_mount.yaml +++ b/ansible/roles/hypervisor/tasks/libvirt_drive_mount.yaml @@ -12,6 +12,8 @@ part_start: 0% state: present +# TODO disk encryption + - name: Format filesystem community.general.filesystem: device: "{{ hypervisor.device }}1" 
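Review bot: `device: /dev/sdb` as a role default means the `hypervisor.device is defined` guard that hypervisor/tasks/main.yaml now places in front of libvirt_drive_mount.yaml (further down this patch) is satisfied on any host that does not set its own `hypervisor:` dict, and that include partitions and formats the device. With Ansible's default hash behaviour a host_vars `hypervisor:` dict replaces the default dict wholesale, so hv00 (whose `device:` line this same commit removes) ends up with device undefined and is skipped, while a host with no `hypervisor:` entry inherits /dev/sdb and gets it formatted; that asymmetry is hard to see from either file. Leave the default unset so hosts must opt in, e.g. `# device: /dev/sdb  # set per host; the drive is partitioned and formatted by libvirt_drive_mount.yaml`, and keep the `is defined` guard as the real switch.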
@@ -19,12 +21,24 @@ resizefs: true state: present -- name: Stop the libvirt service +- name: Get list of services + ansible.builtin.service_facts: + +- name: Stop the libvirt services + when: item in ansible_facts.services ansible.builtin.service: - name: libvirtd + name: "{{ item }}" state: stopped + loop: + - libvirtd.service + +- name: Check if libvirt storage directory exists + ansible.builtin.stat: + path: /var/lib/libvirt/ + register: libvirt_storage - name: Temp mount and copy block + when: libvirt_storage.stat.exists block: - name: Temporarily mount hypervisor storage @@ -42,6 +56,17 @@ remote_src: true mode: preserve + - name: Remove existing libvirt storage + ansible.builtin.file: + path: /var/lib/libvirt/ + state: "{{ item }}" + owner: root + group: root + mode: '0775' + loop: + - absent + - directory + always: - name: Unmount from temporary mount point @@ -49,17 +74,6 @@ path: /mnt/libvirt_temp/ state: absent -- name: Remove existing libvirt storage - ansible.builtin.file: - path: /var/lib/libvirt/ - state: "{{ item }}" - owner: root - group: root - mode: '0775' - loop: - - absent - - directory - - name: Mount hypervisor storage ansible.posix.mount: path: /var/lib/libvirt/ @@ -69,6 +83,9 @@ boot: true - name: Start the libvirt service + when: item in ansible_facts.services ansible.builtin.service: - name: libvirtd + name: "{{ item }}" state: started + loop: + - libvirtd.service diff --git a/ansible/roles/hypervisor/tasks/main.yaml b/ansible/roles/hypervisor/tasks/main.yaml index 1c9826b..cfcda72 100644 --- a/ansible/roles/hypervisor/tasks/main.yaml +++ b/ansible/roles/hypervisor/tasks/main.yaml 
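Review bot: Stopping only `libvirtd.service` before the temporary mount, copy and `Remove existing libvirt storage` steps is likely not enough where libvirtd is socket-activated, which recent libvirt packages are: a client connecting to `libvirtd.socket`, `libvirtd-ro.socket` or `libvirtd-admin.socket` restarts the daemon while /var/lib/libvirt is being deleted. Since `ansible_facts.services` from service_facts lists .service units only, the `when: item in ansible_facts.services` guard would silently skip socket units added to the same `loop:`; give the sockets their own stop task (ansible.builtin.systemd with `state: stopped`, tolerant of the unit being absent) and a matching start in the last hunk of this file, which currently also starts `libvirtd.service` alone. The `mode: '0775'` on the recreated /var/lib/libvirt is group-writable; the packaged directory is, as far as I can tell, 0755 root:root, so confirm the wider mode is intended.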
@@ -1,18 +1,32 @@ --- -- name: Install libvirt packages (Arch) - when: ansible_os_distribution == 'Archlinux' +- name: Format and mount the libvirt disk if it is not root + when: + - hypervisor.device is defined + - hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device')) + ansible.builtin.include_tasks: + file: libvirt_drive_mount.yaml + +- name: Install libvirt packages (Archlinux) + when: ansible_distribution == 'Archlinux' community.general.pacman: - name: "{{ libvirt_packages['Arch'] }}" + name: "{{ libvirt_packages['Archlinux'] }}" state: present update_cache: true - name: Add user to libvirt group ansible.builtin.user: name: "{{ ansible_user }}" - groups: libvirt + groups: + - libvirt + - libvirt-qemu append: true +- name: Load br_netfilter kernel module so sysctl flags can be set + community.general.modprobe: + name: br_netfilter + state: present + - name: Set required sysctl flags for bridging ansible.posix.sysctl: name: "{{ item.name }}" @@ -20,7 +34,7 @@ state: present sysctl_file: /etc/sysctl.d/bridge.conf sysctl_set: true - value: "{{ item.value }}}}" + value: "{{ item.value }}" loop: - name: net.ipv4.ip_forward value: 1 @@ -77,11 +91,11 @@ community.libvirt.virt_pool: command: facts -- name: Define the standard libvirt storage pools +- name: Define the standard libvirt storage pools # TODO add when condition against existing pools community.libvirt.virt_pool: name: "{{ item.name }}" command: define - xml: "{{ lookup('template', 'dir_pool.xml.j2') }}" + xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}" loop: - name: isos path: /var/lib/libvirt/isos/ diff --git a/ansible/roles/sshd/defaults/main.yml b/ansible/roles/sshd/defaults/main.yml deleted file mode 100644 index cf172ba..0000000 --- a/ansible/roles/sshd/defaults/main.yml +++ /dev/null 
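Review bot: The include condition `hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))` compares the whole disk (`/dev/sdb`) against mounted block devices, which `ansible_mounts` reports as partitions (`/dev/sdb1`, the name the mount tasks themselves format), so the test is true even when the drive is already in use at /var/lib/libvirt and libvirt_drive_mount.yaml runs on every play; the `mount == '/'` check that this commit drops from libvirt_dir.yaml had the same shape and never protected the root disk either. Replace the comparison with a prefix match across all mounts, so a disk with any mounted partition is left alone: `- ansible_mounts | map(attribute='device') | select('match', hypervisor.device ~ '(p?[0-9]+)?$') | list | length == 0`. That single condition subsumes both the root-disk and the already-mounted cases; keep `hypervisor.device is defined` in front of it so the expression is not evaluated on hosts without a device.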
@@ -1,6 +0,0 @@ ---- -openssh_packages: - - openssh -openssh_service: sshd.service -openssh_configuration_file: /etc/ssh/sshd_config -openssh_configuration_mode: 0644 \ No newline at end of file diff --git a/ansible/roles/sshd/files/lab_authorized_keys b/ansible/roles/sshd/files/lab_authorized_keys deleted file mode 100644 index 42520d3..0000000 --- a/ansible/roles/sshd/files/lab_authorized_keys +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDSByUetRCOrrCRpyc0HMPVX8mKeJfXUcYH8+6NL2Md ladmin@lab.balsillie.net diff --git a/ansible/roles/sshd/handlers/main.yml b/ansible/roles/sshd/handlers/main.yml deleted file mode 100644 index 68967ed..0000000 --- a/ansible/roles/sshd/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: restart openssh - ansible.builtin.service: - name: "{{ openssh_service }}" - state: restarted \ No newline at end of file diff --git a/ansible/roles/sshd/tasks/main.yml b/ansible/roles/sshd/tasks/main.yml deleted file mode 100644 index a63ba3b..0000000 --- a/ansible/roles/sshd/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: install openssh arch - become: true - community.general.pacman: - name: "{{ openssh_packages }}" - state: latest - update_cache: true - reason: explicit - when: - - ansible_os_family == 'Arch' - -- name: add authorized keys - ansible.builtin.copy: - dest: "/home/{{ ansible_user }}/.ssh/authorized_keys" - src: "{{ authorized_keys_file }}" - mode: 0600 - owner: "{{ ansible_user }}" - group: "{{ ansible_user }}" - -- name: configure openssh - become: true - ansible.builtin.copy: - dest: "{{ openssh_configuration_file }}" - src: "{{ openssh_configuration_src }}" - mode: "{{ openssh_configuration_mode }}" - owner: root - group: root - notify: - - restart openssh - -- name: start and enable openssh - become: true - ansible.builtin.service: - name: "{{ openssh_service }}" - state: started - enabled: yes - -- name: flush handlers - ansible.builtin.meta: flush_handlers \ No newline at end of file 
diff --git a/ansible/roles/sshd_setup/defaults/main.yaml b/ansible/roles/sshd_setup/defaults/main.yaml new file mode 100644 index 0000000..6cce136 --- /dev/null +++ b/ansible/roles/sshd_setup/defaults/main.yaml @@ -0,0 +1,16 @@ +sshd: + config_path: default + auth: + pubkey: 'yes' + password: 'no' + empty: 'no' + listen: + port: '22' + family: any # 'any', 'inet' or 'inet6' + ipv4: + - '0.0.0.0' + ipv6: + - '::' + forwarding: + agent: 'no' + x11: 'no' diff --git a/ansible/roles/sshd_setup/handlers/main.yaml b/ansible/roles/sshd_setup/handlers/main.yaml new file mode 100644 index 0000000..ddce92d --- /dev/null +++ b/ansible/roles/sshd_setup/handlers/main.yaml @@ -0,0 +1,6 @@ +--- + +- name: Restart sshd + ansible.builtin.service: + name: sshd.service + state: restarted diff --git a/ansible/roles/sshd_setup/tasks/main.yaml b/ansible/roles/sshd_setup/tasks/main.yaml new file mode 100644 index 0000000..21ad2ac --- /dev/null +++ b/ansible/roles/sshd_setup/tasks/main.yaml 
@@ -0,0 +1,76 @@ +--- + +# - name: Debug ansible facts +# ansible.builtin.debug: +# msg: "{{ ansible_facts }}" + +# - name: Debug host vars +# ansible.builtin.debug: +# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}" + +- name: Ensure ssh config dir exists + delegate_to: localhost + become: false + ansible.builtin.file: + path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}" + state: directory + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: '0700' + +- name: Generate local SSH key pair + delegate_to: localhost + become: false + community.crypto.openssh_keypair: + backend: opensshbin + comment: "{{ ansible_user }}@{{ static_fqdn }}" + mode: '0600' + passphrase: "{{ ssh_keygen_passphrase }}" + path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}" + regenerate: full_idempotence + size: 521 + state: present + type: ecdsa + register: ssh_keygen + +- name: Copy SSH pubkey to target + ansible.posix.authorized_key: + key: "{{ ssh_keygen.public_key }}" + user: "{{ ansible_user }}" + state: present + +- name: Template out sshd_config + ansible.builtin.template: + src: sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: '0644' + notify: + - Restart sshd + +- name: Flush handlers for immediate shhd restart + ansible.builtin.meta: flush_handlers + +- name: Add local ssh client config + delegate_to: localhost + become: false + community.general.ssh_config: + host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}" + hostname: "{{ static_fqdn }}" + identity_file: "{{ ssh_keygen.filename }}" + port: "{{ sshd.listen.port | default('22') }}" + remote_user: "{{ ansible_user }}" + ssh_config_file: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf" + state: present + +- name: Include generated ssh config in default config file + delegate_to: localhost + become: false + ansible.builtin.lineinfile: + path: "{{ 
lookup('env', 'HOME') }}/.ssh/config" + line: "Include {{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf" + mode: '0600' + state: present + create: true + insertafter: ^Include\s.*$ diff --git a/ansible/roles/sshd/files/sshd_config_arch b/ansible/roles/sshd_setup/templates/sshd_config.j2 similarity index 69% rename from ansible/roles/sshd/files/sshd_config_arch rename to ansible/roles/sshd_setup/templates/sshd_config.j2 index 43ab249..687e6d8 100644 --- a/ansible/roles/sshd/files/sshd_config_arch +++ b/ansible/roles/sshd_setup/templates/sshd_config.j2 @@ -1,19 +1,23 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: +Port {{ sshd.listen.port | default('22') }} +AddressFamily {{ sshd.listen.family | default('any') }} +{% if (sshd.listen.family is defined and sshd.listen.family == 'inet') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%} +{% if sshd.listen.ipv4 is defined -%} +{% for address in sshd.listen.ipv4 -%} +ListenAddress {{ address }} +{% endfor -%} +{% else -%} +ListenAddress 0.0.0.0 +{% endif -%} +{% endif -%} +{% if (sshd.listen.family is defined and sshd.listen.family == 'inet6') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%} +{% if sshd.listen.ipv6 is defined -%} +{% for address in sshd.listen.ipv6 -%} +ListenAddress {{ address }} +{% endfor -%} +{% else -%} +ListenAddress :: +{% endif -%} +{% endif -%} #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key 
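Review bot: `Template out sshd_config` replaces /etc/ssh/sshd_config and the next task flushes the `Restart sshd` handler, so a render that sshd rejects takes the daemon down on a host this play is itself reaching over ssh, with no way back in; add `validate: /usr/sbin/sshd -t -f %s` to the template task (use the sshd path packaged on the target) so the new file is syntax-checked before it replaces the live one. Two smaller points in the same hunk: the task name `Flush handlers for immediate shhd restart` has a typo, and `insertafter: ^Include\s.*$` falls back to end-of-file when ~/.ssh/config has no Include yet, where the line can land under a preceding `Host` block and apply only there — `insertbefore: BOF` is the placement that always applies globally. `ssh_keygen_passphrase` and `static_fqdn` are consumed here but not declared in defaults/main.yaml; a comment at the top listing them as required inputs would spare the next caller an undefined-variable failure part-way through.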
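Review bot: `AddressFamily {{ sshd.listen.family | default('any') }}` treats an unset family as `any`, but both `{% if ... sshd.listen.family is defined ... %}` guards below it require the key to exist, so with family unset no ListenAddress line is rendered at all and sshd silently falls back to its own all-addresses default rather than the explicit `0.0.0.0`/`::` the role defaults describe. Mirror the default once and reuse it, e.g. `{% set family = sshd.listen.family | default('any') %}` followed by `{% if family in ['inet', 'any'] -%}` and `{% if family in ['inet6', 'any'] -%}`, which also shortens the two conditions considerably. The gap is only reachable when a caller overrides the `sshd:` dict without a family, since defaults/main.yaml sets it, but the rendered file should say what sshd is listening on rather than leave it to the daemon.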
@@ -34,7 +38,7 @@ #MaxAuthTries 6 #MaxSessions 10 -PubkeyAuthentication yes +PubkeyAuthentication {{ sshd.auth.pubkey | default('yes') }} # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys @@ -54,8 +58,8 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -#PermitEmptyPasswords no +PasswordAuthentication {{ sshd.auth.password | default('yes') }} +PermitEmptyPasswords {{ sshd.auth.empty | default('no') }} # Change to no to disable s/key passwords KbdInteractiveAuthentication no @@ -81,10 +85,10 @@ KbdInteractiveAuthentication no # and KbdInteractiveAuthentication to 'no'. UsePAM yes -#AllowAgentForwarding yes +AllowAgentForwarding {{ sshd.forwarding.agent | default('no') }} #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +X11Forwarding {{ sshd.forwarding.x11 | default('no') }} #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes @@ -103,7 +107,7 @@ PrintMotd no # pam does that #VersionAddendum none # no default banner path -#Banner none +# Banner Connected to {{ ansible_fqdn | default('host.') }} # override default of no subsystems Subsystem sftp /usr/lib/ssh/sftp-server diff --git a/ansible/roles/systemd_networkd/templates/bridge.network.j2 b/ansible/roles/systemd_networkd/templates/bridge.network.j2 index 85ad018..5f34e92 100644 --- a/ansible/roles/systemd_networkd/templates/bridge.network.j2 +++ b/ansible/roles/systemd_networkd/templates/bridge.network.j2 @@ -10,6 +10,11 @@ LinkLocalAddressing=False LLDP={{ item.lldp | default(true) }} {% if item.vlans is defined -%} {% for vlan in item.vlans -%} +VLAN=vlan{{ vlan }} +{% endfor -%} + +[BridgeVLAN] +{% for vlan in item.vlans -%} VLAN={{ vlan }} {% endfor -%} {% endif -%} \ No newline at end of file
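Review bot: `PasswordAuthentication {{ sshd.auth.password | default('yes') }}` turns the previously hard-coded `no` into a fallback of `yes`, so any host whose `sshd.auth` dict lacks `password` (a host_vars `sshd:` dict replaces the role defaults wholesale under Ansible's default hash behaviour) ends up with password logins enabled, which both the old file and the new defaults/main.yaml say should be off. Make the fallback fail closed: `PasswordAuthentication {{ sshd.auth.password | default('no') }}`, matching the `default('no')` already used on the PermitEmptyPasswords, AllowAgentForwarding and X11Forwarding lines in the next hunk. In the last hunk of this file, `# Banner Connected to {{ ansible_fqdn | default('host.') }}` is commented out, which is just as well: `Banner` takes the path of a file to display, not the text, so if a banner is wanted the text should be templated into a file and `Banner` pointed at it.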
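Review bot: `VLAN=vlan{{ vlan }}` now derives the netdev name from the VLAN id, so the template only works when each VLAN .netdev is named `vlan<id>`; the `20-vlan110.netdev` entry with `vlan_id: 110` in hv00's systemd_networkd.yaml follows that convention, and this same commit changes the inventory list from `vlan110` to `110` to suit. That coupling is invisible from the template itself, so a comment before the loop such as `{# item.vlans holds ids only: the netdev must be named vlan<id>, and the same ids are enrolled under [BridgeVLAN] below #}` would keep the next edit from passing names again. The second loop writes the ids into `[BridgeVLAN]`, which is VLAN filtering membership; when `item.vlans` is an empty list the section header is still emitted with no VLAN= line, which I expect to be harmless but is worth confirming against systemd.network(5).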