diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index d29acc3..043f581 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -1,3 +1,5 @@
 os_flavor: "freebsd"
 zfs_snapshot_datasets:
 - zroot/freebsd/computer/be/default
+sshd_enabled: true
+sshd_conf: "sshd_config"
diff --git a/ansible/environments/laptop/host_vars/odolinux b/ansible/environments/laptop/host_vars/odolinux
index a700b99..8ee08e9 100644
--- a/ansible/environments/laptop/host_vars/odolinux
+++ b/ansible/environments/laptop/host_vars/odolinux
@@ -9,6 +9,11 @@ users:
 - name: users
 - name: docker
 - name: libvirt
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+ - homeassistant
 zfs_snapshot_datasets:
 - zroot/linux/archmain/home
 - zroot/linux/archmain/be
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index d766097..2dafcac 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -6,4 +6,5 @@
 - users
 - zrepl
 - zsh
+ - sshd
 - base
diff --git a/ansible/roles/blank/handlers/main.yaml b/ansible/roles/blank/handlers/main.yaml
index 729fb8f..0d2f27e 100644
--- a/ansible/roles/blank/handlers/main.yaml
+++ b/ansible/roles/blank/handlers/main.yaml
@@ -1,4 +1,14 @@
-# - name: restart foo
+# - name: restart foo freebsd
+# when: 'os_flavor == "freebsd"'
+# listen: restart foo
 # service:
 # name: foo
 # state: restarted
+
+# - name: restart ssh linux
+# when: 'os_flavor == "linux"'
+# listen: restart foo
+# systemd:
+# state: restarted
+# name: foo
+# daemon_reload: yes
diff --git a/ansible/roles/sshd/defaults/main.yaml b/ansible/roles/sshd/defaults/main.yaml
new file mode 100644
index 0000000..3e4387c
--- /dev/null
+++ b/ansible/roles/sshd/defaults/main.yaml
@@ -0,0 +1 @@
+sshd_enabled: false
diff --git a/ansible/roles/sshd/files/keys/backup_fido.pub b/ansible/roles/sshd/files/keys/backup_fido.pub
new file mode 100644
index 0000000..fa8c178
--- /dev/null
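Review bot: The `authorized_keys` list added under the odolinux user entry repeats, name for name, the list this commit also adds to roles/users/defaults/main.yaml, and nothing in either file says what the entries are. The host-level `users` mapping replaces the role default rather than merging with it (unless hash_behaviour is set to merge), so the repetition is presumably required, but that makes the two lists easy to let drift. Worth a comment above each `authorized_keys:`: `# key names: files under roles/sshd/files/keys/<name>.pub; tasks/peruser.yaml installs this list with exclusive: true, removing any other key`. The users defaults hunk at the end of this diff has the same gap.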
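Review bot: The commented template in roles/blank/handlers/main.yaml now reads `# - name: restart ssh linux` while every other placeholder in it says `foo`, so the line carried the sshd role's name over from the file it was copied from; `# - name: restart foo linux` keeps the template self-consistent. `# daemon_reload: yes` in the same block is a YAML 1.1 boolean spelling; the template should show `# daemon_reload: true` so copies of it do not inherit it.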
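Review bot: `sshd_conf`, which tasks/common.yaml tests with `when: sshd_conf is defined`, is not declared in roles/sshd/defaults/main.yaml, so a reader of the defaults cannot tell that the role installs nothing into /etc/ssh/sshd_config unless a host sets it (host_vars/homeserver does, host_vars/odolinux does not, so the laptop keeps whatever config its distribution ships). Add a commented entry beneath `sshd_enabled`: `# sshd_conf: name of a file under files/ to install as /etc/ssh/sshd_config; unset keeps the existing config`.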
+++ b/ansible/roles/sshd/files/keys/backup_fido.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=
diff --git a/ansible/roles/sshd/files/keys/homeassistant.pub b/ansible/roles/sshd/files/keys/homeassistant.pub
new file mode 100644
index 0000000..aabacf6
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/homeassistant.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfmIPexKT+dzA8VpQ1nblAaDLYBorIc2WYQv+Lc4apk lizapolyudova@Lizas-Air.home.arpa
diff --git a/ansible/roles/sshd/files/keys/main_fido.pub b/ansible/roles/sshd/files/keys/main_fido.pub
new file mode 100644
index 0000000..ec20fd2
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/main_fido.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=
diff --git a/ansible/roles/sshd/files/keys/yubikey.pub b/ansible/roles/sshd/files/keys/yubikey.pub
new file mode 100644
index 0000000..36b8f22
--- /dev/null
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
diff --git a/ansible/roles/sshd/files/rc.conf b/ansible/roles/sshd/files/rc.conf
new file mode 100644
index 0000000..38a7f5f
--- /dev/null
+++ b/ansible/roles/sshd/files/rc.conf
@@ -0,0 +1 @@
+sshd_enable="YES"
diff --git a/ansible/roles/sshd/files/sshd_config b/ansible/roles/sshd/files/sshd_config
new file mode 100644
index 0000000..3958b48
--- /dev/null
+++ b/ansible/roles/sshd/files/sshd_config
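Review bot: The comment field of homeassistant.pub, `lizapolyudova@Lizas-Air.home.arpa`, identifies a personal laptop, while the file name and the `authorized_keys` entries that reference it say `homeassistant`; one of the two is mislabelled, and since tasks/peruser.yaml pushes this key to every account in the default `users` list with `exclusive: true`, it is worth confirming which identity the key actually belongs to before it is distributed. The comment is copied verbatim into each account's authorized_keys, so renaming it to match the file (or naming the file after the device) keeps a later audit of `~/.ssh/authorized_keys` unambiguous.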
@@ -0,0 +1,122 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+# $FreeBSD$
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#KbdInteractiveAuthentication yes
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20211221
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/ansible/roles/sshd/handlers/main.yaml b/ansible/roles/sshd/handlers/main.yaml
new file mode 100644
index 0000000..c7b6c00
--- /dev/null
+++ b/ansible/roles/sshd/handlers/main.yaml
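Review bot: The only authentication directive this file sets explicitly is `KbdInteractiveAuthentication no`; `PasswordAuthentication`, `PermitRootLogin` and `PubkeyAuthentication` are left as commented defaults, so the key-only, no-root posture the role clearly intends depends on the compiled-in defaults of whichever sshd this file lands on. Since tasks/common.yaml copies it to /etc/ssh/sshd_config on any host that sets `sshd_conf`, make the intent explicit next to the existing override: `PasswordAuthentication no`, `PermitRootLogin no`, `PubkeyAuthentication yes`. The file is otherwise FreeBSD-specific (`UseBlacklist`, `VersionAddendum FreeBSD-20211221`, and `Subsystem sftp /usr/libexec/sftp-server`, a path that most Linux distributions do not use), which is worth a comment at the top so nobody points a Linux host's `sshd_conf` at it and loses sftp.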
@@ -0,0 +1,14 @@
+- name: restart sshd freebsd
+ when: 'os_flavor == "freebsd"'
+ listen: restart sshd
+ service:
+ name: sshd
+ state: reloaded
+
+- name: restart ssh linux
+ when: 'os_flavor == "linux"'
+ listen: restart sshd
+ systemd:
+ state: reloaded
+ name: sshd
+ daemon_reload: yes
diff --git a/ansible/roles/sshd/meta/main.yaml b/ansible/roles/sshd/meta/main.yaml
new file mode 100644
index 0000000..655446a
--- /dev/null
+++ b/ansible/roles/sshd/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+ - users
diff --git a/ansible/roles/sshd/tasks/common.yaml b/ansible/roles/sshd/tasks/common.yaml
new file mode 100644
index 0000000..8af7b49
--- /dev/null
+++ b/ansible/roles/sshd/tasks/common.yaml
@@ -0,0 +1,26 @@
+- name: Install Configuration
+ when: sshd_conf is defined
+ copy:
+ src: "files/{{ sshd_conf }}"
+ dest: "{{ item }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ notify: restart sshd
+ loop:
+ - /etc/ssh/sshd_config
+
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/sshd/tasks/freebsd.yaml b/ansible/roles/sshd/tasks/freebsd.yaml
new file mode 100644
index 0000000..efb9cab
--- /dev/null
+++ b/ansible/roles/sshd/tasks/freebsd.yaml
@@ -0,0 +1,10 @@
+- name: Enable services
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - src: rc.conf
+ dest: /etc/rc.conf.d/sshd
diff --git a/ansible/roles/sshd/tasks/linux.yaml b/ansible/roles/sshd/tasks/linux.yaml
new file mode 100644
index 0000000..78e3302
--- /dev/null
+++ b/ansible/roles/sshd/tasks/linux.yaml
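Review bot: Both handlers in roles/sshd/handlers/main.yaml listen on `restart sshd` but perform `state: reloaded`, so the topic name promises a restart that never happens; either rename the topic to `reload sshd` (together with the two `notify` lines in tasks/common.yaml and tasks/peruser.yaml) or add a comment `# reload, not restart: existing sessions survive a config change` above the first handler. The Linux handler is named `restart ssh linux` while the unit it acts on is `sshd`; `restart sshd linux` keeps the two names parallel. `daemon_reload: yes` here and in tasks/linux.yaml is the YAML 1.1 boolean spelling; write `daemon_reload: true`, and on the reload handler it is not needed at all since no unit file changes.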
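Review bot: The copy into `/etc/ssh/sshd_config` in roles/sshd/tasks/common.yaml runs with no `validate:`, so a typo in the file named by `sshd_conf` is written over the live config and the `restart sshd` handler then reloads a daemon whose config no longer parses, which on a remote host can leave no working listener behind the session used to fix it; add `validate: "/usr/sbin/sshd -t -f %s"` to the copy task (adjust the binary path to what the host actually has). The `loop:` over the single `/etc/ssh/sshd_config` entry and the `dest: "{{ item }}"` indirection can be a plain `dest: /etc/ssh/sshd_config`. `mode: 0644` relies on the leading zero being read as octal; `mode: "0644"` is the unambiguous form, here and in tasks/freebsd.yaml.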
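Review bot: The FreeBSD branch in roles/sshd/tasks/freebsd.yaml only writes `/etc/rc.conf.d/sshd`, which enables sshd at boot; unlike tasks/linux.yaml (`state: started`) it never starts the daemon, so on a host where sshd was not already running the role reports success while nothing listens until the next reboot, and the `restart sshd` handler then has nothing to reload. Add a `service` task after the copy so both branches converge on a running daemon.
```yaml
# … unchanged: Enable services copy of rc.conf.d/sshd …

- name: Start sshd
  service:
    name: sshd
    state: started
```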
@@ -0,0 +1,6 @@
+- name: Enable services
+ systemd:
+ state: started
+ name: sshd
+ daemon_reload: yes
+ enabled: yes
diff --git a/ansible/roles/sshd/tasks/main.yaml b/ansible/roles/sshd/tasks/main.yaml
new file mode 100644
index 0000000..5249f89
--- /dev/null
+++ b/ansible/roles/sshd/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: sshd_enabled
diff --git a/ansible/roles/sshd/tasks/peruser.yaml b/ansible/roles/sshd/tasks/peruser.yaml
new file mode 100644
index 0000000..3b4e070
--- /dev/null
+++ b/ansible/roles/sshd/tasks/peruser.yaml
@@ -0,0 +1,26 @@
+- include_role:
+ name: per_user
+
+- name: Create ssh directory
+ file:
+ name: "{{ account_homedir.stdout }}/.ssh"
+ state: directory
+ mode: 0700
+ owner: "{{ account_name.stdout }}"
+ group: "{{ group_name.stdout }}"
+
+- name: Set authorized keys
+ authorized_key:
+ user: "{{ account_name.stdout }}"
+ key: |
+ {% for user in users[account_name.stdout].authorized_keys %}
+ {{ lookup('file', './files/keys/' + user + '.pub') }}
+ {% endfor %}
+ exclusive: true
+ notify: "restart sshd"
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/sshd/tasks/peruser_freebsd.yaml b/ansible/roles/sshd/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/sshd/tasks/peruser_linux.yaml b/ansible/roles/sshd/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/users/defaults/main.yaml b/ansible/roles/users/defaults/main.yaml
index f1f8090..a4fa82f 100644
--- a/ansible/roles/users/defaults/main.yaml
+++ b/ansible/roles/users/defaults/main.yaml
@@ -5,3 +5,8 @@ users:
 gid: 11235
 groups:
 - name: wheel
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+ - homeassistant
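Review bot: In roles/sshd/tasks/peruser.yaml, `users[account_name.stdout].authorized_keys` is dereferenced without a default, so any `initialize: true` user whose entry lacks `authorized_keys` (a host's `users` mapping replaces the role default rather than merging with it unless hash_behaviour is set to merge) aborts the play with an undefined-variable error instead of being skipped; guard the task with `when: users[account_name.stdout].authorized_keys is defined`, or document in the role defaults that the key is mandatory for every initialized user. `notify: "restart sshd"` on this task is unnecessary, because sshd reads `~/.ssh/authorized_keys` at authentication time, so the handler only churns the daemon. The Jinja loop variable `user` holds a key-file name rather than an account and sits one line below `user:`; `key_name` reads correctly. A comment above `exclusive: true` should state that it deletes every key not produced here, which is the intended authoritative-list behaviour but surprises anyone who added a key by hand.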