sshd setup
This commit is contained in:
parent
e1fb6b94ee
commit
cffbcaea8c
@ -1,5 +1,7 @@
|
|||||||
|
|
||||||
ansible_connection: ssh
|
ansible_connection: ssh
|
||||||
ansible_host: hv00.balsillie.house
|
ansible_host: 192.168.1.250
|
||||||
|
ansible_fqdn: hv00.balsillie.house
|
||||||
ansible_port: 22
|
ansible_port: 22
|
||||||
ansible_become_method: sudo
|
ansible_become_method: sudo
|
||||||
|
static_fqdn: hv00.balsillie.house
|
@ -1,10 +0,0 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
39396638396432646535366136363633313138643130333565633334663764336333373235623336
|
|
||||||
6561323733316666626134613234343231313866643934630a303137653935616562326136363465
|
|
||||||
37343038613463366435346139616161636238373230643533343462646430636162333261666535
|
|
||||||
6332646133313830390a306166363133383735346261636530633733313631356165313665346334
|
|
||||||
66333138663962353665396430326138666266663337323662376235346661393065376430386261
|
|
||||||
34613233313837303664343634666636623731323034353262643639623065333566363831393332
|
|
||||||
36653737336164623838306531396466323832626331373737363135376136636565306565356266
|
|
||||||
33666366383033313865633331363665633164623461636435343663303135616537353066663361
|
|
||||||
32346262316133343037353334303733343465656363656461356634663433333530
|
|
@ -0,0 +1,13 @@
|
|||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
65303065306531633065386131316639323033623166636331386435393231623763356336646337
|
||||||
|
3430333966353561336334333332343130643065323663610a393664353431623037363731373837
|
||||||
|
61653866666536383365393434613933393437343135346430643136396236313138613762316438
|
||||||
|
3439303064366639380a316563666330306636613734666136633066656234363936623536383130
|
||||||
|
65363364393937343231346133343435383336366464666661663432663663316337356637643165
|
||||||
|
34303238653334663764633534393237643639636435633436353862663533346634396339343935
|
||||||
|
34396363306461623564623566356139613564633136313965386337373138316365383732663139
|
||||||
|
34396438636436376566323435316430376261323835303231663735373465326666666161616330
|
||||||
|
33663132613733663337393636643736313863643566343366633032396134303462656162376432
|
||||||
|
62666563376663323537396638306233346238306434643434366131656438303035666265613336
|
||||||
|
37336135373061393036326633333137356531303038613061373638306435396135383365323265
|
||||||
|
33623061633139626431
|
@ -1,6 +1,5 @@
|
|||||||
hypervisor:
|
hypervisor:
|
||||||
storage: dir
|
storage: dir
|
||||||
device: /dev/sda
|
|
||||||
|
|
||||||
qemu_bridges:
|
qemu_bridges:
|
||||||
- br0
|
- br0
|
@ -0,0 +1,16 @@
|
|||||||
|
sshd:
|
||||||
|
config_path: home
|
||||||
|
auth:
|
||||||
|
pubkey: 'yes'
|
||||||
|
password: 'no'
|
||||||
|
empty: 'no'
|
||||||
|
listen:
|
||||||
|
port: '22'
|
||||||
|
family: inet
|
||||||
|
ipv4:
|
||||||
|
- '192.168.1.250'
|
||||||
|
- '10.192.110.100'
|
||||||
|
forwarding:
|
||||||
|
agent: 'no'
|
||||||
|
x11: 'no'
|
||||||
|
nickname: vault
|
@ -63,7 +63,7 @@ systemd_networkd_configs:
|
|||||||
dhcp: false
|
dhcp: false
|
||||||
lldp: true
|
lldp: true
|
||||||
vlans:
|
vlans:
|
||||||
- vlan110
|
- 110
|
||||||
- name: 20-vlan110.netdev
|
- name: 20-vlan110.netdev
|
||||||
src: vlan.netdev.j2
|
src: vlan.netdev.j2
|
||||||
vlan_id: 110
|
vlan_id: 110
|
||||||
@ -74,7 +74,7 @@ systemd_networkd_configs:
|
|||||||
dhcp: false
|
dhcp: false
|
||||||
address:
|
address:
|
||||||
ipv4:
|
ipv4:
|
||||||
- 10.192.110.1/24
|
- 10.192.110.100/24
|
||||||
gateway:
|
gateway:
|
||||||
ipv4: 10.192.110.254
|
ipv4: 10.192.110.254
|
||||||
nameserver:
|
nameserver:
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
32663239363537353936346439323334373561303531343365356338626336626237386562376335
|
|
||||||
3637303166393236323236623637613632313831373065620a646639336130613534666633643633
