diff --git a/ansible/environments/laptop/host_vars/odolinux b/ansible/environments/laptop/host_vars/odolinux
index a700b99..8ee08e9 100644
--- a/ansible/environments/laptop/host_vars/odolinux
+++ b/ansible/environments/laptop/host_vars/odolinux
@@ -9,6 +9,11 @@ users:
 - name: users
 - name: docker
 - name: libvirt
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+ - homeassistant
 zfs_snapshot_datasets:
 - zroot/linux/archmain/home
 - zroot/linux/archmain/be
diff --git a/ansible/roles/blank/handlers/main.yaml b/ansible/roles/blank/handlers/main.yaml
index 729fb8f..0d2f27e 100644
--- a/ansible/roles/blank/handlers/main.yaml
+++ b/ansible/roles/blank/handlers/main.yaml
@@ -1,4 +1,14 @@
-# - name: restart foo
+# - name: restart foo freebsd
+# when: 'os_flavor == "freebsd"'
+# listen: restart foo
 # service:
 # name: foo
 # state: restarted
+
+# - name: restart ssh linux
+# when: 'os_flavor == "linux"'
+# listen: restart foo
+# systemd:
+# state: restarted
+# name: foo
+# daemon_reload: yes
diff --git a/ansible/roles/sshd/files/keys/backup_fido.pub b/ansible/roles/sshd/files/keys/backup_fido.pub
new file mode 100644
index 0000000..fa8c178
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/backup_fido.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=
diff --git a/ansible/roles/sshd/files/keys/homeassistant.pub b/ansible/roles/sshd/files/keys/homeassistant.pub
new file mode 100644
index 0000000..aabacf6
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/homeassistant.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfmIPexKT+dzA8VpQ1nblAaDLYBorIc2WYQv+Lc4apk lizapolyudova@Lizas-Air.home.arpa
diff --git a/ansible/roles/sshd/files/keys/main_fido.pub b/ansible/roles/sshd/files/keys/main_fido.pub
new file mode 100644
index 0000000..ec20fd2
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/main_fido.pub
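Review bot: The `authorized_keys` list added to this host's user entry is byte-identical to the one added to `ansible/roles/users/defaults/main.yaml` in the same commit, so if both describe the same account this override adds nothing and doubles the places to edit when a key is rotated or revoked; keep one of the two (host_vars is the natural place for a per-host key set). The `homeassistant` entry also deserves a second look: the key file it names carries the comment `lizapolyudova@Lizas-Air.home.arpa`, i.e. a personal laptop rather than a Home Assistant instance, so confirm that key should be able to log into this user at all. The user mapping this list belongs to begins above the hunk, so which account receives it is not visible here.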
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=
diff --git a/ansible/roles/sshd/files/keys/yubikey.pub b/ansible/roles/sshd/files/keys/yubikey.pub
new file mode 100644
index 0000000..36b8f22
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
diff --git a/ansible/roles/sshd/files/rc.conf b/ansible/roles/sshd/files/rc.conf
new file mode 100644
index 0000000..38a7f5f
--- /dev/null
+++ b/ansible/roles/sshd/files/rc.conf
@@ -0,0 +1 @@
+sshd_enable="YES"
diff --git a/ansible/roles/sshd/handlers/main.yaml b/ansible/roles/sshd/handlers/main.yaml
new file mode 100644
index 0000000..c7b6c00
--- /dev/null
+++ b/ansible/roles/sshd/handlers/main.yaml
@@ -0,0 +1,14 @@
+- name: restart sshd freebsd
+ when: 'os_flavor == "freebsd"'
+ listen: restart sshd
+ service:
+ name: sshd
+ state: reloaded
+
+- name: restart ssh linux
+ when: 'os_flavor == "linux"'
+ listen: restart sshd
+ systemd:
+ state: reloaded
+ name: sshd
+ daemon_reload: yes
diff --git a/ansible/roles/sshd/tasks/freebsd.yaml b/ansible/roles/sshd/tasks/freebsd.yaml
index e69de29..efb9cab 100644
--- a/ansible/roles/sshd/tasks/freebsd.yaml
+++ b/ansible/roles/sshd/tasks/freebsd.yaml
@@ -0,0 +1,10 @@
+- name: Enable services
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - src: rc.conf
+ dest: /etc/rc.conf.d/sshd
diff --git a/ansible/roles/sshd/tasks/linux.yaml b/ansible/roles/sshd/tasks/linux.yaml
index e69de29..78e3302 100644
--- a/ansible/roles/sshd/tasks/linux.yaml
+++ b/ansible/roles/sshd/tasks/linux.yaml
@@ -0,0 +1,6 @@
+- name: Enable services
+ systemd:
+ state: started
+ name: sshd
+ daemon_reload: yes
+ enabled: yes
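Review bot: Both handlers are named "restart …" but use `state: reloaded`, which only SIGHUPs sshd to re-read `sshd_config`; the only notifier visible in this commit is the `authorized_key` task, and sshd reads `~/.ssh/authorized_keys` fresh at every authentication, so no reload is needed for that at all. Either rename to match the action (`- name: reload sshd freebsd`, `listen: reload sshd`) or use `state: restarted` if a restart is really intended, and be aware that on FreeBSD `service sshd reload` fails when the daemon is not yet running. `daemon_reload: yes` is a YAML 1.1 truthy and also forces a full systemd unit re-scan on every reload although no unit file is installed by this role; write `daemon_reload: true` only in a task that changes a unit file, otherwise drop it.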
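Review bot: The FreeBSD task only writes `sshd_enable="YES"` to `/etc/rc.conf.d/sshd` and never starts the daemon, unlike the Linux task which sets `state: started`, so on a fresh FreeBSD host sshd stays down until reboot and the role's `state: reloaded` handler will then fail because there is nothing to reload. Add a start step after the copy, e.g. `- name: Start sshd` / `  service:` / `    name: sshd` with `state: started`, so both flavors converge to a running service. Quote the mode as `mode: "0644"` so it does not depend on the YAML parser's octal handling, and consider giving the task a name that says what it does ("Enable sshd in rc.conf.d") rather than the generic "Enable services".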
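Review bot: `daemon_reload: yes` and `enabled: yes` in the Linux task are YAML 1.1 truthy spellings that yamllint's `truthy` rule rejects and that some YAML 1.2 loaders read as the string "yes"; write `daemon_reload: true` and `enabled: true`. `daemon_reload` can also be dropped here, since the task installs no unit file and an unconditional re-scan on every run is wasted work. The task name "Enable services" is the same generic name used on the FreeBSD side; naming it "Enable and start sshd" makes play output self-explanatory.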
diff --git a/ansible/roles/sshd/tasks/peruser.yaml b/ansible/roles/sshd/tasks/peruser.yaml
index 111e886..3b4e070 100644
--- a/ansible/roles/sshd/tasks/peruser.yaml
+++ b/ansible/roles/sshd/tasks/peruser.yaml
@@ -1,26 +1,23 @@
 - include_role:
 name: per_user
 
-# - name: Create directories
-# file:
-# name: "{{ account_homedir.stdout }}/{{ item }}"
-# state: directory
-# mode: 0700
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - ".config/foo"
+- name: Create ssh directory
+ file:
+ name: "{{ account_homedir.stdout }}/.ssh"
+ state: directory
+ mode: 0700
+ owner: "{{ account_name.stdout }}"
+ group: "{{ group_name.stdout }}"
 
-# - name: Copy files
-# copy:
-# src: "files/{{ item.src }}"
-# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
-# mode: 0600
-# owner: "{{ account_name.stdout }}"
-# group: "{{ group_name.stdout }}"
-# loop:
-# - src: foo.conf
-# dest: .config/foo/foo.conf
+- name: Set authorized keys
+ authorized_key:
+ user: "{{ account_name.stdout }}"
+ key: |
+ {% for user in users[account_name.stdout].authorized_keys %}
+ {{ lookup('file', './files/keys/' + user + '.pub') }}
+ {% endfor %}
+ exclusive: true
+ notify: "restart sshd"
 
 - import_tasks: tasks/peruser_freebsd.yaml
 when: 'os_flavor == "freebsd"'
diff --git a/ansible/roles/users/defaults/main.yaml b/ansible/roles/users/defaults/main.yaml
index f1f8090..a4fa82f 100644
--- a/ansible/roles/users/defaults/main.yaml
+++ b/ansible/roles/users/defaults/main.yaml
@@ -5,3 +5,8 @@ users:
 gid: 11235
 groups:
 - name: wheel
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+ - homeassistant
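Review bot: `users[account_name.stdout].authorized_keys` is an undefined-variable error for any account in `users` that has no `authorized_keys` entry, so the "Set authorized keys" task aborts the play for such users rather than leaving them alone. Guard it with `when: users[account_name.stdout].authorized_keys is defined`, and because `exclusive: true` deletes every key not in the list, decide explicitly whether an absent list should mean "unmanaged" (the guard) or "no keys" (`| default([])`, after checking how the module treats an empty key string). The `notify: "restart sshd"` is unnecessary for this task: sshd re-reads `authorized_keys` on each authentication, so only `sshd_config` changes need a reload. The `account_name`/`account_homedir`/`group_name` facts come from the `per_user` role outside this hunk, so their being `.stdout` of a command is assumed here, and it is worth adding `mode: "0700"` quoting while the task is being rewritten.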
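Review bot: Making all four keys a role default grants every account this role defines (the entry in this hunk is in `wheel`, i.e. an admin user) the same key set, and the `homeassistant` entry is a plain `ssh-ed25519` software key whose comment names a MacBook, sitting beside three hardware-backed keys with no restrictions at all. If that key is meant for an automation client, prefix its line in `homeassistant.pub` with options such as `restrict,from="<home-assistant address>" ssh-ed25519 AAAA…` so it cannot open a shell or forward ports from anywhere else; `authorized_key` passes such option prefixes through unchanged. Since this exact list is also added to `host_vars/odolinux` in the same commit, consider keeping key lists per host only and leaving the role default empty, so a new host does not inherit every key by accident. The user entry this belongs to begins above the hunk.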