Update to 2021-12-13 19:00

2025-08-04 07:37:20 +02:00 · 2021-12-13 19:00:18 +01:00
parent c699767808
commit e43d9bc96c
14 changed files with 185 additions and 148 deletions
--- a/roles/ssh/tasks/conf.yml
+++ b/roles/ssh/tasks/conf.yml
@@ -0,0 +1,81 @@
+---
+
+- name: Deploy sshd configuration
+  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+  notify: restart sshd
+  tags: ssh
+
+- name: Create top level authorized keys directory
+  file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
+  tags: ssh
+
+- name: Create an SSH key pair for root
+  user:
+    name: root
+    generate_ssh_key: yes
+    ssh_key_file: .ssh/id_rsa
+  tags: ssh
+
+- name: Create ssh users
+  user:
+    name: "{{ item.name }}"
+  loop: "{{ ssh_users }}"
+  register: ssh_create_user
+  when: item.create_user | default(False)
+  tags: ssh
+
+- name: Check if sssd is installed
+  stat: path=/usr/sbin/sss_cache
+  register: ssh_sss_cache
+  tags: ssh
+
+  # Flush sss cache so we can modify newly available users
+- name: Reset sss cache
+  command: sss_cache -E
+  when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: ssh
+
+  # We do this in two times (first create, then set shell and comment)
+  # to prevent hitting a bug in ansible where usermod could be called before useradd
+  # See https://github.com/ansible/ansible/issues/22576
+- name: Set ssh user attributes
+  user:
+    name: "{{ item.name }}"
+    comment: "{{ item.full_name | default(omit) }}"
+    shell: "{{ item.shell | default(omit) }}"
+  loop: "{{ ssh_users }}"
+  when: item.create_user | default(False)
+  tags: ssh
+
+- name: Create private dir for Authorized keys
+  file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
+  ignore_errors: True # Needed eg, if LDAP isn't available on first run
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Deploy ssh user keys
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
+    key_options: "{{ item.key_options | default([]) | join(',') }}"
+    path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
+    manage_dir: False
+    exclusive: True
+  ignore_errors: True # Needed eg, if LDAP isn't available on first run
+  #when: item.ssh_keys is defined
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Ensure permissions and ownership on authorized_keys files
+  file:
+    path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
+    mode: 0600
+    owner: "{{ item.name }}"
+  when: item.ssh_keys is defined
+  ignore_errors: True
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Deploy sudo fragment
+  template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
+  tags: ssh