|
|
||||||
33393032356261393764646166643465366164356236666464333439333039633934643732616666
|
|
||||||
6537396433663666650a316266393334656534323135643939336662626563646461363131336437
|
|
||||||
32383963366163323065376230633366383830626539396563323661643266643139316334616237
|
|
||||||
35633264626637346635613262383236396530313335346139653239316433646338613339303638
|
|
||||||
65326134306438333265636337376538313337356164663865653036343666353335663336376463
|
|
||||||
61616465333461656461313464623635336533363132626534373230633139373064636634613136
|
|
||||||
33633134313538326662323534386533363833326337383837393036653637663561323837373162
|
|
||||||
32613733353637313862323837653663343134323761363339333032383239643633666632663563
|
|
||||||
39366362663334316634346339663337386439386162636639393137306138303163333538616664
|
|
||||||
64333366663134356435
|
|
@ -4,22 +4,38 @@
|
|||||||
|
|
||||||
# Systemd networking
|
# Systemd networking
|
||||||
|
|
||||||
- name: Setup systemd-networkd
|
# - name: Setup systemd-networkd
|
||||||
hosts: hv00.balsillie.house
|
# hosts: hv00.balsillie.house
|
||||||
become: true
|
# become: true
|
||||||
roles:
|
# roles:
|
||||||
- name: systemd_networkd
|
# - name: systemd_networkd
|
||||||
vars:
|
# vars:
|
||||||
ansible_host: 192.168.1.106
|
# ansible_host: 192.168.1.106
|
||||||
|
|
||||||
# Serial console
|
# Serial console
|
||||||
|
|
||||||
# - name: Setup serial console
|
# - name: Setup serial console
|
||||||
# hosts: hv00_balsillie_house
|
# hosts: hv00.balsillie.house
|
||||||
# become: true
|
# become: true
|
||||||
# roles:
|
# roles:
|
||||||
# - name: serial_console
|
# - name: serial_console
|
||||||
|
|
||||||
# Hypervisor setup
|
# Hypervisor setup
|
||||||
|
|
||||||
|
# - name: Configure hypervisor
|
||||||
|
# hosts: hv00.balsillie.house
|
||||||
|
# gather_facts: true
|
||||||
|
# become: true
|
||||||
|
# roles:
|
||||||
|
# - name: hypervisor
|
||||||
|
|
||||||
|
# SSHd setup
|
||||||
|
|
||||||
|
- name: Configure sshd
|
||||||
|
hosts: hv00.balsillie.house
|
||||||
|
gather_facts: true
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- name: sshd_setup
|
||||||
|
|
||||||
# VM setup
|
# VM setup
|
@ -39,7 +39,7 @@
|
|||||||
|
|
||||||
# pacstrap
|
# pacstrap
|
||||||
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
|
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
|
||||||
# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils
|
# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils
|
||||||
|
|
||||||
# gen fstab
|
# gen fstab
|
||||||
# genfstab -L /mnt/root >> /mnt/root/etc/fstab
|
# genfstab -L /mnt/root >> /mnt/root/etc/fstab
|
||||||
@ -51,6 +51,11 @@
|
|||||||
# set hostname
|
# set hostname
|
||||||
# echo hv00 > /etc/hostname
|
# echo hv00 > /etc/hostname
|
||||||
|
|
||||||
|
# TODO add entries to /etc/hosts
|
||||||
|
# 127.0.0.1 localhost
|
||||||
|
# ::1 localhost
|
||||||
|
# 127.0.1.1 static_fqdn
|
||||||
|
|
||||||
# link timezone
|
# link timezone
|
||||||
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
|
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
|
||||||
|
|
||||||
@ -65,6 +70,8 @@
|
|||||||
# locale-gen
|
# locale-gen
|
||||||
# echo LANG=en_US.UTF-8 > /etc/locale.conf
|
# echo LANG=en_US.UTF-8 > /etc/locale.conf
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# uncomment wheel group in /etc/sudoers
|
# uncomment wheel group in /etc/sudoers
|
||||||
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
|
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
|
||||||
|
|
||||||
|
@ -1,15 +1,16 @@
|
|||||||
libvirt_packages:
|
libvirt_packages:
|
||||||
arch:
|
Archlinux:
|
||||||
qemu-base
|
- qemu-base
|
||||||
openbsd-netcat
|
- openbsd-netcat
|
||||||
swtpm
|
- swtpm
|
||||||
gettext
|
- gettext
|
||||||
libvirt
|
- libvirt
|
