mirror of
https://github.com/trailofbits/algo.git
synced 2025-06-07 15:43:54 +02:00
Add the SSH role to the users-update playbook #92 fixed
This commit is contained in:
Jack Ivanov
parent
ad9d7d6ddb
commit
105cb601e4
1 changed files with 75 additions and 99 deletions
174
users.yml
174
users.yml
|
|
@ -18,7 +18,7 @@
|
||||||
|
|
||||||
- name: "ssh_tunneling_enabled"
|
- name: "ssh_tunneling_enabled"
|
||||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
||||||
default: "y"
|
default: "n"
|
||||||
private: no
|
private: no
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
- name: "easyrsa_p12_export_password"
|
||||||
|
|
@ -56,115 +56,91 @@
|
||||||
- set_fact:
|
- set_fact:
|
||||||
IP_subject_alt_name: "{{ IP_subject }}"
|
IP_subject_alt_name: "{{ IP_subject }}"
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Build the client's pair
|
- name: Build the client's pair
|
||||||
shell: >
|
shell: >
|
||||||
./easyrsa build-client-full {{ item }} nopass &&
|
./easyrsa build-client-full {{ item }} nopass &&
|
||||||
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
||||||
args:
|
args:
|
||||||
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
||||||
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Build the client's p12
|
- name: Build the client's p12
|
||||||
shell: >
|
shell: >
|
||||||
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
|
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
|
||||||
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
||||||
args:
|
args:
|
||||||
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
||||||
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Get active users
|
- name: Get active users
|
||||||
shell: >
|
shell: >
|
||||||
grep ^V pki/index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
|
grep ^V pki/index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
|
||||||
args:
|
args:
|
||||||
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
||||||
register: valid_certs
|
register: valid_certs
|
||||||
|
|
||||||
- name: Revoke non-existing users
|
- name: Revoke non-existing users
|
||||||
shell: >
|
shell: >
|
||||||
ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
|
ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
|
||||||
./easyrsa revoke {{ item }} &&
|
./easyrsa revoke {{ item }} &&
|
||||||
ipsec rereadcrls
|
ipsec rereadcrls
|
||||||
args:
|
args:
|
||||||
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
||||||
when: item not in users
|
when: item not in users
|
||||||
with_items: "{{ valid_certs.stdout_lines }}"
|
with_items: "{{ valid_certs.stdout_lines }}"
|
||||||
|
|
||||||
- name: Register p12 PayloadContent
|
- name: Register p12 PayloadContent
|
||||||
shell: >
|
shell: >
|
||||||
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
|
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
|
||||||
register: PayloadContent
|
register: PayloadContent
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Register CA PayloadContent
|
- name: Register CA PayloadContent
|
||||||
shell: >
|
shell: >
|
||||||
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
|
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
|
||||||
register: PayloadContentCA
|
register: PayloadContentCA
|
||||||
|
|
||||||
- name: Build the mobileconfigs
|
- name: Build the mobileconfigs
|
||||||
template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
|
template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
|
||||||
with_together:
|
with_together:
|
||||||
- "{{ users }}"
|
- "{{ users }}"
|
||||||
- "{{ PayloadContent.results }}"
|
- "{{ PayloadContent.results }}"
|
||||||
no_log: True
|
no_log: True
|
||||||
|
|
||||||
- name: Fetch users P12
|
- name: Fetch users P12
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Fetch users mobileconfig
|
- name: Fetch users mobileconfig
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Fetch server CA certificate
|
- name: Fetch server CA certificate
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
|
||||||
|
|
||||||
# SSH
|
# SSH
|
||||||
|
|
||||||
- name: SSH | Ensure that the system users exist
|
- name: SSH | Get active system users
|
||||||
user:
|
shell: >
|
||||||
name: "{{ item }}"
|
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
|
||||||
groups: algo
|
register: valid_users
|
||||||
home: '/var/jail/{{ item }}'
|
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
||||||
createhome: yes
|
|
||||||
generate_ssh_key: yes
|
|
||||||
shell: /bin/false
|
|
||||||
ssh_key_type: rsa
|
|
||||||
ssh_key_bits: 2048
|
|
||||||
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
|
||||||
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
|
|
||||||
state: present
|
|
||||||
append: yes
|
|
||||||
with_items: "{{ users }}"
|
|
||||||
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
||||||
|
|
||||||
- name: SSH | The authorized keys file created
|
- name: SSH | Delete non-existing users
|
||||||
file:
|
user:
|
||||||
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
|
name: "{{ item }}"
|
||||||
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
state: absent
|
||||||
owner: "{{ item }}"
|
remove: yes
|
||||||
group: "{{ item }}"
|
force: yes
|
||||||
state: link
|
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ valid_users.stdout_lines }}"
|
||||||
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
||||||
|
|
||||||
- name: SSH | Get active system users
|
- name: SSH | Fetch users SSH private keys
|
||||||
shell: >
|
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
||||||
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
|
with_items: "{{ users }}"
|
||||||
register: valid_users
|
|
||||||
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
||||||
|
|
||||||
- name: SSH | Delete non-existing users
|
|
||||||
user:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
remove: yes
|
|
||||||
force: yes
|
|
||||||
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
||||||
with_items: "{{ valid_users.stdout_lines }}"
|
|
||||||
|
|
||||||
- name: SSH | Fetch users SSH private keys
|
|
||||||
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
|
||||||
with_items: "{{ users }}"
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue