
sshd setup

This commit is contained in:
michael 2023-08-14 22:27:29 +10:00
parent e1fb6b94ee
commit cffbcaea8c
23 changed files with 256 additions and 146 deletions


@ -1,5 +1,7 @@
ansible_connection: ssh ansible_connection: ssh
ansible_host: hv00.balsillie.house ansible_host: 192.168.1.250
ansible_fqdn: hv00.balsillie.house
ansible_port: 22 ansible_port: 22
ansible_become_method: sudo ansible_become_method: sudo
static_fqdn: hv00.balsillie.house
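Review bot: `ansible_fqdn: hv00.balsillie.house` in this host's inventory vars is, per Ansible's documented variable precedence, overridden by the gathered fact of the same name whenever a play runs with `gather_facts: true` (as the new `Configure sshd` play in this commit does), so the value set here is only visible to plays that skip fact gathering. The sshd role itself reads `static_fqdn` for the key comment, key path and client config, and the only template reference to `ansible_fqdn` is the commented-out `Banner` line, so this entry looks redundant and is easy to mistake for the effective value. I would drop it, or keep it with a comment such as `# shadowed by the gathered ansible_fqdn fact when facts are collected; roles should use static_fqdn`.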


@ -1,10 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
39396638396432646535366136363633313138643130333565633334663764336333373235623336
6561323733316666626134613234343231313866643934630a303137653935616562326136363465
37343038613463366435346139616161636238373230643533343462646430636162333261666535
6332646133313830390a306166363133383735346261636530633733313631356165313665346334
66333138663962353665396430326138666266663337323662376235346661393065376430386261
34613233313837303664343634666636623731323034353262643639623065333566363831393332
36653737336164623838306531396466323832626331373737363135376136636565306565356266
33666366383033313865633331363665633164623461636435343663303135616537353066663361
32346262316133343037353334303733343465656363656461356634663433333530


@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
65303065306531633065386131316639323033623166636331386435393231623763356336646337
3430333966353561336334333332343130643065323663610a393664353431623037363731373837
61653866666536383365393434613933393437343135346430643136396236313138613762316438
3439303064366639380a316563666330306636613734666136633066656234363936623536383130
65363364393937343231346133343435383336366464666661663432663663316337356637643165
34303238653334663764633534393237643639636435633436353862663533346634396339343935
34396363306461623564623566356139613564633136313965386337373138316365383732663139
34396438636436376566323435316430376261323835303231663735373465326666666161616330
33663132613733663337393636643736313863643566343366633032396134303462656162376432
62666563376663323537396638306233346238306434643434366131656438303035666265613336
37336135373061393036326633333137356531303038613061373638306435396135383365323265
33623061633139626431


@ -1,6 +1,5 @@
hypervisor: hypervisor:
storage: dir storage: dir
device: /dev/sda
qemu_bridges: qemu_bridges:
- br0 - br0


@ -0,0 +1,16 @@
sshd:
config_path: home
auth:
pubkey: 'yes'
password: 'no'
empty: 'no'
listen:
port: '22'
family: inet
ipv4:
- '192.168.1.250'
- '10.192.110.100'
forwarding:
agent: 'no'
x11: 'no'
nickname: vault


@ -63,7 +63,7 @@ systemd_networkd_configs:
dhcp: false dhcp: false
lldp: true lldp: true
vlans: vlans:
- vlan110 - 110
- name: 20-vlan110.netdev - name: 20-vlan110.netdev
src: vlan.netdev.j2 src: vlan.netdev.j2
vlan_id: 110 vlan_id: 110
@ -74,7 +74,7 @@ systemd_networkd_configs:
dhcp: false dhcp: false
address: address:
ipv4: ipv4:
- 10.192.110.1/24 - 10.192.110.100/24
gateway: gateway:
ipv4: 10.192.110.254 ipv4: 10.192.110.254
nameserver: nameserver:


@ -1,13 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
32663239363537353936346439323334373561303531343365356338626336626237386562376335
3637303166393236323236623637613632313831373065620a646639336130613534666633643633
33393032356261393764646166643465366164356236666464333439333039633934643732616666
6537396433663666650a316266393334656534323135643939336662626563646461363131336437
32383963366163323065376230633366383830626539396563323661643266643139316334616237
35633264626637346635613262383236396530313335346139653239316433646338613339303638
65326134306438333265636337376538313337356164663865653036343666353335663336376463
61616465333461656461313464623635336533363132626534373230633139373064636634613136
33633134313538326662323534386533363833326337383837393036653637663561323837373162
32613733353637313862323837653663343134323761363339333032383239643633666632663563
39366362663334316634346339663337386439386162636639393137306138303163333538616664
64333366663134356435


@ -4,22 +4,38 @@
# Systemd networking # Systemd networking
- name: Setup systemd-networkd # - name: Setup systemd-networkd
hosts: hv00.balsillie.house # hosts: hv00.balsillie.house
become: true # become: true
roles: # roles:
- name: systemd_networkd # - name: systemd_networkd
vars: # vars:
ansible_host: 192.168.1.106 # ansible_host: 192.168.1.106
# Serial console # Serial console
# - name: Setup serial console # - name: Setup serial console
# hosts: hv00_balsillie_house # hosts: hv00.balsillie.house
# become: true # become: true
# roles: # roles:
# - name: serial_console # - name: serial_console
# Hypervisor setup # Hypervisor setup
# - name: Configure hypervisor
# hosts: hv00.balsillie.house
# gather_facts: true
# become: true
# roles:
# - name: hypervisor
# SSHd setup
- name: Configure sshd
hosts: hv00.balsillie.house
gather_facts: true
become: true
roles:
- name: sshd_setup
# VM setup # VM setup


@ -39,7 +39,7 @@
# pacstrap # pacstrap
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup # pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils # sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils
# gen fstab # gen fstab
# genfstab -L /mnt/root >> /mnt/root/etc/fstab # genfstab -L /mnt/root >> /mnt/root/etc/fstab
@ -51,6 +51,11 @@
# set hostname # set hostname
# echo hv00 > /etc/hostname # echo hv00 > /etc/hostname
# TODO add entries to /etc/hosts
# 127.0.0.1 localhost
# ::1 localhost
# 127.0.1.1 static_fqdn
# link timezone # link timezone
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime # ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
@ -65,6 +70,8 @@
# locale-gen # locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf # echo LANG=en_US.UTF-8 > /etc/locale.conf
# uncomment wheel group in /etc/sudoers # uncomment wheel group in /etc/sudoers
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers # sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers


@ -1,15 +1,16 @@
libvirt_packages: libvirt_packages:
arch: Archlinux:
qemu-base - qemu-base
openbsd-netcat - openbsd-netcat
swtpm - swtpm
gettext - gettext
libvirt - libvirt
libvirt-python - libvirt-python
- python-lxml
hypervisor: hypervisor:
storage: dir storage: dir
device: /dev/sda device: /dev/sdb
# hypervisor: # hypervisor:
# storage: zfs # storage: zfs
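Review bot: `device: /dev/sdb` is a destructive setting to ship as a role default: the include guard in the role's `main.yaml` is now only `hypervisor.device is defined` plus "nothing mounted at `/var/lib/libvirt`", and with a default in place the first condition is always true, so any host that applies this role without overriding the variable gets `/dev/sdb` partitioned and formatted by `libvirt_drive_mount.yaml`; note that this commit also removes `device: /dev/sda` from the hv00 host vars, so that host now relies entirely on this default. Leaving `device` out of the defaults (commented out like the `zfs` example below it) makes the `is defined` guard do real work and forces each host to opt in through its own vars. The commit additionally dropped the condition that the device is not the one backing `/`; an exact-membership test never matched for a whole-disk value anyway, since `ansible_mounts` reports partitions, but a prefix match such as `- ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='device') | select('search', '^' ~ hypervisor.device) | list | length == 0` would catch it on plain partition layouts (it cannot help when root sits behind a mapper or UUID path).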


@ -1,12 +1,5 @@
--- ---
- name: Format and mount the libvirt disk if it is not root
when:
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/`].device'))
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
ansible.builtin.include_tasks:
file: libvirt_dir_mount.yaml
- name: Create the libvirt storage directories - name: Create the libvirt storage directories
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"


@ -12,6 +12,8 @@
part_start: 0% part_start: 0%
state: present state: present
# TODO disk encryption
- name: Format filesystem - name: Format filesystem
community.general.filesystem: community.general.filesystem:
device: "{{ hypervisor.device }}1" device: "{{ hypervisor.device }}1"
@ -19,12 +21,24 @@
resizefs: true resizefs: true
state: present state: present
- name: Stop the libvirt service - name: Get list of services
ansible.builtin.service_facts:
- name: Stop the libvirt services
when: item in ansible_facts.services
ansible.builtin.service: ansible.builtin.service:
name: libvirtd name: "{{ item }}"
state: stopped state: stopped
loop:
- libvirtd.service
- name: Check if libvirt storage directory exists
ansible.builtin.stat:
path: /var/lib/libvirt/
register: libvirt_storage
- name: Temp mount and copy block - name: Temp mount and copy block
when: libvirt_storage.stat.exists
block: block:
- name: Temporarily mount hypervisor storage - name: Temporarily mount hypervisor storage
@ -42,6 +56,17 @@
remote_src: true remote_src: true
mode: preserve mode: preserve
- name: Remove existing libvirt storage
ansible.builtin.file:
path: /var/lib/libvirt/
state: "{{ item }}"
owner: root
group: root
mode: '0775'
loop:
- absent
- directory
always: always:
- name: Unmount from temporary mount point - name: Unmount from temporary mount point
@ -49,17 +74,6 @@
path: /mnt/libvirt_temp/ path: /mnt/libvirt_temp/
state: absent state: absent
- name: Remove existing libvirt storage
ansible.builtin.file:
path: /var/lib/libvirt/
state: "{{ item }}"
owner: root
group: root
mode: '0775'
loop:
- absent
- directory
- name: Mount hypervisor storage - name: Mount hypervisor storage
ansible.posix.mount: ansible.posix.mount:
path: /var/lib/libvirt/ path: /var/lib/libvirt/
@ -69,6 +83,9 @@
boot: true boot: true
- name: Start the libvirt service - name: Start the libvirt service
when: item in ansible_facts.services
ansible.builtin.service: ansible.builtin.service:
name: libvirtd name: "{{ item }}"
state: started state: started
loop:
- libvirtd.service
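Review bot: Stopping only `libvirtd.service` (the loop in the `Stop the libvirt services` task, and the matching start loop at the end of this section) does not stop libvirt's socket units; on installs that use socket activation, a client connecting during the temp-mount, copy, remove and remount sequence below re-activates the daemon on top of a `/var/lib/libvirt/` that is about to be deleted. Because `service_facts` appears to report only `.service` units, adding `libvirtd.socket` to this loop would be skipped by the `when: item in ansible_facts.services` guard, so the sockets need a task of their own, roughly as below, with a mirror-image task before `Start the libvirt service`. Running guests are also untouched by this task and would keep image files open across the move; if the role is only meant for first-time setup, a comment on the `Temp mount and copy block` saying so would make that assumption explicit.
```yaml
- name: Stop the libvirt services
  # … unchanged: when/service/loop for libvirtd.service …
- name: Stop libvirt socket units so a client cannot re-activate the daemon mid-move
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: stopped
  loop:
    - libvirtd.socket
    - libvirtd-ro.socket
    - libvirtd-admin.socket
  # NOTE(review): systemd reports an error for a unit that does not exist on
  # installs without socket activation; narrow this to that case once the
  # exact failure message is confirmed rather than masking every failure.
  failed_when: false
```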


@ -1,18 +1,32 @@
--- ---
- name: Install libvirt packages (Arch) - name: Format and mount the libvirt disk if it is not root
when: ansible_os_distribution == 'Archlinux' when:
- hypervisor.device is defined
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
ansible.builtin.include_tasks:
file: libvirt_drive_mount.yaml
- name: Install libvirt packages (Archlinux)
when: ansible_distribution == 'Archlinux'
community.general.pacman: community.general.pacman:
name: "{{ libvirt_packages['Arch'] }}" name: "{{ libvirt_packages['Archlinux'] }}"
state: present state: present
update_cache: true update_cache: true
- name: Add user to libvirt group - name: Add user to libvirt group
ansible.builtin.user: ansible.builtin.user:
name: "{{ ansible_user }}" name: "{{ ansible_user }}"
groups: libvirt groups:
- libvirt
- libvirt-qemu
append: true append: true
- name: Load br_netfilter kernel module so sysctl flags can be set
community.general.modprobe:
name: br_netfilter
state: present
- name: Set required sysctl flags for bridging - name: Set required sysctl flags for bridging
ansible.posix.sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
@ -20,7 +34,7 @@
state: present state: present
sysctl_file: /etc/sysctl.d/bridge.conf sysctl_file: /etc/sysctl.d/bridge.conf
sysctl_set: true sysctl_set: true
value: "{{ item.value }}}}" value: "{{ item.value }}"
loop: loop:
- name: net.ipv4.ip_forward - name: net.ipv4.ip_forward
value: 1 value: 1
@ -77,11 +91,11 @@
community.libvirt.virt_pool: community.libvirt.virt_pool:
command: facts command: facts
- name: Define the standard libvirt storage pools - name: Define the standard libvirt storage pools # TODO add when condition against existing pools
community.libvirt.virt_pool: community.libvirt.virt_pool:
name: "{{ item.name }}" name: "{{ item.name }}"
command: define command: define
xml: "{{ lookup('template', 'dir_pool.xml.j2') }}" xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}"
loop: loop:
- name: isos - name: isos
path: /var/lib/libvirt/isos/ path: /var/lib/libvirt/isos/
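Review bot: The new `Load br_netfilter kernel module` task loads the module for the current boot only; `community.general.modprobe` with just `state: present` writes nothing under `/etc/modules-load.d/`, so after a reboot the module is absent when `systemd-sysctl` applies `/etc/sysctl.d/bridge.conf`, and any `net.bridge.*` keys in that file (presumably the loop entries after `net.ipv4.ip_forward`, which are outside this hunk) fail to apply until something loads it. On a community.general version that supports it, `persistent: present` on the same task is the one-line fix; otherwise an `ansible.builtin.copy` of the line `br_netfilter` into `/etc/modules-load.d/br_netfilter.conf` gives the same result.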


@ -1,6 +0,0 @@
---
openssh_packages:
- openssh
openssh_service: sshd.service
openssh_configuration_file: /etc/ssh/sshd_config
openssh_configuration_mode: 0644


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDSByUetRCOrrCRpyc0HMPVX8mKeJfXUcYH8+6NL2Md ladmin@lab.balsillie.net


@ -1,6 +0,0 @@
---
- name: restart openssh
ansible.builtin.service:
name: "{{ openssh_service }}"
state: restarted


@ -1,39 +0,0 @@
---
- name: install openssh arch
become: true
community.general.pacman:
name: "{{ openssh_packages }}"
state: latest
update_cache: true
reason: explicit
when:
- ansible_os_family == 'Arch'
- name: add authorized keys
ansible.builtin.copy:
dest: "/home/{{ ansible_user }}/.ssh/authorized_keys"
src: "{{ authorized_keys_file }}"
mode: 0600
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
- name: configure openssh
become: true
ansible.builtin.copy:
dest: "{{ openssh_configuration_file }}"
src: "{{ openssh_configuration_src }}"
mode: "{{ openssh_configuration_mode }}"
owner: root
group: root
notify:
- restart openssh
- name: start and enable openssh
become: true
ansible.builtin.service:
name: "{{ openssh_service }}"
state: started
enabled: yes
- name: flush handlers
ansible.builtin.meta: flush_handlers


@ -0,0 +1,16 @@
sshd:
config_path: default
auth:
pubkey: 'yes'
password: 'no'
empty: 'no'
listen:
port: '22'
family: any # 'any', 'inet' or 'inet6'
ipv4:
- '0.0.0.0'
ipv6:
- '::'
forwarding:
agent: 'no'
x11: 'no'


@ -0,0 +1,6 @@
---
- name: Restart sshd
ansible.builtin.service:
name: sshd.service
state: restarted


@ -0,0 +1,76 @@
---
# - name: Debug ansible facts
# ansible.builtin.debug:
# msg: "{{ ansible_facts }}"
# - name: Debug host vars
# ansible.builtin.debug:
# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
- name: Ensure ssh config dir exists
delegate_to: localhost
become: false
ansible.builtin.file:
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: '0700'
- name: Generate local SSH key pair
delegate_to: localhost
become: false
community.crypto.openssh_keypair:
backend: opensshbin
comment: "{{ ansible_user }}@{{ static_fqdn }}"
mode: '0600'
passphrase: "{{ ssh_keygen_passphrase }}"
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}"
regenerate: full_idempotence
size: 521
state: present
type: ecdsa
register: ssh_keygen
- name: Copy SSH pubkey to target
ansible.posix.authorized_key:
key: "{{ ssh_keygen.public_key }}"
user: "{{ ansible_user }}"
state: present
- name: Template out sshd_config
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify:
- Restart sshd
- name: Flush handlers for immediate shhd restart
ansible.builtin.meta: flush_handlers
- name: Add local ssh client config
delegate_to: localhost
become: false
community.general.ssh_config:
host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}"
hostname: "{{ static_fqdn }}"
identity_file: "{{ ssh_keygen.filename }}"
port: "{{ sshd.listen.port | default('22') }}"
remote_user: "{{ ansible_user }}"
ssh_config_file: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
state: present
- name: Include generated ssh config in default config file
delegate_to: localhost
become: false
ansible.builtin.lineinfile:
path: "{{ lookup('env', 'HOME') }}/.ssh/config"
line: "Include {{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
mode: '0600'
state: present
create: true
insertafter: ^Include\s.*$
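Review bot: `Template out sshd_config` writes `/etc/ssh/sshd_config` and the flushed handler restarts sshd immediately, with no syntax check in between, so a template that renders an invalid option (an unexpected `sshd.listen` value, for instance) leaves sshd down on a remote host with the operator locked out. Adding `validate: /usr/sbin/sshd -t -f %s` to that task makes the template module reject the rendered file before it replaces the live one. Separately, `host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}"` in `Add local ssh client config` does not omit anything when `nickname` is unset — `omit` only takes effect when it is the whole value — so hosts on the role defaults, which define no `nickname`, get the omit placeholder string written into the `Host` line; `host: "{{ (sshd.nickname | default('') ~ ' ' ~ static_fqdn) | trim }}"` avoids that. The task name on the `meta: flush_handlers` step also misspells sshd as `shhd`.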


@ -1,19 +1,23 @@
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ Port {{ sshd.listen.port | default('22') }}
AddressFamily {{ sshd.listen.family | default('any') }}
# This is the sshd server system-wide configuration file. See {% if (sshd.listen.family is defined and sshd.listen.family == 'inet') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%}
# sshd_config(5) for more information. {% if sshd.listen.ipv4 is defined -%}
{% for address in sshd.listen.ipv4 -%}
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin ListenAddress {{ address }}
{% endfor -%}
# The strategy used for options in the default sshd_config shipped with {% else -%}
# OpenSSH is to specify options with their default value where ListenAddress 0.0.0.0
# possible, but leave them commented. Uncommented options override the {% endif -%}
# default value. {% endif -%}
{% if (sshd.listen.family is defined and sshd.listen.family == 'inet6') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%}
#Port 22 {% if sshd.listen.ipv6 is defined -%}
#AddressFamily any {% for address in sshd.listen.ipv6 -%}
#ListenAddress 0.0.0.0 ListenAddress {{ address }}
#ListenAddress :: {% endfor -%}
{% else -%}
ListenAddress ::
{% endif -%}
{% endif -%}
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key
@ -34,7 +38,7 @@
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10 #MaxSessions 10
PubkeyAuthentication yes PubkeyAuthentication {{ sshd.auth.pubkey | default('yes') }}
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys # but this is overridden so installations will only check .ssh/authorized_keys
@ -54,8 +58,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no PasswordAuthentication {{ sshd.auth.password | default('yes') }}
#PermitEmptyPasswords no PermitEmptyPasswords {{ sshd.auth.empty | default('no') }}
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
KbdInteractiveAuthentication no KbdInteractiveAuthentication no
@ -81,10 +85,10 @@ KbdInteractiveAuthentication no
# and KbdInteractiveAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes AllowAgentForwarding {{ sshd.forwarding.agent | default('no') }}
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
#X11Forwarding no X11Forwarding {{ sshd.forwarding.x11 | default('no') }}
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@ -103,7 +107,7 @@ PrintMotd no # pam does that
#VersionAddendum none #VersionAddendum none
# no default banner path # no default banner path
#Banner none # Banner Connected to {{ ansible_fqdn | default('host.') }}
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server Subsystem sftp /usr/lib/ssh/sftp-server
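Review bot: `PasswordAuthentication {{ sshd.auth.password | default('yes') }}` inverts the hard-coded `no` it replaces: any host where `sshd.auth.password` is unset now gets password logins enabled, while the role defaults, the hv00 host vars in this commit and every other option in this template fall back to the restrictive value. Failing closed with `PasswordAuthentication {{ sshd.auth.password | default('no') }}` keeps the rendered file no weaker than the static one whenever a host omits the key. In the first hunk, the two family guards could be written as `{% if sshd.listen.family | default('any') in ['inet', 'any'] -%}` (and `['inet6', 'any']`), so that an unset family yields the same `ListenAddress` lines as the `default('any')` used on the `AddressFamily` line instead of none at all.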


@ -10,6 +10,11 @@ LinkLocalAddressing=False
LLDP={{ item.lldp | default(true) }} LLDP={{ item.lldp | default(true) }}
{% if item.vlans is defined -%} {% if item.vlans is defined -%}
{% for vlan in item.vlans -%} {% for vlan in item.vlans -%}
VLAN=vlan{{ vlan }}
{% endfor -%}
[BridgeVLAN]
{% for vlan in item.vlans -%}
VLAN={{ vlan }} VLAN={{ vlan }}
{% endfor -%} {% endfor -%}
{% endif -%} {% endif -%}