||||||
libvirt-python
|
- libvirt-python
|
||||||
|
- python-lxml
|
||||||
|
|
||||||
hypervisor:
|
hypervisor:
|
||||||
storage: dir
|
storage: dir
|
||||||
device: /dev/sda
|
device: /dev/sdb
|
||||||
|
|
||||||
# hypervisor:
|
# hypervisor:
|
||||||
# storage: zfs
|
# storage: zfs
|
||||||
|
@ -1,12 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Format and mount the libvirt disk if it is not root
|
|
||||||
when:
|
|
||||||
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/`].device'))
|
|
||||||
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
|
|
||||||
ansible.builtin.include_tasks:
|
|
||||||
file: libvirt_dir_mount.yaml
|
|
||||||
|
|
||||||
- name: Create the libvirt storage directories
|
- name: Create the libvirt storage directories
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
@ -12,6 +12,8 @@
|
|||||||
part_start: 0%
|
part_start: 0%
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
# TODO disk encryption
|
||||||
|
|
||||||
- name: Format filesystem
|
- name: Format filesystem
|
||||||
community.general.filesystem:
|
community.general.filesystem:
|
||||||
device: "{{ hypervisor.device }}1"
|
device: "{{ hypervisor.device }}1"
|
||||||
@ -19,12 +21,24 @@
|
|||||||
resizefs: true
|
resizefs: true
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Stop the libvirt service
|
- name: Get list of services
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
|
||||||
|
- name: Stop the libvirt services
|
||||||
|
when: item in ansible_facts.services
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: libvirtd
|
name: "{{ item }}"
|
||||||
state: stopped
|
state: stopped
|
||||||
|
loop:
|
||||||
|
- libvirtd.service
|
||||||
|
|
||||||
|
- name: Check if libvirt storage directory exists
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /var/lib/libvirt/
|
||||||
|
register: libvirt_storage
|
||||||
|
|
||||||
- name: Temp mount and copy block
|
- name: Temp mount and copy block
|
||||||
|
when: libvirt_storage.stat.exists
|
||||||
block:
|
block:
|
||||||
|
|
||||||
- name: Temporarily mount hypervisor storage
|
- name: Temporarily mount hypervisor storage
|
||||||
@ -42,6 +56,17 @@
|
|||||||
remote_src: true
|
remote_src: true
|
||||||
mode: preserve
|
mode: preserve
|
||||||
|
|
||||||
|
- name: Remove existing libvirt storage
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /var/lib/libvirt/
|
||||||
|
state: "{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0775'
|
||||||
|
loop:
|
||||||
|
- absent
|
||||||
|
- directory
|
||||||
|
|
||||||
always:
|
always:
|
||||||
|
|
||||||
- name: Unmount from temporary mount point
|
- name: Unmount from temporary mount point
|
||||||
@ -49,17 +74,6 @@
|
|||||||
path: /mnt/libvirt_temp/
|
path: /mnt/libvirt_temp/
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Remove existing libvirt storage
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: /var/lib/libvirt/
|
|
||||||
state: "{{ item }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0775'
|
|
||||||
loop:
|
|
||||||
- absent
|
|
||||||
- directory
|
|
||||||
|
|
||||||
- name: Mount hypervisor storage
|
- name: Mount hypervisor storage
|
||||||
ansible.posix.mount:
|
ansible.posix.mount:
|
||||||
path: /var/lib/libvirt/
|
path: /var/lib/libvirt/
|
||||||
@ -69,6 +83,9 @@
|
|||||||
boot: true
|
boot: true
|
||||||
|
|
||||||
- name: Start the libvirt service
|
- name: Start the libvirt service
|
||||||
|
when: item in ansible_facts.services
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: libvirtd
|
name: "{{ item }}"
|
||||||
state: started
|
state: started
|
||||||
|
loop:
|
||||||
|
- libvirtd.service
|
@ -1,18 +1,32 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Install libvirt packages (Arch)
|
- name: Format and mount the libvirt disk if it is not root
|
||||||
when: ansible_os_distribution == 'Archlinux'
