mirror of
https://github.com/trailofbits/algo.git
synced 2025-07-24 14:33:02 +02:00
e8947f318b
* Refactoring, booleans declaration and update users fix * Make server_name more FQDN compatible * Rename variables * Define the default value for store_cakey * Skip a prompt about the SSH user if deploying to localhost * Disable reboot for non-cloud deployments * Enable EC2 volume encryption by default * Add default server value (localhost) for the local installation Delete empty files * Add default region to aws_region_facts * Update docs * EC2 credentials fix * Warnings fix * Update deploy-from-ansible.md * Fix a typo * Remove lightsail from the docs * Disable EC2 encryption by default * rename droplet to server * Disable dependencies * Disable tls_cipher_suite * Convert wifi-exclude to a string. Update-users fix * SSH access congrats fix * 16.04 > 18.04 * Dont ask for the credentials if specified in the environment vars * GCE server name fix
105 lines
2.9 KiB
YAML
105 lines
2.9 KiB
YAML
---
|
|
- block:
|
|
- name: Ensure that the sshd_config file has desired options
|
|
blockinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
|
|
block: |
|
|
Match Group algo
|
|
AllowTcpForwarding local
|
|
AllowAgentForwarding no
|
|
AllowStreamLocalForwarding no
|
|
PermitTunnel no
|
|
X11Forwarding no
|
|
notify:
|
|
- restart ssh
|
|
|
|
- name: Ensure that the algo group exist
|
|
group: name=algo state=present
|
|
|
|
- name: Ensure that the jail directory exist
|
|
file:
|
|
path: /var/jail/
|
|
state: directory
|
|
mode: 0755
|
|
owner: root
|
|
group: "{{ root_group|default('root') }}"
|
|
|
|
- name: Ensure that the SSH users exist
|
|
user:
|
|
name: "{{ item }}"
|
|
groups: algo
|
|
home: '/var/jail/{{ item }}'
|
|
createhome: yes
|
|
generate_ssh_key: yes
|
|
shell: /bin/false
|
|
ssh_key_type: ecdsa
|
|
ssh_key_bits: 256
|
|
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
|
ssh_key_passphrase: "{{ p12_export_password }}"
|
|
update_password: on_create
|
|
state: present
|
|
append: yes
|
|
with_items: "{{ users }}"
|
|
tags: update-users
|
|
|
|
- name: The authorized keys file created
|
|
file:
|
|
src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
|
|
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
|
owner: "{{ item }}"
|
|
group: "{{ item }}"
|
|
state: link
|
|
with_items: "{{ users }}"
|
|
tags: update-users
|
|
|
|
- name: Generate SSH fingerprints
|
|
shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
|
|
register: ssh_fingerprints
|
|
|
|
- name: Fetch users SSH private keys
|
|
fetch:
|
|
src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
|
|
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
|
|
flat: yes
|
|
mode: "0600"
|
|
with_items: "{{ users }}"
|
|
tags: update-users
|
|
|
|
- name: Fetch the known_hosts file
|
|
local_action:
|
|
module: template
|
|
src: known_hosts.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/known_hosts
|
|
become: no
|
|
|
|
- name: Build the client ssh config
|
|
local_action:
|
|
module: template
|
|
src: ssh_config.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh_config
|
|
mode: 0600
|
|
become: false
|
|
tags: update-users
|
|
with_items: "{{ users }}"
|
|
|
|
- name: SSH | Get active system users
|
|
shell: >
|
|
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
|
|
register: valid_users
|
|
tags: update-users
|
|
|
|
- name: SSH | Delete non-existing users
|
|
user:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
remove: yes
|
|
force: yes
|
|
when: item not in users
|
|
with_items: "{{ valid_users.stdout_lines | default('null') }}"
|
|
tags: update-users
|
|
rescue:
|
|
- debug: var=fail_hint
|
|
tags: always
|
|
- fail:
|
|
tags: always
|