From 376b0235650c343f57c79f4f9aafb3298ac58d9c Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Tue, 19 Nov 2019 19:16:11 +0100 Subject: [PATCH] Change default SSH port --- config.cfg | 5 +++- files/cloud-init/base.sh | 21 +++++++++++++++++ files/cloud-init/base.yml | 29 ++++++++++++++++++++++++ files/cloud-init/sshd_config | 10 ++++++++ playbooks/cloud-post.yml | 11 +++++---- roles/cloud-azure/files/deployment.json | 15 ++++++++---- roles/cloud-azure/tasks/main.yml | 7 +++++- roles/cloud-cloudstack/tasks/main.yml | 15 ++++-------- roles/cloud-digitalocean/tasks/main.yml | 5 +++- roles/cloud-ec2/files/stack.yaml | 28 ++++++----------------- roles/cloud-ec2/tasks/cloudformation.yml | 2 ++ roles/cloud-ec2/tasks/main.yml | 4 +++- roles/cloud-gce/tasks/main.yml | 12 +++++----- roles/cloud-hetzner/tasks/main.yml | 5 +++- roles/cloud-lightsail/tasks/main.yml | 15 ++++++------ roles/cloud-openstack/tasks/main.yml | 26 ++++++++++----------- roles/cloud-vultr/tasks/main.yml | 24 ++++++++++++-------- roles/common/templates/rules.v4.j2 | 4 ++-- roles/common/templates/rules.v6.j2 | 4 ++-- server.yml | 9 ++++++++ 20 files changed, 166 insertions(+), 85 deletions(-) create mode 100644 files/cloud-init/base.sh create mode 100644 files/cloud-init/base.yml create mode 100644 files/cloud-init/sshd_config diff --git a/config.cfg b/config.cfg index 2bc9c00..9758959 100644 --- a/config.cfg +++ b/config.cfg @@ -11,6 +11,9 @@ users: ### Advanced users only below this line ### +# Changing the port not supported by Scaleway, the default (22) is always used +ssh_port: 4160 + # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false # Supports on MacOS and Linux only (including Windows Subsystem for Linux) pki_in_tmpfs: true 
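Review bot: The comment added above `ssh_port: 4160` names only the Scaleway exception and not what the value controls, although this is the one line users are expected to edit. Suggested wording: `# SSH port for new servers: written into sshd_config by cloud-init and opened in the provider firewall and the iptables rules` followed by `# Not supported by Scaleway, which always uses the default (22)`. The current phrase "Changing the port not supported by Scaleway" also reads as a fragment.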
@@ -127,7 +130,7 @@ congrats: ca_key_pass: | "# The CA key password is {{ CA_password|default(omit) }} #" ssh_access: | - "# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #" + "# Shell access: ssh -i {{ SSH_keys.private }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} -p {{ ssh_port }} #" SSH_keys: comment: algo@ssh diff --git a/files/cloud-init/base.sh b/files/cloud-init/base.sh new file mode 100644 index 0000000..3f1fb44 --- /dev/null +++ b/files/cloud-init/base.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -eux + +apt-get update -y +apt-get install sudo -y + +getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G sudo -p '!' algo + +cat </etc/sudoers.d/10-algo-user +algo ALL=(ALL) NOPASSWD:ALL +EOF + +cat </etc/ssh/sshd_config +{{ lookup('template', 'files/cloud-init/sshd_config') }} +EOF + +test -d /home/algo/.ssh || sudo -u algo mkdir -p /home/algo/.ssh/ +echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | sudo -u algo tee /home/algo/.ssh/authorized_keys + +sudo apt-get remove -y --purge sshguard || true +systemctl restart sshd.service diff --git a/files/cloud-init/base.yml b/files/cloud-init/base.yml new file mode 100644 index 0000000..0ab2482 --- /dev/null +++ b/files/cloud-init/base.yml @@ -0,0 +1,29 @@ +#cloud-config +output: {all: '| tee -a /var/log/cloud-init-output.log'} + +package_update: true +package_upgrade: true + +packages: + - sudo + +users: + - default + - name: algo + homedir: /home/algo + sudo: ALL=(ALL) NOPASSWD:ALL + groups: sudo + shell: /bin/bash + lock_passwd: true + ssh_authorized_keys: + - "{{ lookup('file', '{{ SSH_keys.public }}') }}" + +write_files: + - path: /etc/ssh/sshd_config + content: | + {{ lookup('template', 'files/cloud-init/sshd_config') | indent(width=6) }} + +runcmd: + - set -x + - sudo apt-get remove -y --purge sshguard || true + - systemctl restart sshd.service 
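Review bot: `-p {{ ssh_port }}` in the new `ssh_access` line prints the configured port, not the one the server actually listens on: the comment added earlier in this file says Scaleway always keeps 22, and cloud-post.yml and server.yml record the effective port as `ansible_ssh_port|default(22)`. Using the same expression here, `-p {{ ansible_ssh_port|default(22) }}`, keeps the printed command correct for every provider. The same substitution matters more in roles/common/templates/rules.v4.j2 and rules.v6.j2, which now accept NEW connections only on `{{ ssh_port }}`: on a host whose sshd still listens on 22 (Scaleway, or any host not provisioned through the new cloud-init files) that rule no longer covers the port in use, and, depending on the INPUT policy set elsewhere in those templates, loading the rules would cut off SSH.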
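Review bot: The sudoers fragment written to `/etc/sudoers.d/10-algo-user` is created with the shell's default umask and is neither syntax-checked nor chmod'ed; sudo expects fragments to be mode 0440 and, depending on the version, warns on or ignores files with other modes, and a malformed fragment breaks sudo for every user. Add after the heredoc: `chmod 0440 /etc/sudoers.d/10-algo-user` and `visudo -cf /etc/sudoers.d/10-algo-user`. The heredocs also appear to be unquoted (`cat <<EOF`, assuming the `<<EOF >` part was lost in rendering here), so a `$` or backtick in the rendered sshd_config template would be expanded by the shell; `<<'EOF'` keeps the template content literal.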
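Review bot: `users:` keeps `- default`, so the image's default sudo user is still created alongside `algo`; with the new sshd_config's `AllowUsers algo` it is unreachable over SSH, but that dependency is not written down anywhere in this file. A comment such as `# the image default user stays, but only algo is allowed in by sshd_config (AllowUsers)` above `- default` would keep the next editor from loosening one without the other. In `runcmd`, `systemctl restart sshd.service` restarts without validating the freshly written config; `sshd -t && systemctl restart sshd.service` leaves the old sshd running and reachable when the rendered file is broken, with the error visible in cloud-init-output.log.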
diff --git a/files/cloud-init/sshd_config b/files/cloud-init/sshd_config new file mode 100644 index 0000000..de3b21e --- /dev/null +++ b/files/cloud-init/sshd_config @@ -0,0 +1,10 @@ +Port {{ ssh_port }} +AllowUsers algo +PermitRootLogin no +PasswordAuthentication no +ChallengeResponseAuthentication no +UsePAM yes +X11Forwarding yes +PrintMotd no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml index 78eb607..e871732 100644 --- a/playbooks/cloud-post.yml +++ b/playbooks/cloud-post.yml @@ -9,6 +9,7 @@ groups: vpn-host ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}" ansible_ssh_user: "{{ ansible_ssh_user }}" + ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}" ansible_python_interpreter: "/usr/bin/python3" algo_provider: "{{ algo_provider }}" algo_server_name: "{{ algo_server_name }}" @@ -19,6 +20,7 @@ algo_ssh_tunneling: "{{ algo_ssh_tunneling }}" algo_store_pki: "{{ algo_store_pki }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" + cloudinit: "{{ cloudinit|default(false) }}" - name: Additional variables for the server add_host: @@ -28,7 +30,7 @@ - name: Wait until SSH becomes ready... wait_for: - port: 22 + port: "{{ ansible_ssh_port|default(22) }}" host: "{{ cloud_instance_ip }}" search_regex: "OpenSSH" delay: 10 @@ -47,6 +49,7 @@ - debug: var: IP_subject_alt_name -- name: A short pause, in order to be sure the instance is ready - pause: - seconds: 20 +- name: Wait 600 seconds for target connection to become reachable/usable + wait_for_connection: + delegate_to: "{{ item }}" + loop: "{{ groups['vpn-host'] }}" diff --git a/roles/cloud-azure/files/deployment.json b/roles/cloud-azure/files/deployment.json index 027e562..bb05507 100644 --- a/roles/cloud-azure/files/deployment.json +++ b/roles/cloud-azure/files/deployment.json 
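Review bot: `X11Forwarding yes` enables a feature a headless VPN server has no use for and widens the exposure of connecting clients (a forwarded X11 channel gives the server access to the client's display); `X11Forwarding no` is the safer setting here. Because this file replaces the distribution's sshd_config wholesale, every option not listed (host key paths, any distribution `Include` of sshd_config.d on newer releases) falls back to OpenSSH's built-in defaults, which is worth a header comment such as `# full replacement for the distro sshd_config; unlisted options use OpenSSH defaults`.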
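Review bot: The task name "Wait 600 seconds for target connection to become reachable/usable" promises a 600 s bound, but the task body relies on `wait_for_connection`'s default `timeout`; stating it keeps the name honest if the default ever changes: add `timeout: 600` under `wait_for_connection:`. The `delegate_to`/`loop` over `groups['vpn-host']` is fine as written, since the delegated host's own connection variables (including the new `ansible_ssh_port`) are what the module probes.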
@@ -13,6 +13,12 @@ }, "imageReferenceSku": { "type": "string" + }, + "SshPort": { + "type": "int" + }, + "UserData": { + "type": "string" } }, "variables": { @@ -30,10 +36,10 @@ { "name": "AllowSSH", "properties": { - "description": "Locks inbound down to ssh default port 22.", + "description": "Allow SSH", "protocol": "Tcp", "sourcePortRange": "*", - "destinationPortRange": "22", + "destinationPortRange": "[parameters('SshPort')]", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", @@ -160,13 +166,14 @@ }, "osProfile": { "computerName": "[resourceGroup().name]", - "adminUsername": "ubuntu", + "customData": "[parameters('UserData')]", + "adminUsername": "algo", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { "publicKeys": [ { - "path": "/home/ubuntu/.ssh/authorized_keys", + "path": "/home/algo/.ssh/authorized_keys", "keyData": "[parameters('sshKeyData')]" } ] diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 9ff0925..78971ce 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml @@ -31,8 +31,13 @@ value: "{{ cloud_providers.azure.size }}" imageReferenceSku: value: "{{ cloud_providers.azure.image }}" + SshPort: + value: "{{ ssh_port }}" + UserData: + value: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}" register: azure_rm_deployment - set_fact: cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" diff --git a/roles/cloud-cloudstack/tasks/main.yml b/roles/cloud-cloudstack/tasks/main.yml index a881c83..a3a7781 100644 --- a/roles/cloud-cloudstack/tasks/main.yml +++ b/roles/cloud-cloudstack/tasks/main.yml 
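Review bot: `SshPort` is added as a bare `int` parameter with no range, so an out-of-range `ssh_port` only fails when the NSG rule is created; ARM parameters support bounds, e.g. `"SshPort": { "type": "int", "minValue": 1, "maxValue": 65535 }`. The `destinationPortRange` in the AllowSSH rule in the next hunk is a string property, so if the resource provider rejects the bare int expression, `[string(parameters('SshPort'))]` is the fix.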
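Review bot: The `set_fact` at the end of this hunk sets `ansible_ssh_user` and `ansible_ssh_port` but, unlike every other provider role in this change, not `cloudinit: true`, even though the deployment now passes `files/cloud-init/base.yml` as `UserData`. With cloud-post.yml defaulting `cloudinit` to false, server.yml's wait for `/var/lib/cloud/data/result.json` is skipped on Azure, so the play can start while cloud-init's `package_upgrade` still holds the apt lock. Adding `cloudinit: true` next to `ansible_ssh_port: "{{ ssh_port }}"` matches the other roles, unless it is set elsewhere in this role outside the hunk.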
@@ -26,38 +26,33 @@ end_port: "{{ item.end_port }}" cidr: "{{ item.range }}" with_items: - - { proto: tcp, start_port: 22, end_port: 22, range: 0.0.0.0/0 } + - { proto: tcp, start_port: '{{ ssh_port }}', end_port: '{{ ssh_port }}', range: 0.0.0.0/0 } - { proto: udp, start_port: 4500, end_port: 4500, range: 0.0.0.0/0 } - { proto: udp, start_port: 500, end_port: 500, range: 0.0.0.0/0 } - { proto: udp, start_port: "{{ wireguard_port }}", end_port: "{{ wireguard_port }}", range: 0.0.0.0/0 } - - name: Keypair created - cs_sshkeypair: - name: "{{ SSH_keys.comment|regex_replace('@', '_') }}" - public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - register: cs_keypair - - name: Set facts set_fact: image_id: "{{ cloud_providers.cloudstack.image }}" size: "{{ cloud_providers.cloudstack.size }}" disk: "{{ cloud_providers.cloudstack.disk }}" - keypair_name: "{{ cs_keypair.name }}" - name: Server created cs_instance: name: "{{ algo_server_name }}" root_disk_size: "{{ disk }}" template: "{{ image_id }}" - ssh_key: "{{ keypair_name }}" security_groups: "{{ cs_security_group.name }}" zone: "{{ algo_region }}" service_offering: "{{ size }}" + user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}" register: cs_server - set_fact: cloud_instance_ip: "{{ cs_server.default_ip }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true environment: CLOUDSTACK_CONFIG: "{{ algo_cs_config }}" CLOUDSTACK_REGION: "{{ algo_cs_region }}" diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index b381525..b41becd 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml 
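Review bot: Removing the "Keypair created" task and `ssh_key:` means SSH access to the new instance now depends entirely on the image executing the cloud-config passed in `user_data:`; an image without cloud-init gets neither the `algo` user nor a key, and the failure only surfaces as the 600 s timeout in cloud-post.yml. A comment on the `user_data:` line would record that requirement, e.g. `# the image must run cloud-init: the algo user, its key and the SSH port are provisioned only from this user-data`. The same applies to the OpenStack and Vultr hunks, which drop their keypair tasks in the same way.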
@@ -21,10 +21,13 @@ unique_name: true ipv6: true ssh_keys: "{{ do_ssh_key.data.ssh_key.id }}" + user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}" tags: - Environment:Algo register: digital_ocean_droplet - set_fact: cloud_instance_ip: "{{ digital_ocean_droplet.data.ip_address }}" - ansible_ssh_user: root + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-ec2/files/stack.yaml b/roles/cloud-ec2/files/stack.yaml index 33cdde6..661d5dc 100644 --- a/roles/cloud-ec2/files/stack.yaml +++ b/roles/cloud-ec2/files/stack.yaml @@ -16,6 +16,10 @@ Parameters: Default: '' EbsEncrypted: Type: String + UserData: + Type: String + SshPort: + Type: String Conditions: AllocateNewEIP: !Equals [!Ref UseThisElasticIP, ''] AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']] @@ -123,8 +127,8 @@ Resources: GroupDescription: Enable SSH and IPsec SecurityGroupIngress: - IpProtocol: tcp - FromPort: '22' - ToPort: '22' + FromPort: !Ref SshPort + ToPort: !Ref SshPort CidrIp: 0.0.0.0/0 - IpProtocol: udp FromPort: '500' @@ -148,16 +152,6 @@ Resources: - SubnetIPv6 - Subnet - InstanceSecurityGroup - Metadata: - AWS::CloudFormation::Init: - config: - files: - /home/ubuntu/.ssh/authorized_keys: - content: - Ref: PublicSSHKeyParameter - mode: "000644" - owner: "ubuntu" - group: "ubuntu" Properties: InstanceType: Ref: InstanceTypeParameter @@ -174,15 +168,7 @@ Resources: Ref: ImageIdParameter SubnetId: !Ref Subnet Ipv6AddressCount: 1 - UserData: - "Fn::Base64": - !Sub | - #!/bin/bash -xe - apt-get update - apt-get -y install python-pip - pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz - cfn-init -v --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} - cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} + UserData: !Ref UserData Tags: - Key: Name Value: !Ref AWS::StackName 
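Review bot: `ssh_keys:` is still passed to the droplet although the login user is now `algo` (provisioned by cloud-init) and the new sshd_config has `AllowUsers algo` and `PermitRootLogin no`, which makes the root key it installs unusable; a later reader may remove it as dead code. It is worth keeping with a comment, e.g. `# keep: without a key the provider falls back to a generated root password sent by e-mail`. The same holds for the Hetzner hunk, which keeps `ssh_keys:` for the same reason.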
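Review bot: `SshPort` is declared `Type: String` with no validation although it feeds `FromPort`/`ToPort` of the security group, which are integers. `Type: Number` with `MinValue: 1` and `MaxValue: 65535` rejects a bad `ssh_port` at stack validation instead of mid-deployment: `SshPort:` / `Type: Number` / `MinValue: 1` / `MaxValue: 65535`.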
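Review bot: The replaced user-data script ended with `cfn-signal` for `EC2Instance`, and the new `UserData: !Ref UserData` cloud-config sends no signal; if `EC2Instance` still carries a `CreationPolicy` (outside this hunk), stack creation now hangs until that policy's timeout. Either drop the policy or add a signal step to the cloud-config. The value must also already be base64, which the `b64encode` in tasks/cloudformation.yml provides; a comment on this line, e.g. `# base64-encoded cloud-config, see tasks/cloudformation.yml`, saves the next reader a trip.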
diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml index 27f4265..4ddc8d6 100644 --- a/roles/cloud-ec2/tasks/cloudformation.yml +++ b/roles/cloud-ec2/tasks/cloudformation.yml @@ -14,6 +14,8 @@ WireGuardPort: "{{ wireguard_port }}" UseThisElasticIP: "{{ existing_eip }}" EbsEncrypted: "{{ encrypted }}" + UserData: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}" + SshPort: "{{ ssh_port }}" tags: Environment: Algo register: stack diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 674705e..450b267 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -24,4 +24,6 @@ - set_fact: cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index cd50fc6..ca68567 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -32,7 +32,7 @@ - '{{ wireguard_port|string }}' - ip_protocol: tcp ports: - - '22' + - '{{ ssh_port }}' - ip_protocol: icmp - block: @@ -64,10 +64,8 @@ initialize_params: source_image: "projects/ubuntu-os-cloud/global/images/family/{{ cloud_providers.gce.image }}" metadata: - ssh-keys: "ubuntu:{{ ssh_public_key_lookup }}" - user-data: | - #!/bin/bash - sudo apt-get remove -y --purge sshguard + ssh-keys: "algo:{{ ssh_public_key_lookup }}" + user-data: "{{ lookup('template', 'files/cloud-init/base.yml') }}" network_interfaces: - network: "{{ gcp_compute_network }}" access_configs: @@ -81,4 +79,6 @@ - set_fact: cloud_instance_ip: "{{ gcp_compute_instance.networkInterfaces[0].accessConfigs[0].natIP }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-hetzner/tasks/main.yml b/roles/cloud-hetzner/tasks/main.yml index 629e721..cbae7c6 100644 
--- a/roles/cloud-hetzner/tasks/main.yml +++ b/roles/cloud-hetzner/tasks/main.yml @@ -22,10 +22,13 @@ state: present api_token: "{{ algo_hcloud_token }}" ssh_keys: "{{ hcloud_ssh_key.hcloud_ssh_key.name }}" + user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}" labels: Environment: algo register: hcloud_server - set_fact: cloud_instance_ip: "{{ hcloud_server.hcloud_server.ipv4_address }}" - ansible_ssh_user: root + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-lightsail/tasks/main.yml b/roles/cloud-lightsail/tasks/main.yml index b41feb4..0ee04b4 100644 --- a/roles/cloud-lightsail/tasks/main.yml +++ b/roles/cloud-lightsail/tasks/main.yml @@ -17,6 +17,9 @@ bundle_id: "{{ cloud_providers.lightsail.size }}" wait_timeout: "300" open_ports: + - from_port: "{{ ssh_port }}" + to_port: "{{ ssh_port }}" + protocol: tcp - from_port: 4500 to_port: 4500 protocol: udp @@ -27,15 +30,11 @@ to_port: "{{ wireguard_port }}" protocol: udp user_data: | - #!/bin/bash - mkdir -p /home/ubuntu/.ssh/ - echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" >> /home/ubuntu/.ssh/authorized_keys - chown -R ubuntu: /home/ubuntu/.ssh/ - chmod 0700 /home/ubuntu/.ssh/ - chmod 0600 /home/ubuntu/.ssh/* - test + {{ lookup('template', 'files/cloud-init/base.sh') }} register: algo_instance - set_fact: cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-openstack/tasks/main.yml b/roles/cloud-openstack/tasks/main.yml index fd451c5..e710def 100644 --- a/roles/cloud-openstack/tasks/main.yml +++ b/roles/cloud-openstack/tasks/main.yml 
@@ -22,26 +22,26 @@ port_range_max: "{{ item.port_max }}" remote_ip_prefix: "{{ item.range }}" with_items: - - { proto: tcp, port_min: 22, port_max: 22, range: 0.0.0.0/0 } + - { proto: tcp, port_min: '{{ ssh_port }}', port_max: '{{ ssh_port }}', range: 0.0.0.0/0 } - { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 } - { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 } - { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 } - { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 } -- name: Keypair created - os_keypair: - state: "{{ state|default('present') }}" - name: "{{ SSH_keys.comment|regex_replace('@', '_') }}" - public_key_file: "{{ SSH_keys.public }}" - register: os_keypair - - name: Gather facts about flavors os_flavor_facts: ram: "{{ cloud_providers.openstack.flavor_ram }}" - name: Gather facts about images os_image_facts: - image: "{{ cloud_providers.openstack.image }}" + +- name: Set image as a fact + set_fact: + image_id: "{{ item.id }}" + loop: "{{ openstack_image }}" + when: + - item.name == cloud_providers.openstack.image + - item.status == "active" - name: Gather facts about public networks os_networks_facts: @@ -58,8 +58,6 @@ - name: Set facts set_fact: flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}" - image_id: "{{ openstack_image['id'] }}" - keypair_name: "{{ os_keypair.key.name }}" security_group_name: "{{ os_security_group['secgroup']['name'] }}" - name: Server created 
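Review bot: The new "Set image as a fact" loop sets `image_id` only when an entry of `openstack_image` matches by name and `status == "active"`; if nothing matches, `image_id` stays undefined and the failure surfaces later in "Server created" as an unrelated undefined-variable error, and if several images share the name the last match silently wins. An `assert` right after the loop gives a clear failure: `- assert:` / `that: image_id is defined` / `fail_msg: "No active image named {{ cloud_providers.openstack.image }}"`. Dropping the `image:` argument from `os_image_facts` appears to make it return every image in the project, which is what the status filter needs but may be slow on large catalogues.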
@@ -68,12 +66,14 @@ name: "{{ algo_server_name }}" image: "{{ image_id }}" flavor: "{{ flavor_id }}" - key_name: "{{ keypair_name }}" security_groups: "{{ security_group_name }}" + userdata: "{{ lookup('template', 'files/cloud-init/base.yml') }}" nics: - net-id: "{{ public_network_id }}" register: os_server - set_fact: cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}" - ansible_ssh_user: ubuntu + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true diff --git a/roles/cloud-vultr/tasks/main.yml b/roles/cloud-vultr/tasks/main.yml index 79b51df..ff34709 100644 --- a/roles/cloud-vultr/tasks/main.yml +++ b/roles/cloud-vultr/tasks/main.yml @@ -3,12 +3,6 @@ import_tasks: prompts.yml - block: - - name: Upload the SSH key - vultr_ssh_key: - name: "{{ SSH_keys.comment }}" - ssh_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - register: ssh_key - - name: Creating a firewall group vultr_firewall_group: name: "{{ algo_server_name }}" @@ -21,8 +15,8 @@ ip_version: "{{ item.ip }}" cidr: "{{ item.cidr }}" with_items: - - { protocol: tcp, port: 22, ip: v4, cidr: "0.0.0.0/0" } - - { protocol: tcp, port: 22, ip: v6, cidr: "::/0" } + - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: "0.0.0.0/0" } + - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" } - { protocol: udp, port: 500, ip: v4, cidr: "0.0.0.0/0" } - { protocol: udp, port: 500, ip: v6, cidr: "::/0" } - { protocol: udp, port: 4500, ip: v4, cidr: "0.0.0.0/0" } 
@@ -30,9 +24,18 @@ - { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: "0.0.0.0/0" } - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" } + - name: Upload the startup script + vultr_startup_script: + name: algo-startup + script: | + {{ lookup('template', 'files/cloud-init/base.sh') }} + mkdir -p /var/lib/cloud/data/ || true + touch /var/lib/cloud/data/result.json + - name: Creating a server vultr_server: name: "{{ algo_server_name }}" + startup_script: algo-startup hostname: "{{ algo_server_name }}" os: "{{ cloud_providers.vultr.os }}" plan: "{{ cloud_providers.vultr.size }}" @@ -40,7 +43,6 @@ firewall_group: "{{ algo_server_name }}" state: started tag: Environment:Algo - ssh_key: "{{ ssh_key.vultr_ssh_key.name }}" ipv6_enabled: true auto_backup_enabled: false notify_activate: false @@ -48,7 +50,9 @@ - set_fact: cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}" - ansible_ssh_user: root + ansible_ssh_user: algo + ansible_ssh_port: "{{ ssh_port }}" + cloudinit: true environment: VULTR_API_CONFIG: "{{ algo_vultr_config }}" diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2 index 9708435..378db71 100644 --- a/roles/common/templates/rules.v4.j2 +++ b/roles/common/templates/rules.v4.j2 @@ -64,8 +64,8 @@ COMMIT -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }} -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT -# Allow new traffic to port 22 (SSH) --A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +# Allow new traffic to port {{ ssh_port }} (SSH) +-A INPUT -p tcp --dport {{ ssh_port }} -m conntrack --ctstate NEW -j ACCEPT {% if ipsec_enabled %} # Allow any traffic from the IPsec VPN 
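Review bot: `vultr_startup_script` uses the fixed `name: algo-startup`, and startup scripts are account-wide on Vultr, so each deployment overwrites the one script with its own `ssh_port` and public key; two deployments from the same account in close succession can boot a server with the other's script, and the account retains a script listing the last key used. Naming it per server keeps them apart: `name: "{{ algo_server_name }}"` here and `startup_script: "{{ algo_server_name }}"` on the `vultr_server` task. The trailing `mkdir -p /var/lib/cloud/data/ || true` and `touch /var/lib/cloud/data/result.json` hand-create the marker that server.yml waits for and deserve a line such as `# not run by cloud-init: create the marker that server.yml's wait_for expects`.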
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2 index 5969a95..1d37bb9 100644 --- a/roles/common/templates/rules.v6.j2 +++ b/roles/common/templates/rules.v6.j2 @@ -70,8 +70,8 @@ COMMIT -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }} -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT -# Allow new traffic to port 22 (SSH) --A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +# Allow new traffic to port {{ ssh_port }} (SSH) +-A INPUT -p tcp --dport {{ ssh_port }} -m conntrack --ctstate NEW -j ACCEPT # Accept properly formatted Neighbor Discovery Protocol packets -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT diff --git a/server.yml b/server.yml index b46b650..c418382 100644 --- a/server.yml +++ b/server.yml @@ -6,6 +6,14 @@ vars_files: - config.cfg tasks: + - name: Wait until the cloud-init completed + wait_for: + path: /var/lib/cloud/data/result.json + delay: 10 + timeout: 600 + state: present + when: cloudinit + - block: - import_role: name: common @@ -40,6 +48,7 @@ content: | server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }} server_user: {{ ansible_ssh_user }} + ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}" {% if algo_provider != "local" %} ansible_ssh_private_key_file: {{ SSH_keys.private }} {% endif %}
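Review bot: `when: cloudinit` on the new "Wait until the cloud-init completed" task has no default, while every other reference to `cloudinit` in this change uses `cloudinit|default(false)`; if server.yml is run against a host not added by cloud-post.yml (the local provider, or a saved inventory — the config file written further down in this file does not persist `cloudinit`), the task errors on an undefined variable instead of skipping. `when: cloudinit|default(false)` keeps the skip. Separately, the presence of `/var/lib/cloud/data/result.json` shows only that cloud-init finished, not that it succeeded: the file carries an errors list when a module failed, so a failed sshd_config write still satisfies this wait and the play fails later with a less informative connection error. A follow-up check of that file (or `cloud-init status` where the marker was not hand-created, as in the Vultr startup script) would surface the real cause.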