|
when:
|
||||||
|
- hypervisor.device is defined
|
||||||
|
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: libvirt_drive_mount.yaml
|
||||||
|
|
||||||
|
- name: Install libvirt packages (Archlinux)
|
||||||
|
when: ansible_distribution == 'Archlinux'
|
||||||
community.general.pacman:
|
community.general.pacman:
|
||||||
name: "{{ libvirt_packages['Arch'] }}"
|
name: "{{ libvirt_packages['Archlinux'] }}"
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Add user to libvirt group
|
- name: Add user to libvirt group
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ ansible_user }}"
|
name: "{{ ansible_user }}"
|
||||||
groups: libvirt
|
groups:
|
||||||
|
- libvirt
|
||||||
|
- libvirt-qemu
|
||||||
append: true
|
append: true
|
||||||
|
|
||||||
|
- name: Load br_netfilter kernel module so sysctl flags can be set
|
||||||
|
community.general.modprobe:
|
||||||
|
name: br_netfilter
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Set required sysctl flags for bridging
|
- name: Set required sysctl flags for bridging
|
||||||
ansible.posix.sysctl:
|
ansible.posix.sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
@ -20,7 +34,7 @@
|
|||||||
state: present
|
state: present
|
||||||
sysctl_file: /etc/sysctl.d/bridge.conf
|
sysctl_file: /etc/sysctl.d/bridge.conf
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
value: "{{ item.value }}}}"
|
value: "{{ item.value }}"
|
||||||
loop:
|
loop:
|
||||||
- name: net.ipv4.ip_forward
|
- name: net.ipv4.ip_forward
|
||||||
value: 1
|
value: 1
|
||||||
@ -77,11 +91,11 @@
|
|||||||
community.libvirt.virt_pool:
|
community.libvirt.virt_pool:
|
||||||
command: facts
|
command: facts
|
||||||
|
|
||||||
- name: Define the standard libvirt storage pools
|
- name: Define the standard libvirt storage pools # TODO add when condition against existing pools
|
||||||
community.libvirt.virt_pool:
|
community.libvirt.virt_pool:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
command: define
|
command: define
|
||||||
xml: "{{ lookup('template', 'dir_pool.xml.j2') }}"
|
xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}"
|
||||||
loop:
|
loop:
|
||||||
- name: isos
|
- name: isos
|
||||||
path: /var/lib/libvirt/isos/
|
path: /var/lib/libvirt/isos/
|
||||||
|
@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
openssh_packages:
|
|
||||||
- openssh
|
|
||||||
openssh_service: sshd.service
|
|
||||||
openssh_configuration_file: /etc/ssh/sshd_config
|
|
||||||
openssh_configuration_mode: 0644
|
|
@ -1 +0,0 @@
|
|||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDSByUetRCOrrCRpyc0HMPVX8mKeJfXUcYH8+6NL2Md ladmin@lab.balsillie.net
|
|
@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: restart openssh
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ openssh_service }}"
|
|
||||||
state: restarted
|
|
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
- name: install openssh arch
|
|
||||||
become: true
|
|
||||||
community.general.pacman:
|
|
||||||
name: "{{ openssh_packages }}"
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
reason: explicit
|
|
||||||
when:
|
|
||||||
- ansible_os_family == 'Arch'
|
|
||||||
|
|
||||||
- name: add authorized keys
|
|
||||||
ansible.builtin.copy:
|
|
||||||
dest: "/home/{{ ansible_user }}/.ssh/authorized_keys"
|
|
||||||
src: "{{ authorized_keys_file }}"
|
|
||||||
mode: 0600
|
|
||||||
owner: "{{ ansible_user }}"
|
|
||||||
group: "{{ ansible_user }}"
|
|
||||||
|
|
||||||
- name: configure openssh
|
|
||||||
become: true
|
|
||||||
ansible.builtin.copy:
|
|
||||||
dest: "{{ openssh_configuration_file }}"
|
|
||||||
src: "{{ openssh_configuration_src }}"
|
|
||||||
mode: "{{ openssh_configuration_mode }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify:
|
|
||||||
- restart openssh
|
|
||||||
|
|
||||||
- name: start and enable openssh
