From f746583d5229e728f31e84160f8f544f5d75ca4f Mon Sep 17 00:00:00 2001
From: Tobias Manske
Date: Tue, 12 Sep 2023 00:35:35 +0200
Subject: [PATCH] Common: Configure sshd

---
 coreos-config/group_vars/all/vault.yaml | 15 ++++++
 coreos-config/plays/common.yaml | 52 ++++++++++++++++++++
 coreos-config/plays/templates/sshd_config.j2 | 1 +
 3 files changed, 68 insertions(+)
 create mode 100644 coreos-config/group_vars/all/vault.yaml
 create mode 100644 coreos-config/plays/templates/sshd_config.j2

diff --git a/coreos-config/group_vars/all/vault.yaml b/coreos-config/group_vars/all/vault.yaml
new file mode 100644
index 0000000..dfbed0d
--- /dev/null
+++ b/coreos-config/group_vars/all/vault.yaml
@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+61326166343132303034623663646238316263313832303164636539643039653530323537613030
+3733303163623763353765386332653832353862323262320a313766323336393933623736653834
+34643932613563646332633437323135656437613335333362383464613061383935323661656433
+3032376366323234660a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
diff --git a/coreos-config/plays/common.yaml b/coreos-config/plays/common.yaml
index 4311e93..361e81c 100644
--- a/coreos-config/plays/common.yaml
+++ b/coreos-config/plays/common.yaml
@@ -1,3 +1,54 @@
+- name: Setup SSH Config
+ hosts: all
+ become: true
+ become_user: root
+ tags:
+ - setup_ssh
+ - setup
+ tasks:
+ - name: Authorized_keys dir present
+ ansible.builtin.file:
+ state: directory
+ path: /etc/ssh/authorized_keys
+ owner: root
+ group: root
+ mode: '0755'
+ - name: Deploy CI SSH-Key
+ ansible.posix.authorized_key:
+ user: "{{ ansible_user }}"
+ state: present
+ manage_dir: false
+ path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
+ key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/2H7n27J7/xFAyQpE7r29UxTP5jttLRe6RhAC/Ndam drone-deploy"
+ - name: Deploy Common SSH-Keys
+ ansible.posix.authorized_key:
+ user: "{{ ansible_user }}"
+ state: present
+ manage_dir: false
+ path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
+ key: "{{ item }}"
+ loop: "{{ common.ssh.authorized_keys }}"
+ - name: Ensure authorized_keys ownership
+ ansible.builtin.file:
+ state: directory
+ path: /etc/ssh/authorized_keys
+ owner: root
+ group: root
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ - name: Configure sshd
+ ansible.builtin.template:
+ src: 'sshd_config.j2'
+ dest: '/etc/ssh/sshd_config.d/99-override.conf'
+ owner: root
+ group: root
+ mode: '0600'
+ - name: Remove Keys Config
+ ansible.builtin.file:
+ state: absent
+ path: /etc/ssh/ssh_config.d/40-ssh-key-dir.conf
+
+
 - name: Backup
 hosts: backup
 become: true
@@ -135,6 +186,7 @@
 tags:
 - never
 - setup_monitoring
+ - setup
 tasks:
 - name: Login to Kuma
 delegate_to: localhost
diff --git a/coreos-config/plays/templates/sshd_config.j2 b/coreos-config/plays/templates/sshd_config.j2
new file mode 100644
index 0000000..c81cc96
--- /dev/null
+++ b/coreos-config/plays/templates/sshd_config.j2
@@ -0,0 +1 @@
+AuthorizedKeysFile /etc/ssh/authorized_keys/%u
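Review bot: The `Configure sshd` task writes `/etc/ssh/sshd_config.d/99-override.conf` but nothing in the play reloads sshd, so the running daemon keeps serving its startup-time configuration (sshd hands that configuration to the per-connection child it re-execs rather than re-reading the file) and the new `AuthorizedKeysFile` only takes effect after an unrelated restart; add `notify: Reload sshd` to the task and a handler that reloads the sshd service unit, as sketched below. The `Remove Keys Config` task deletes `/etc/ssh/ssh_config.d/40-ssh-key-dir.conf`, which is under the client configuration directory; if the intent is to retire a server-side drop-in that competes with the new template, that would live under `sshd_config.d` instead, so confirm the path before merging. As a point of style, the hard-coded `drone-deploy` key in `Deploy CI SSH-Key` could be folded into `common.ssh.authorized_keys` so both key tasks share one loop and one vaulted source of truth.
```yaml
# … unchanged: play header, authorized_keys tasks …
 - name: Configure sshd
   ansible.builtin.template:
     src: 'sshd_config.j2'
     dest: '/etc/ssh/sshd_config.d/99-override.conf'
     owner: root
     group: root
     mode: '0600'
   notify: Reload sshd
# … unchanged: Remove Keys Config task …
 handlers:
   - name: Reload sshd
     ansible.builtin.systemd:
       name: sshd
       state: reloaded
```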
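Review bot: The `AuthorizedKeysFile` directive in this template only wins if no earlier-sorted drop-in already sets it: sshd keeps the first value it obtains for each keyword and processes `Include` globs in lexical order, so the `99-` prefix chosen for the `dest` in common.yaml sorts after any other file in `sshd_config.d` that names the same keyword. A low prefix such as `00-override.conf` is the conventional way to make an override drop-in take precedence; in either case verify the effective value on a host with `sshd -T | grep -i authorizedkeysfile` after the play runs. The one-line template also deserves a header so an operator finding the file on a host knows not to hand-edit it, e.g. `# Managed by Ansible (coreos-config/plays/templates/sshd_config.j2); local edits are overwritten`.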