wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 15:43:54 +02:00
Code Issues Projects Releases Wiki Activity

fixes

Browse source
This commit is contained in:
Jack Ivanov 2016-08-25 23:51:17 +03:00
commit ac2446dd21
21 changed files with 344 additions and 251 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.gitignore vendored
View file

@ -1,6 +1,3 @@
*.retry *.retry
configs/*.mobileconfig configs/*
configs/*.p12
configs/*.crt
configs/*.tmp
inventory_users inventory_users

29
digitalocean.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
@ -50,23 +51,28 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpn" default: "vpnpw"
private: yes private: yes
roles: roles:
@ -125,10 +131,11 @@
roles: roles:
- common - common
- security - security
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
handlers: handlers:
- name: reload eth0 - name: reload eth0

29
ec2.yml
View file

@ -21,7 +21,6 @@
"11": "sa-east-1" "11": "sa-east-1"
vars_prompt: vars_prompt:
- name: "aws_access_key" - name: "aws_access_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes private: yes
@ -58,23 +57,28 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpn" default: "vpnpw"
private: yes private: yes
roles: roles:
@ -96,7 +100,8 @@
roles: roles:
- common - common
- security - security
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

29
gce.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
gather_facts: false gather_facts: false
@ -54,23 +55,28 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpn" default: "vpnpw"
private: yes private: yes
roles: roles:
@ -92,7 +98,8 @@
roles: roles:
- common - common
- security - security
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

34
non-cloud.yml
View file

@ -1,9 +1,10 @@
# vim:ft=ansible:
- hosts: localhost - hosts: localhost
gather_facts: False gather_facts: False
vars_files: vars_files:
- config.cfg - config.cfg
vars_prompt:
vars_prompt:
- name: "server_ip" - name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n" prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost default: localhost
@ -15,27 +16,32 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpn" default: "vpnpw"
private: yes private: yes
- name: "IP_subject" - name: "IP_subject"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
private: no private: no
tasks: tasks:
@ -47,6 +53,7 @@
ansible_python_interpreter: "/usr/bin/python2.7" ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}" dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}" proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
auditd_enabled: " {{ auditd_enabled }}" auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
IP_subject: "{{ IP_subject }}" IP_subject: "{{ IP_subject }}"
@ -69,7 +76,8 @@
roles: roles:
- common - common
- security - security
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }

1
roles/cloud-digitalocean/tasks/main.yml
View file

@ -33,6 +33,7 @@
do_droplet_id: "{{ do.droplet.id }}" do_droplet_id: "{{ do.droplet.id }}"
dns_enabled: "{{ dns_enabled }}" dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}" proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
auditd_enabled: " {{ auditd_enabled }}" auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: digitalocean cloud_provider: digitalocean

1
roles/cloud-ec2/tasks/main.yml
View file

@ -71,6 +71,7 @@
ansible_python_interpreter: "/usr/bin/python2.7" ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}" dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}" proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
auditd_enabled: " {{ auditd_enabled }}" auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: ec2 cloud_provider: ec2

1
roles/cloud-gce/tasks/main.yml
View file

@ -22,6 +22,7 @@
ansible_python_interpreter: "/usr/bin/python2.7" ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}" dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}" proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
auditd_enabled: " {{ auditd_enabled }}" auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: gce cloud_provider: gce

