---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
# WARNING: This file may be used inside a mounted chroot.
# The running system should not be assumed to be the target system.
### UPSTREAM BEGIN ⇒ ###
# Open the etckeeper "upstream" phase for the SSH settings (the included
# role's upstream.yml does the actual work; msg is presumably the tag used
# for the resulting commit message).
- name: settings necessary for pulling from upstream
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    msg: SSH
### ⇐ UPSTREAM BEGIN ###
# The bastion account only exists on hosts of the "front" group; it is the
# account remote users are told to tunnel through on port 22000 (see the
# hint in the front sshd setup further down, which also forbids a TTY and
# sessions on that port).
- name: create the bastion user (front only)
  when: "inventory_hostname in groups['front']"
  user:
    name: "{{ ssh_bastion_user }}"
    # Ansible's user module expects an already hashed value here; the
    # variable name suggests a SHA-512 crypt(3) hash.  Never put a clear-text
    # password in this variable.
    password: "{{ ssh_bastion_pwd_sha512 }}"
    create_home: true
    system: true
    # NOTE(review): no shell is set, so the useradd default applies.  If this
    # account is also listed in ssh_allowed_users it can log in on the ports
    # that lift the global ForceCommand (e.g. 23) — confirm that is intended.
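# Install the host's pre-generated RSA host key pair from the controller
# (files/<hostname>.ssh_host_rsa_key{,.pub}; `hostname` is a project
# variable, presumably set in the inventory — it is not ansible_hostname).
# The private key is secret material: keep it vault-encrypted in the
# repository (whether it currently is cannot be told from here) and keep it
# out of the logs — without no_log a run with --diff prints the full content
# of a changed key, so it is set here even though it also hides the .pub item.
# Ownership is pinned to root so a pre-existing, differently owned key does
# not survive with its old owner.
- name: send secure SSH host RSA key
  copy:
    src: "files/{{ hostname }}.{{ item.name }}"
    dest: "{{ chroot }}/etc/ssh/{{ item.name }}"
    owner: root
    group: root
    mode: "{{ item.perm }}"
  loop:
    - {name: ssh_host_rsa_key, perm: '0400'}
    - {name: ssh_host_rsa_key.pub, perm: '0444'}
  no_log: true
  notify:
    - restart sshd.service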
# Best-effort permission clamp on the ed25519 host key pair.  The key may not
# exist yet (presumably in a freshly populated chroot where sshd has not
# generated it), in which case the file module fails and that failure is
# deliberately ignored.  The same clamp is enforced for real further down,
# but only when configuring the live system (chroot == '').
- name: force mode of other secure keys (no error)
  file:
    path: "{{ chroot }}/etc/ssh/{{ item.name }}"
    mode: "{{ item.perm }}"
  loop:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}
  ignore_errors: true
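# Forced command bound to the Ansible key in root's authorized_keys.  It
# deliberately runs whatever the client asked for: PermitRootLogin is set to
# forced-commands-only below, so root may only log in with a key entry that
# carries a command= option, and this wrapper is what satisfies that
# requirement for the automation key.  The real restriction therefore comes
# from the from="…" and restrict options on the key entry, not from this
# script — whoever holds the Ansible key and connects from ansible_master has
# full root.
- name: send Ansible’s forced-command
  copy:
    content: |
      #!/usr/bin/env bash
      # Run the client's command exactly as it was sent.  The quotes matter:
      # an unquoted expansion is word-split and glob-expanded before eval sees
      # it, which collapses whitespace inside quoted arguments and expands any
      # '*' in the payload against /root.
      eval "$SSH_ORIGINAL_COMMAND"
    dest: "{{ chroot }}/root/.ssh/force_ansible.sh"
    owner: root
    group: root
    mode: '0700'
  notify:
    - restart sshd.service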
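# Authorise the controller's key for root, limited to connections from
# ansible_master and pinned to the forced-command wrapper installed above
# (per sshd(8), "restrict" additionally turns off pty, forwarding and user rc).
# The key itself is the search pattern so that an unrestricted entry for the
# same key already present in the file is replaced instead of being left next
# to the restricted one.  It must be regex-escaped: base64 key material
# routinely contains '+', which otherwise turns the pattern into a quantifier
# that never matches the literal key, leaving the unrestricted entry in place.
# NOTE(review): lineinfile creates the file but not /root/.ssh itself —
# assumes the directory already exists in the target (chroot) tree.
- name: copy Ansible key to root’s home
  lineinfile:
    path: "{{ chroot }}/root/.ssh/authorized_keys"
    regexp: "{{ ansible_authorized_key | regex_escape }}"
    line: >-
      from="{{ ansible_master }}",restrict,command="/root/.ssh/force_ansible.sh"
      {{ ansible_authorized_key }}
    create: true
    mode: '0600'
  notify:
    - restart sshd.service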
# Enable sshd at boot by creating the unit symlink by hand instead of calling
# systemctl, because this file may be run against a mounted chroot where the
# target's systemd is not running.
# NOTE(review): the file module checks that src exists on the running system,
# not inside the chroot, and it does not create the …/multi-user.target.wants
# directory — confirm both exist on the target.
- name: enable sshd
  file:
    state: link
    src: /usr/lib/systemd/system/sshd.service
    dest: "{{ chroot }}/etc/systemd/system/multi-user.target.wants/sshd.service"

# Run the queued "restart sshd.service" handler now, so that the new host key,
# forced command and authorized_keys entry are live before the upstream phase
# is closed.
- meta: flush_handlers
### UPSTREAM END ⇒ ###
# Close the etckeeper "upstream" phase: the included role's merge.yml merges
# the locally managed SSH settings on top of what was pulled from upstream.
- name: merge local settings
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    msg: SSH
### ⇐ UPSTREAM END ###
# Strict permission clamp on the ed25519 host key pair, live system only (the
# chroot variant earlier in this file is best-effort).  Here a missing key is
# an error: by now sshd is presumably expected to have generated it.
- name: force mode of other secure keys
  when: chroot == ''
  file:
    path: "{{ chroot }}/etc/ssh/{{ item.name }}"
    mode: "{{ item.perm }}"
  loop:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}
  notify:
    - restart sshd.service
# Pin the key-exchange, cipher and MAC lists to the 2015 "secure secure shell"
# recommendations.  The block is inserted right after the (commented)
# ListenAddress line so that it stays in the global section, ahead of the
# Match blocks this file appends at the end (Kex/Cipher/MAC selection is
# global in sshd_config).
# NOTE(review): these lists date from 2015 — re-validate them against the
# installed OpenSSH (`sshd -T`), whose defaults are stronger nowadays; the
# referenced article also expects /etc/ssh/moduli to be pruned for
# diffie-hellman-group-exchange-sha256 to be worth keeping.
- name: SSH hardening from https://stribika.github.io/
  blockinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    marker: '# {mark} https://stribika.github.io/2015/01/04/secure-secure-shell.html'
    insertafter: '^#?ListenAddress\s'
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  notify:
    - restart sshd.service
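# Make sure the ed25519 and RSA host keys are listed explicitly.  Without
# backrefs, lineinfile uncomments a stock "#HostKey …" line when one exists
# and otherwise adds the directive itself — at the top of the file, which is
# always the global section and can never end up inside a Match block.
# This matters for the "disable" task that follows: sshd only falls back to
# its built-in key set (which includes ecdsa) when *no* HostKey directive is
# present, so a stock sshd_config without any HostKey lines would silently
# keep the ecdsa key enabled.  Listing the wanted keys closes that gap.
- name: enable the secure host keys
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?HostKey\s+/etc/ssh/ssh_host_{{ item }}_key'
    line: "HostKey /etc/ssh/ssh_host_{{ item }}_key"
    insertbefore: BOF
  loop:
    - ed25519
    - rsa
  notify:
    - restart sshd.service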
# Comment out the DSA and ECDSA HostKey directives when the file lists them.
# backrefs keeps the matched line's content and only prefixes it with '#';
# an already commented line matches too and is rewritten unchanged, so the
# task is idempotent and adds nothing when no such line exists.
- name: disable the insecure host keys
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{ item }}_key)'
    line: '#\1'
  loop:
    - dsa
    - ecdsa
  notify:
    - restart sshd.service
# Root may only authenticate with a key entry that carries a command= option,
# i.e. the Ansible entry installed earlier in this file, which pins the
# forced-command wrapper.  Interactive root logins and plain root keys are
# refused.
- name: restrict root login
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?PermitRootLogin\s'
    line: 'PermitRootLogin forced-commands-only'
  notify:
    - restart sshd.service
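# Tunable sshd settings driven by inventory variables.  One looped task
# replaces five copy-pasted ones; each entry rewrites the (possibly commented)
# stock directive in place, exactly as the individual tasks did.  The values
# are exposed because they differ per host, but be aware of what they open:
#   AllowTcpForwarding  — any authenticated user can pivot through the host;
#   GatewayPorts        — "yes" binds remote-forwarded ports on all interfaces,
#                         exposing them to the network, not just localhost;
#   X11Forwarding       — lets server-side processes reach the client's X
#                         display;
#   ClientAliveInterval — seconds between keep-alive probes (0 disables);
#   PermitTunnel        — allows tun(4) device forwarding (a layer-2/3 VPN).
- name: set tunable sshd options
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?{{ item.option }}\s'
    line: "{{ item.option }} {{ item.value }}"
  loop:
    - {option: AllowTcpForwarding, value: "{{ ssh_allow_tcpforward }}"}
    - {option: GatewayPorts, value: "{{ ssh_allow_gatewayports }}"}
    - {option: X11Forwarding, value: "{{ ssh_allow_x11forward }}"}
    - {option: ClientAliveInterval, value: "{{ ssh_clientalive_interval }}"}
    - {option: PermitTunnel, value: "{{ ssh_allow_tunnel }}"}
  notify:
    - restart sshd.service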
# Front-facing sshd layout (live system only, "front" group).  The whole
# block goes at the end of sshd_config because everything after a Match line
# belongs to that Match, so the Port/AcceptEnv/AllowUsers directives at the
# top of the block are the last global ones.  The default policy is deny by
# ForceCommand: whoever authenticates gets /usr/bin/nologin unless a Match
# block lifts it.  sshd keeps the *first* value it obtains for a keyword, so
# the Match blocks are ordered from most to least privileged:
#   - trusted address ranges (net_trusted_ranges plus iodine_net, presumably
#     the DNS-tunnel network): full shell;
#   - port 23, from anywhere: full shell — this is the unrestricted door and
#     it inherits the global authentication settings (password auth is not
#     turned off anywhere in this file — NOTE(review): confirm that is intended,
#     especially if the password-bearing bastion account is in ssh_allowed_users);
#   - port 22000, from anywhere: key-only, no TTY, no sessions — usable only
#     for the reverse tunnel shown in the hint (-N -R).  MaxAuthTries 1 means
#     the client must offer the right key first (hence the -i in the hint).
# NOTE(review): with MaxSessions 0 the session channel in which the echo
# ForceCommand would run is refused, so clients may never see that hint.
# AcceptEnv: keep the accepted list to harmless variables (LANG/LC_*); sshd(8)
# warns that accepted variables can be used to escape restricted environments.
# The bare ipaddr filter nowadays lives in the ansible.utils collection —
# confirm it is available on the controller.
- name: extended front setup
  when:
    - (inventory_hostname in groups['front'])
    - (chroot == '')
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker: '# {mark} extended setup'
    insertafter: EOF
    block: |
      # regular port
      Port 22
      # alternative port
      Port 23
      # remote-help port
      Port 22000
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 23
      ForceCommand none
      Match LocalPort 22000
      ForceCommand /usr/bin/echo 'Use: ssh -NTxR 2200x:localhost:22 -i /your/key -p 22000 {{ssh_bastion_user}}@{{net_soa}}'
      PermitTTY no
      AuthenticationMethods publickey
      MaxAuthTries 1
      MaxSessions 0
      X11Forwarding no
  notify:
    - restart sshd.service
# Back-end sshd layout (live system only, "back" group).  Same deny-by-default
# scheme as the front: ForceCommand nologin unless the connection comes from
# a trusted address (net_trusted_ranges plus iodine_net).  Port 2222 is the
# git port: only the Gitea account may authenticate there, by public key, and
# root / empty passwords are refused.  AllowUsers inside the Match block
# appears to replace the global list for that port rather than extend it.
# NOTE(review): the LocalPort 2222 block does not set "ForceCommand none", so
# git-over-SSH from outside the trusted ranges still ends in /usr/bin/nologin
# (a ForceCommand in sshd_config takes precedence over a command= option in
# authorized_keys) — confirm whether pushes from outside are meant to work.
# AcceptEnv: keep the accepted list to harmless variables (LANG/LC_*); sshd(8)
# warns that accepted variables can be used to escape restricted environments.
# The bare ipaddr filter nowadays lives in the ansible.utils collection —
# confirm it is available on the controller.
- name: extended back setup
  when:
    - (inventory_hostname in groups['back'])
    - (chroot == '')
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker: '# {mark} extended setup'
    insertafter: EOF
    block: |
      # regular port
      Port 22
      # git port
      Port 2222
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 2222
      AllowUsers {{gitea_user}}
      PermitRootLogin no
      PasswordAuthentication no
      PermitEmptyPasswords no
      PubkeyAuthentication yes
  notify:
    - restart sshd.service
### LOCAL COMMIT ⇒ ###
# Record the local SSH changes in etckeeper (the included role's local.yml
# does the commit; msg is presumably the tag used for the commit message).
- name: commit local changes
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: SSH
### ⇐ LOCAL COMMIT ###

# Restart sshd now (if anything above changed) rather than at the end of the
# play, so that later roles talk to the final configuration.
- meta: flush_handlers