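---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
# WARNING: This file may be used inside a mounted chroot.
# The running system should not be assumed to be the target system.
#
# sshd setup for the "front" and "back" hosts. Every task that writes below the
# target root prefixes its path with "{{chroot}}" (empty on a live system); tasks
# that only make sense on the live system are guarded by chroot == ''.
# Trust boundary as configured here:
#   - root may only log in with the Ansible key, pinned by from= to
#     "{{ansible_master}}" and by "restrict" + PermitRootLogin forced-commands-only
#     to the forced command script below;
#   - every other user hits ForceCommand /usr/bin/nologin unless the connection
#     comes from a trusted address or lands on one of the dedicated ports.

### UPSTREAM BEGIN ⇒ ###
- name: settings necessary for pulling from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: SSH
### ⇐ UPSTREAM BEGIN ###

- name: create the bastion user (front only)
  # Only meant for the remote-help port (22000 below), which is publickey-only.
  # A password hash is nevertheless set, so PasswordAuthentication on the other
  # ports (not changed by this role) still matters for this account.
  # "{{ssh_bastion_user}}" must be part of ssh_allowed_users, since the global
  # AllowUsers directive below also applies to port 22000.
  user:
    name: "{{ssh_bastion_user}}"
    password: "{{ssh_bastion_pwd_sha512}}"
    create_home: true
    system: true
  when:
    - (inventory_hostname in groups['front'])

- name: send secure SSH host RSA key
  # The private host key is read from the controller's files/ directory; keep it
  # out of plain-text version control (ansible-vault or equivalent).
  copy:
    src: "files/{{hostname}}.{{item.name}}"
    dest: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  loop:
    - {name: ssh_host_rsa_key, perm: '0400'}
    - {name: ssh_host_rsa_key.pub, perm: '0444'}
  notify:
    - restart sshd.service

- name: force mode of other secure keys (no error)
  # The ed25519 pair may not exist yet inside a chroot (it is generated on the
  # target); failures are tolerated here and the modes are enforced again on the
  # live system further down.
  file:
    path: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  ignore_errors: true
  loop:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}

- name: ensure root’s .ssh directory exists
  # Neither copy nor lineinfile creates parent directories, and sshd's StrictModes
  # rejects a ~/.ssh that is group- or world-writable.
  file:
    path: "{{chroot}}/root/.ssh"
    state: directory
    mode: '0700'

- name: send Ansible’s forced-command
  # This forced command deliberately does NOT restrict what Ansible may run: the
  # only restrictions on the root key are the from= and "restrict" options in
  # authorized_keys. The expansion is quoted so the command text does not go
  # through a second round of word splitting and pathname globbing before eval,
  # and an empty command (an interactive login attempt) is refused instead of
  # silently succeeding.
  copy:
    content: |
      #!/usr/bin/env bash
      [ -n "${SSH_ORIGINAL_COMMAND-}" ] || exit 1
      eval "$SSH_ORIGINAL_COMMAND"
    dest: "{{chroot}}/root/.ssh/force_ansible.sh"
    mode: '0700'
  notify:
    - restart sshd.service

- name: copy Ansible key to root’s home
  # The key is matched literally (regex_escape): base64 key material contains
  # "+" and "/", so used as a raw regex the key may fail to match its own line,
  # leaving stale entries (old from= or options) in place and, depending on the
  # lineinfile version, appending a duplicate on every run.
  # from= pins the originating host; "restrict" (OpenSSH ≥ 7.2) disables
  # forwarding, PTY allocation and ~/.ssh/rc; command= forces the script above.
  lineinfile:
    path: "{{chroot}}/root/.ssh/authorized_keys"
    regexp: "{{ansible_authorized_key | regex_escape}}"
    line: >-
      from="{{ansible_master}}",restrict,command="/root/.ssh/force_ansible.sh"
      {{ansible_authorized_key}}
    create: true
    mode: '0600'
  notify:
    - restart sshd.service

- name: enable sshd
  file:
    src: /usr/lib/systemd/system/sshd.service
    dest: "{{chroot}}/etc/systemd/system/multi-user.target.wants/sshd.service"
    state: link

- meta: flush_handlers

### UPSTREAM END ⇒ ###
- name: merge local settings
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: SSH
### ⇐ UPSTREAM END ###

- name: force mode of other secure keys
  # Live system only: here a missing ed25519 key is a real error.
  file:
    path: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  loop:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}
  when:
    - (chroot == '')
  notify:
    - restart sshd.service

- name: SSH hardening from https://stribika.github.io/
  # Global (non-Match) settings, inserted after ListenAddress so they land before
  # any Match block, where these keywords are not accepted. When no ListenAddress
  # line exists the block goes to EOF instead — check that the file does not
  # already end in an active Match block in that case.
  # diffie-hellman-group-exchange-sha256 takes its groups from /etc/ssh/moduli;
  # the referenced article also recommends pruning small moduli from that file,
  # which this role does not do. Do not add algorithm names blindly: an unknown
  # name in any of these three lists makes sshd refuse to start.
  blockinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    marker: '# {mark} https://stribika.github.io/2015/01/04/secure-secure-shell.html'
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    insertafter: '^#?ListenAddress\s'
  notify:
    - restart sshd.service

- name: enable the secure host keys
  # Written without backrefs so the directive is created even when the stock
  # sshd_config carries no HostKey line at all: as soon as one HostKey is listed
  # explicitly, sshd stops loading its built-in default set (which includes
  # ecdsa). Inserted at BOF when absent, which is always ahead of any Match block.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?HostKey\s+/etc/ssh/ssh_host_{{item}}_key'
    line: 'HostKey /etc/ssh/ssh_host_{{item}}_key'
    insertbefore: BOF
  loop:
    - ed25519
    - rsa
  notify:
    - restart sshd.service

- name: disable the insecure host keys
  # Only comments out lines that exist (backrefs); nothing is added.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{item}}_key)'
    line: '#\1'
  loop:
    - dsa
    - ecdsa
  notify:
    - restart sshd.service

- name: restrict root login
  # Root may only authenticate with a key that carries command= (the Ansible key
  # installed above). If the directive is missing it is inserted before the
  # first Match block rather than at EOF, where it would be rejected.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?PermitRootLogin\s'
    line: 'PermitRootLogin forced-commands-only'
    insertbefore: '^Match\s'
    firstmatch: true
  notify:
    - restart sshd.service

- name: set forwarding and keep-alive options
  # One directive per role variable; the (possibly commented) stock directive is
  # replaced in place, or the line is inserted before the first Match block
  # (EOF when there is none) if the stock file does not mention it.
  # Note that the remote-help port below relies on AllowTcpForwarding permitting
  # remote forwarding.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?{{item.option}}\s'
    line: "{{item.option}} {{item.value}}"
    insertbefore: '^Match\s'
    firstmatch: true
  loop:
    - {option: AllowTcpForwarding, value: "{{ssh_allow_tcpforward}}"}
    - {option: GatewayPorts, value: "{{ssh_allow_gatewayports}}"}
    - {option: X11Forwarding, value: "{{ssh_allow_x11forward}}"}
    - {option: ClientAliveInterval, value: "{{ssh_clientalive_interval}}"}
    - {option: PermitTunnel, value: "{{ssh_allow_tunnel}}"}
  loop_control:
    label: "{{item.option}}"
  notify:
    - restart sshd.service

- name: extended front setup
  # Appended at EOF: the Port/AcceptEnv/AllowUsers/ForceCommand lines ahead of the
  # first Match are rejected by sshd if the existing sshd_config already ends in
  # an active Match block — verify that before enabling this on a new base file.
  # Match semantics: for each keyword the first satisfied Match wins, so the
  # trusted-address block takes precedence over the per-port blocks below it.
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker: '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # alternative port
      Port 23
      # remote-help port
      Port 22000
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
        ForceCommand none
      Match LocalPort 23
        ForceCommand none
      Match LocalPort 22000
        ForceCommand /usr/bin/echo 'Use: ssh -NTxR 2200x:localhost:22 -i /your/key -p 22000 {{ssh_bastion_user}}@{{net_soa}}'
        PermitTTY no
        AuthenticationMethods publickey
        MaxAuthTries 1
        MaxSessions 0
        X11Forwarding no
        # the helper only needs a reverse tunnel (-R) back to this host: no agent
        # forwarding, and no local forwarding (-L) through this host into the
        # network; the -R side still depends on the global AllowTcpForwarding
        AllowAgentForwarding no
        PermitOpen none
    insertafter: EOF
  when:
    - (inventory_hostname in groups['front'])
    - (chroot == '')
  notify:
    - restart sshd.service

- name: extended back setup
  # NOTE(review): the global ForceCommand /usr/bin/nologin is not cleared in the
  # "Match LocalPort 2222" block, so only connections from the trusted ranges
  # (where the first Match sets ForceCommand none) get past it on the git port;
  # from anywhere else an authorized_keys command= for the git user is overridden
  # by nologin. Confirm the git port is meant to be trusted-addresses only.
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker: '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # git port
      Port 2222
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
        ForceCommand none
      Match LocalPort 2222
        AllowUsers {{gitea_user}}
        PermitRootLogin no
        PasswordAuthentication no
        PermitEmptyPasswords no
        PubkeyAuthentication yes
    insertafter: EOF
  when:
    - (inventory_hostname in groups['back'])
    - (chroot == '')
  notify:
    - restart sshd.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: SSH
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers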