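---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# WARNING: This file may be used inside a mounted chroot.
# The running system should not be assumed to be the target system.
#
# SSH task list: ships the host keys, installs the forced-command key that
# lets the Ansible controller reach root, hardens sshd_config and enables
# sshd. Paths under /etc are prefixed with "{{chroot}}" so the same tasks
# can act on a mounted image; tasks that only make sense on the running
# system are guarded with `chroot == ''`.

### UPSTREAM BEGIN ⇒ ###
- name: settings necessary for pulling from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: SSH
### ⇐ UPSTREAM BEGIN ###

- name: create the bastion user (front only)
  user:
    name: "{{ssh_bastion_user}}"
    password: "{{ssh_bastion_pwd_sha512}}"
    create_home: true
    system: true
  # The password hash is a secret: keep it out of task output and logs.
  no_log: true
  when:
    - (inventory_hostname in groups['front'])

- name: send secure SSH host RSA key
  # Private key material comes from the controller's files/ directory,
  # one pair per target hostname; the perm column is the on-target mode.
  copy:
    src: "files/{{hostname}}.{{item.name}}"
    dest: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  with_items:
    - {name: ssh_host_rsa_key, perm: '0400'}
    - {name: ssh_host_rsa_key.pub, perm: '0444'}
  notify:
    - restart sshd.service

- name: force mode of other secure keys (no error)
  # Best effort: the ed25519 pair is not shipped by this file and may not
  # exist yet, hence ignore_errors. The same task is repeated further down
  # for the live system, without the error suppression.
  file:
    path: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  ignore_errors: true
  with_items:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}

- name: send Ansible’s forced-command
  # Wrapper referenced by the command= option of root's authorized_keys
  # entry (next task). With from= and restrict on that entry, the key is
  # usable only from ansible_master and only through this script.
  copy:
    content: |
      #!/usr/bin/env bash
      eval $SSH_ORIGINAL_COMMAND
    dest: "{{chroot}}/root/.ssh/force_ansible.sh"
    # Quoted: a bare 0700 is an octal int under YAML 1.1 and a decimal int
    # under 1.2; the string form is unambiguous and matches the perm
    # values used elsewhere in this file.
    mode: "0700"
  notify:
    - restart sshd.service

- name: copy Ansible key to root’s home
  lineinfile:
    # Assumes {{chroot}}/root/.ssh already exists: create=true creates the
    # file, not its parent directory.
    path: "{{chroot}}/root/.ssh/authorized_keys"
    # Match the key literally: base64 key material contains '+', which is
    # a regex quantifier, so an unescaped key can fail to match its own
    # existing line and get appended a second time.
    regexp: "{{ansible_authorized_key | regex_escape}}"
    line: >-
      from="{{ansible_master}}",restrict,command="/root/.ssh/force_ansible.sh"
      {{ansible_authorized_key}}
    create: true
    mode: "0600"
  notify:
    - restart sshd.service

- name: enable sshd
  # Enabled by creating the wants/ symlink directly rather than through
  # systemctl — presumably because systemctl cannot be relied on inside
  # the chroot (see the header warning).
  file:
    src: /usr/lib/systemd/system/sshd.service
    dest: "{{chroot}}/etc/systemd/system/multi-user.target.wants/sshd.service"
    state: link

- meta: flush_handlers

### UPSTREAM END ⇒ ###
- name: merge local settings
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: SSH
### ⇐ UPSTREAM END ###

- name: force mode of other secure keys
  file:
    path: "{{chroot}}/etc/ssh/{{item.name}}"
    mode: "{{item.perm}}"
  with_items:
    - {name: ssh_host_ed25519_key, perm: '0400'}
    - {name: ssh_host_ed25519_key.pub, perm: '0444'}
  when:
    - (chroot == '')
  notify:
    - restart sshd.service

- name: SSH hardening from https://stribika.github.io/
  # Restricts key exchange, ciphers and MACs to the set recommended by the
  # referenced 2015 article. The block is inserted after ListenAddress so
  # it lands near the top of the file rather than at EOF.
  blockinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    marker:
      '# {mark} https://stribika.github.io/2015/01/04/secure-secure-shell.html'
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    insertafter: '^#?ListenAddress\s'
  notify:
    - restart sshd.service

- name: enable the secure host keys
  # Uncomment the HostKey lines for the key types managed above; with
  # backrefs the file is left untouched when no line matches.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{item}}_key)'
    line: '\1'
  with_items:
    - ed25519
    - rsa
  notify:
    - restart sshd.service

- name: disable the insecure host keys
  # Comment out the DSA and ECDSA HostKey lines. Idempotent: an existing
  # leading '#' is consumed by the regexp and re-added by the replacement.
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{item}}_key)'
    line: '#\1'
  with_items:
    - dsa
    - ecdsa
  notify:
    - restart sshd.service

# The next six tasks each set one global sshd directive. Without an
# insert position, lineinfile appends an unmatched line at EOF — which,
# once the "extended setup" block below exists, is inside its last Match
# block and no longer global. insertbefore: BOF only takes effect when the
# regexp does not match, so matched lines are still replaced in place.
- name: restrict root login
  # forced-commands-only: root may authenticate with a key only when that
  # key carries a command= option (as the Ansible key above does).
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?PermitRootLogin\s'
    line: 'PermitRootLogin forced-commands-only'
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: allow TCP forwarding
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?AllowTcpForwarding\s'
    line: "AllowTcpForwarding {{ssh_allow_tcpforward}}"
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: allow gateway ports
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?GatewayPorts\s'
    line: "GatewayPorts {{ssh_allow_gatewayports}}"
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: allow X11 forwarding
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?X11Forwarding\s'
    line: "X11Forwarding {{ssh_allow_x11forward}}"
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: set keep-alive interval
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?ClientAliveInterval\s'
    line: "ClientAliveInterval {{ssh_clientalive_interval}}"
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: allow tunnel
  lineinfile:
    path: "{{chroot}}/etc/ssh/sshd_config"
    regexp: '^#?PermitTunnel\s'
    line: "PermitTunnel {{ssh_allow_tunnel}}"
    insertbefore: BOF
  notify:
    - restart sshd.service

- name: extended front setup
  # Live system only. Default policy is ForceCommand nologin (no shell);
  # the trusted address ranges and the alternative port 23 get a normal
  # shell back; port 22000 is public-key-only with no sessions
  # (MaxSessions 0) and exists for the reverse tunnel described in its
  # ForceCommand message. The marker text is shared with the back setup,
  # so a host is assumed to be in only one of the two groups.
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker:
      '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # alternative port
      Port 23
      # remote-help port
      Port 22000
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 23
      ForceCommand none
      Match LocalPort 22000
      ForceCommand /usr/bin/echo 'Use: ssh -NTxR 2200x:localhost:22 -i /your/key -p 22000 {{ssh_bastion_user}}@{{net_soa}}'
      PermitTTY no
      AuthenticationMethods publickey
      MaxAuthTries 1
      MaxSessions 0
      X11Forwarding no
    insertafter: EOF
  when:
    - (inventory_hostname in groups['front'])
    - (chroot == '')
  notify:
    - restart sshd.service

- name: extended back setup
  # Live system only. Same nologin default and trusted-range exception as
  # the front; port 2222 is reserved for the gitea user with key-only,
  # non-root authentication.
  blockinfile:
    path: "/etc/ssh/sshd_config"
    marker:
      '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # git port
      Port 2222
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 2222
      AllowUsers {{gitea_user}}
      PermitRootLogin no
      PasswordAuthentication no
      PermitEmptyPasswords no
      PubkeyAuthentication yes
    insertafter: EOF
  when:
    - (inventory_hostname in groups['back'])
    - (chroot == '')
  notify:
    - restart sshd.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: SSH
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers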