|
|
||||||
become: true
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ openssh_service }}"
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
|
|
||||||
- name: flush handlers
|
|
||||||
ansible.builtin.meta: flush_handlers
|
|
16
ansible/roles/sshd_setup/defaults/main.yaml
Normal file
16
ansible/roles/sshd_setup/defaults/main.yaml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
sshd:
|
||||||
|
config_path: default
|
||||||
|
auth:
|
||||||
|
pubkey: 'yes'
|
||||||
|
password: 'no'
|
||||||
|
empty: 'no'
|
||||||
|
listen:
|
||||||
|
port: '22'
|
||||||
|
family: any # 'any', 'inet' or 'inet6'
|
||||||
|
ipv4:
|
||||||
|
- '0.0.0.0'
|
||||||
|
ipv6:
|
||||||
|
- '::'
|
||||||
|
forwarding:
|
||||||
|
agent: 'no'
|
||||||
|
x11: 'no'
|
6
ansible/roles/sshd_setup/handlers/main.yaml
Normal file
6
ansible/roles/sshd_setup/handlers/main.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Restart sshd
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: sshd.service
|
||||||
|
state: restarted
|
76
ansible/roles/sshd_setup/tasks/main.yaml
Normal file
76
ansible/roles/sshd_setup/tasks/main.yaml
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
# - name: Debug ansible facts
|
||||||
|
# ansible.builtin.debug:
|
||||||
|
# msg: "{{ ansible_facts }}"
|
||||||
|
|
||||||
|
# - name: Debug host vars
|
||||||
|
# ansible.builtin.debug:
|
||||||
|
# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
|
||||||
|
|
||||||
|
- name: Ensure ssh config dir exists
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
|
mode: '0700'
|
||||||
|
|
||||||
|
- name: Generate local SSH key pair
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
community.crypto.openssh_keypair:
|
||||||
|
backend: opensshbin
|
||||||
|
comment: "{{ ansible_user }}@{{ static_fqdn }}"
|
||||||
|
mode: '0600'
|
||||||
|
passphrase: "{{ ssh_keygen_passphrase }}"
|
||||||
|
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}"
|
||||||
|
regenerate: full_idempotence
|
||||||
|
size: 521
|
||||||
|
state: present
|
||||||
|
type: ecdsa
|
||||||
|
register: ssh_keygen
|
||||||
|
|
||||||
|
- name: Copy SSH pubkey to target
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
key: "{{ ssh_keygen.public_key }}"
|
||||||
|
user: "{{ ansible_user }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Template out sshd_config
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: sshd_config.j2
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
notify:
|
||||||
|
- Restart sshd
|
||||||
|
|
||||||
|
- name: Flush handlers for immediate shhd restart
|
||||||
|
ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Add local ssh client config
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
community.general.ssh_config:
|
||||||
|
host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}"
|
||||||
|
hostname: "{{ static_fqdn }}"
|
||||||
|
identity_file: "{{ ssh_keygen.filename }}"
|
||||||
|
port: "{{ sshd.listen.port | default('22') }}"
|
||||||
|
remote_user: "{{ ansible_user }}"
|
||||||
|
ssh_config_file: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Include generated ssh config in default config file
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "{{ lookup('env', 'HOME') }}/.ssh/config"
|
||||||
|
line: "Include {{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
|
||||||
|
mode: '0600'
|
||||||
|
state: present
|
||||||
|
create: true
|
||||||
|
insertafter: ^Include\s.*$
|
@ -1,19 +1,23 @@
|
|||||||
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
|
Port {{ sshd.listen.port | default('22') }}
|
||||||
|
AddressFamily {{ sshd.listen.family | default('any') }}
|
||||||
# This is the sshd server system-wide configuration file. See
|
{% if (sshd.listen.family is defined and sshd.listen.family == 'inet') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%}
