Merge branch 'sshd'

ansible/environments/home/host_vars/homeserver

@@ -1,3 +1,5 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
   - zroot/freebsd/computer/be/default
+sshd_enabled: true
+sshd_conf: "sshd_config"

ansible/environments/laptop/host_vars/odolinux

@@ -9,6 +9,11 @@ users:
       - name: users
       - name: docker
       - name: libvirt
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant
 zfs_snapshot_datasets:
   - zroot/linux/archmain/home
   - zroot/linux/archmain/be

ansible/playbook.yaml

@@ -6,4 +6,5 @@
     - users
     - zrepl
     - zsh
+    - sshd
     - base

ansible/roles/blank/handlers/main.yaml

@@ -1,4 +1,14 @@
-# - name: restart foo
+# - name: restart foo freebsd
+#   when: 'os_flavor == "freebsd"'
+#   listen: restart foo
 #   service:
 #     name: foo
 #     state: restarted
+
+# - name: restart ssh linux
+#   when: 'os_flavor == "linux"'
+#   listen: restart foo
+#   systemd:
+#     state: restarted
+#     name: foo
+#     daemon_reload: yes

ansible/roles/sshd/defaults/main.yaml

@@ -0,0 +1 @@
+sshd_enabled: false

ansible/roles/sshd/files/keys/backup_fido.pub

@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=

ansible/roles/sshd/files/keys/homeassistant.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfmIPexKT+dzA8VpQ1nblAaDLYBorIc2WYQv+Lc4apk lizapolyudova@Lizas-Air.home.arpa

ansible/roles/sshd/files/keys/main_fido.pub

@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=

ansible/roles/sshd/files/keys/yubikey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908

ansible/roles/sshd/files/rc.conf

@@ -0,0 +1 @@
+sshd_enable="YES"

ansible/roles/sshd/files/sshd_config

@@ -0,0 +1,122 @@
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+#	$FreeBSD$
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#KbdInteractiveAuthentication yes
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20211221
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

ansible/roles/sshd/handlers/main.yaml

@@ -0,0 +1,14 @@
+- name: restart sshd freebsd
+  when: 'os_flavor == "freebsd"'
+  listen: restart sshd
+  service:
+    name: sshd
+    state: reloaded
+
+- name: restart ssh linux
+  when: 'os_flavor == "linux"'
+  listen: restart sshd
+  systemd:
+    state: reloaded
+    name: sshd
+    daemon_reload: yes

ansible/roles/sshd/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - users

ansible/roles/sshd/tasks/common.yaml

@@ -0,0 +1,26 @@
+- name: Install Configuration
+  when: sshd_conf is defined
+  copy:
+    src: "files/{{ sshd_conf }}"
+    dest: "{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  notify: restart sshd
+  loop:
+    - /etc/ssh/sshd_config
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/sshd/tasks/freebsd.yaml

@@ -0,0 +1,10 @@
+- name: Enable services
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: rc.conf
+      dest: /etc/rc.conf.d/sshd

ansible/roles/sshd/tasks/linux.yaml

@@ -0,0 +1,6 @@
+- name: Enable services
+  systemd:
+    state: started
+    name: sshd
+    daemon_reload: yes
+    enabled: yes

ansible/roles/sshd/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: sshd_enabled

ansible/roles/sshd/tasks/peruser.yaml

@@ -0,0 +1,26 @@
+- include_role:
+    name: per_user
+
+- name: Create ssh directory
+  file:
+    name: "{{ account_homedir.stdout }}/.ssh"
+    state: directory
+    mode: 0700
+    owner: "{{ account_name.stdout }}"
+    group: "{{ group_name.stdout }}"
+
+- name: Set authorized keys
+  authorized_key:
+    user: "{{ account_name.stdout }}"
+    key: |
+      {% for user in users[account_name.stdout].authorized_keys %}
+      {{ lookup('file', './files/keys/' + user + '.pub') }}
+      {% endfor %}
+    exclusive: true
+  notify: "restart sshd"
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/users/defaults/main.yaml

@@ -5,3 +5,8 @@ users:
     gid: 11235
     groups:
       - name: wheel
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+      - homeassistant