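---
# Restrict what members of the `algo` group may do over SSH. blockinfile
# appends the block at the end of sshd_config by default, which is the right
# place: a `Match` stanza applies to every directive that follows it, so it
# has to come after the global settings, and nothing should be appended
# after it. Only *local* TCP forwarding is left open (clients can tunnel
# through the host but cannot expose ports on it with -R); agent forwarding,
# unix-socket forwarding, tun devices and X11 are all disabled.
- name: Ensure that the sshd_config file has desired options
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role"
    block: |
      Match Group algo
          AllowTcpForwarding local
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          PermitTunnel no
          X11Forwarding no
    # Syntax-check the candidate file before it replaces the live config.
    # Without this a broken edit would be written and then `restart ssh`
    # fires, which can lock the operator out of the host.
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - restart ssh
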
# Dedicated group that the sshd `Match Group algo` stanza keys on. The gid is
# pinned so the group is identical across hosts and re-runs.
- name: Ensure that the algo group exist
  group:
    state: present
    name: algo
    gid: 15000

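# Parent of every tunnel user's home directory (/var/jail/<user>): root-owned,
# world-readable, not world-writable.
# NOTE(review): despite the name this is not a chroot jail -- the sshd Match
# block in this role sets no `ChrootDirectory`. Users are confined by
# `shell: /bin/false` and the forwarding restrictions, not by this directory.
- name: Ensure that the jail directory exist
  file:
    path: /var/jail/
    state: directory
    # Quoted so Ansible receives the mode as a string, consistent with the
    # quoted modes later in this file. An unquoted 0755 is parsed as a
    # YAML 1.1 octal int and as decimal 755 by a YAML 1.2 loader.
    mode: "0755"
    owner: root
    group: "{{ root_group|default('root') }}"
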
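# User provisioning and per-user key material. The whole block is tagged
# `update-users` so it can be re-run on its own to add or remove users.
- block:
    # One system account per entry in `users`. /bin/false blocks any shell or
    # command session; the account is only usable for port forwarding
    # (`ssh -N`), as permitted by the Match block written to sshd_config.
    - name: Ensure that the SSH users exist
      user:
        name: "{{ item }}"
        group: algo
        home: /var/jail/{{ item }}
        createhome: true
        generate_ssh_key: false
        shell: /bin/false
        state: present
        # `append` only governs supplementary `groups`, which are not set
        # here, so it appears to be a no-op; kept as-is.
        append: true
      with_items: "{{ users }}"

    # Key material and client configs are produced on the controller, not on
    # the VPN host: `delegate_to: localhost` / `become: false` below apply to
    # every task in this inner block. The authorized_key task after it reads
    # the .pub with lookup('file'), and lookups always run on the controller.
    - block:
        # Destructive: removes every existing private key, so all clients
        # lose access until they receive the regenerated material.
        - name: Clean up the ssh-tunnel directory
          file:
            dest: "{{ ssh_tunnels_config_path }}"
            state: absent
          when: keys_clean_all|bool

        # Private-key directory on the controller; `recurse` applies the
        # owner-only mode to anything already inside it.
        - name: Ensure the config directories exist
          file:
            dest: "{{ ssh_tunnels_config_path }}"
            state: directory
            recurse: true
            mode: "0700"

        - name: Check if the private keys exist
          stat:
            path: "{{ ssh_tunnels_config_path }}/{{ item }}.pem"
          register: privatekey
          with_items: "{{ users }}"

        # Generated only when the .pem is missing (`force: false` is a second
        # guard), so a re-run never silently rotates a user's key. The key is
        # encrypted with the same secret as the PKCS#12 exports
        # (p12_export_password), so that one password protects every client
        # credential this deployment produces. `no_log` keeps the passphrase
        # out of the task output.
        - name: Build ssh private keys
          openssl_privatekey:
            path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem"
            passphrase: "{{ p12_export_password }}"
            cipher: auto
            force: false
          no_log: "{{ no_log|bool }}"
          when: not item.stat.exists
          with_items: "{{ privatekey.results }}"
          register: openssl_privatekey

        # Derived only for keys (re)generated in this run.
        # NOTE(review): a .pub deleted while its .pem survives is not rebuilt
        # by this condition, and the authorized_key lookup below will then
        # fail for that user.
        - name: Build ssh public keys
          openssl_publickey:
            path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pub"
            privatekey_path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pem"
            privatekey_passphrase: "{{ p12_export_password }}"
            format: OpenSSH
            force: true
          no_log: "{{ no_log|bool }}"
          when: item.changed
          with_items: "{{ openssl_privatekey.results }}"

        - name: Build the client ssh config
          template:
            src: ssh_config.j2
            dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"
            # Quoted for the same reason as the directory mode above. The
            # execute bit is meaningless on a config file; 0600 would suffice.
            mode: "0700"
          with_items: "{{ users }}"
      delegate_to: localhost
      become: false

    # `exclusive: true` makes the generated key the *only* key accepted for
    # the account: anything added to authorized_keys out of band is removed
    # on the next run.
    - name: The authorized keys file created
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', ssh_tunnels_config_path + '/' + item + '.pub') }}"
        state: present
        manage_dir: true
        exclusive: true
      with_items: "{{ users }}"

    # Member field of the algo group entry, used to find accounts to remove.
    # NOTE(review): the accounts above are created with `group: algo` as
    # their *primary* group; the /etc/group member list only records
    # supplementary membership, so this field may be empty and users dropped
    # from `users` may never be deleted. Confirm on a host before relying on
    # this task for deprovisioning.
    - name: Get active users
      getent:
        database: group
        key: algo
        split: ":"

    # Remove (including the home directory) any listed member that is no
    # longer in `users`. An empty member field splits to [''], so skip the
    # empty name instead of asking the user module to remove it.
    - name: Delete non-existing users
      user:
        name: "{{ item }}"
        state: absent
        remove: true
        force: true
      when: item | length > 0 and item not in users
      with_items: "{{ getent_group['algo'][2].split(',') }}"
  tags: update-users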