|
||||||
# sshd_config(5) for more information.
|
{% if sshd.listen.ipv4 is defined -%}
|
||||||
|
{% for address in sshd.listen.ipv4 -%}
|
||||||
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
|
ListenAddress {{ address }}
|
||||||
|
{% endfor -%}
|
||||||
# The strategy used for options in the default sshd_config shipped with
|
{% else -%}
|
||||||
# OpenSSH is to specify options with their default value where
|
ListenAddress 0.0.0.0
|
||||||
# possible, but leave them commented. Uncommented options override the
|
{% endif -%}
|
||||||
# default value.
|
{% endif -%}
|
||||||
|
{% if (sshd.listen.family is defined and sshd.listen.family == 'inet6') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%}
|
||||||
#Port 22
|
{% if sshd.listen.ipv6 is defined -%}
|
||||||
#AddressFamily any
|
{% for address in sshd.listen.ipv6 -%}
|
||||||
#ListenAddress 0.0.0.0
|
ListenAddress {{ address }}
|
||||||
#ListenAddress ::
|
{% endfor -%}
|
||||||
|
{% else -%}
|
||||||
|
ListenAddress ::
|
||||||
|
{% endif -%}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
@ -34,7 +38,7 @@
|
|||||||
#MaxAuthTries 6
|
#MaxAuthTries 6
|
||||||
#MaxSessions 10
|
#MaxSessions 10
|
||||||
|
|
||||||
PubkeyAuthentication yes
|
PubkeyAuthentication {{ sshd.auth.pubkey | default('yes') }}
|
||||||
|
|
||||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
@ -54,8 +58,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
PasswordAuthentication no
|
PasswordAuthentication {{ sshd.auth.password | default('yes') }}
|
||||||
#PermitEmptyPasswords no
|
PermitEmptyPasswords {{ sshd.auth.empty | default('no') }}
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
KbdInteractiveAuthentication no
|
KbdInteractiveAuthentication no
|
||||||
@ -81,10 +85,10 @@ KbdInteractiveAuthentication no
|
|||||||
# and KbdInteractiveAuthentication to 'no'.
|
# and KbdInteractiveAuthentication to 'no'.
|
||||||
UsePAM yes
|
UsePAM yes
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
AllowAgentForwarding {{ sshd.forwarding.agent | default('no') }}
|
||||||
#AllowTcpForwarding yes
|
#AllowTcpForwarding yes
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
#X11Forwarding no
|
X11Forwarding {{ sshd.forwarding.x11 | default('no') }}
|
||||||
#X11DisplayOffset 10
|
#X11DisplayOffset 10
|
||||||
#X11UseLocalhost yes
|
#X11UseLocalhost yes
|
||||||
#PermitTTY yes
|
#PermitTTY yes
|
||||||
@ -103,7 +107,7 @@ PrintMotd no # pam does that
|
|||||||
#VersionAddendum none
|
#VersionAddendum none
|
||||||
|
|
||||||
# no default banner path
|
# no default banner path
|
||||||
#Banner none
|
# Banner Connected to {{ ansible_fqdn | default('host.') }}
|
||||||
|
|
||||||
# override default of no subsystems
|
# override default of no subsystems
|
||||||
Subsystem sftp /usr/lib/ssh/sftp-server
|
Subsystem sftp /usr/lib/ssh/sftp-server
|
@ -10,6 +10,11 @@ LinkLocalAddressing=False
|
|||||||
LLDP={{ item.lldp | default(true) }}
|
LLDP={{ item.lldp | default(true) }}
|
||||||
{% if item.vlans is defined -%}
|
{% if item.vlans is defined -%}
|
||||||
{% for vlan in item.vlans -%}
|
{% for vlan in item.vlans -%}
|
||||||
|
VLAN=vlan{{ vlan }}
|
||||||
|
{% endfor -%}
|
||||||
|
|
||||||
|
[BridgeVLAN]
|
||||||
|
{% for vlan in item.vlans -%}
|
||||||
VLAN={{ vlan }}
|
VLAN={{ vlan }}
|
||||||
{% endfor -%}
|
{% endfor -%}
|
||||||
{% endif -%}
|
{% endif -%}
|
Loading…
Reference in New Issue
Block a user