136
roles/common/templates/sshd_config.j2
View file

@ -1,106 +1,64 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22 Port 22
# ListenAddress ::
# Use these options to restrict which interfaces/protocols sshd will bind to # ListenAddress 0.0.0.0
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2 Protocol 2
# HostKeys for protocol version 2 # LogLevel VERBOSE logs user's key fingerprint on login.
#HostKey /etc/ssh/ssh_host_rsa_key # Needed to have a clear audit log of which keys were used to log in.
#HostKey /etc/ssh/ssh_host_dsa_key SyslogFacility AUTH
HostKey /etc/ssh/ssh_host_ecdsa_key LogLevel VERBOSE
HostKey /etc/ssh/ssh_host_ed25519_key
# Use kernel sandbox mechanisms where possible in unprivilegied processes # Use kernel sandbox mechanisms where possible
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox UsePrivilegeSeparation sandbox
# Lifetime and size of ephemeral version 1 server key # Handy for keeping network connections alive
KeyRegenerationInterval 3600 TCPKeepAlive yes
ServerKeyBits 1024 ClientAliveInterval 120
# Logging # Authentication
SyslogFacility AUTH UsePAM yes
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password PermitRootLogin without-password
StrictModes yes StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
# Subsystem sftp /usr/lib/openssh/sftp-server # Turn off a lot of features
IgnoreRhosts yes
# Set this to 'yes' to enable PAM authentication, account processing, RhostsRSAAuthentication no
# and session processing. If this is enabled, PAM authentication will RSAAuthentication no
# be allowed through the ChallengeResponseAuthentication and HostbasedAuthentication no
# PasswordAuthentication. Depending on your PAM configuration, PermitEmptyPasswords no
# PAM authentication via ChallengeResponseAuthentication may bypass ChallengeResponseAuthentication no
# the setting of "PermitRootLogin yes PasswordAuthentication no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
UseDNS no UseDNS no
# Do not enable sftp
# If you DO enable it, use this line to log which files sftp users read/write
# Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# This makes ansible faster
PrintMotd no
PrintLastLog yes
# Use only modern host keys
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Use only modern ciphers
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 # TODO: I haven't seen anyone review these yet
# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I haven't seen anyone review these yet
# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# Password based logins are disabled - only public key based logins are allowed. {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" %}
AuthenticationMethods publickey Match Group algo
AllowTcpForwarding remote
AllowAgentForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
{% endif %}

2
roles/dns_adblocking/tasks/main.yml
View file

@ -10,7 +10,7 @@
- restart dnsmasq - restart dnsmasq
- name: The dnsmasq directory created - name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- name: Enforce the dnsmasq AppArmor policy - name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq shell: aa-enforce usr.sbin.dnsmasq

2
roles/ssh_tunneling/handlers/main.yml Normal file
View file

@ -0,0 +1,2 @@
- name: restart ssh
service: name=ssh state=restarted

49
roles/ssh_tunneling/tasks/main.yml Normal file
View file

@ -0,0 +1,49 @@
---
- name: Ensure that the algo group exist
group: name=algo state=present
- name: Ensure that the jail directory exist
file: path=/var/jail/ state=directory mode=0755 owner=root group=root
- name: Ensure that the SSH users exist
user:
name: "{{ item }}"
groups: algo
home: '/var/jail/{{ item }}'
createhome: yes
generate_ssh_key: yes
shell: /bin/false
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
state: present
append: yes
with_items: "{{ users }}"
- name: The authorized keys file created
file:
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
owner: "{{ item }}"
group: "{{ item }}"
state: link
with_items: "{{ users }}"
- name: Generate SSH fingerprints
shell: >
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints
- name: The known_hosts file created
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
- name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}"
- name: Fetch the known_hosts file
fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes

3
roles/ssh_tunneling/templates/known_hosts.j2 Normal file
View file

@ -0,0 +1,3 @@
{% for item in ssh_fingerprints.stdout_lines %}
{{ item }}
{% endfor %}

58
users.yml
View file

@ -16,9 +16,14 @@
default: "root" default: "root"
private: no private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpn" default: "vpnpw"
private: yes private: yes
- name: "IP_subject" - name: "IP_subject"
@ -33,6 +38,7 @@
ansible_ssh_user: "{{ server_user }}" ansible_ssh_user: "{{ server_user }}"
ansible_python_interpreter: "/usr/bin/python2.7" ansible_python_interpreter: "/usr/bin/python2.7"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
IP_subject: "{{ IP_subject }}" IP_subject: "{{ IP_subject }}"
- name: Wait for SSH to become available - name: Wait for SSH to become available
@ -114,3 +120,51 @@
- name: Fetch server CA certificate - name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
# SSH
- name: SSH | Ensure that the system users exist
user:
name: "{{ item }}"
groups: algo
home: '/var/jail/{{ item }}'
createhome: yes
generate_ssh_key: yes
shell: /bin/false
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
state: present
append: yes
with_items: "{{ users }}"
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- name: SSH | The authorized keys file created
file:
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
owner: "{{ item }}"
group: "{{ item }}"
state: link
with_items: "{{ users }}"
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- name: SSH | Get active system users
shell: >
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
register: valid_users
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- name: SSH | Delete non-existing users
user:
name: "{{ item }}"
state: absent
remove: yes
force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
with_items: "{{ valid_users.stdout_lines }}"
- name: SSH | Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}"