Update to 2021-12-13 19:00

This commit is contained in:
Daniel Berteaud 2021-12-13 19:00:18 +01:00
parent c699767808
commit e43d9bc96c
14 changed files with 185 additions and 148 deletions


@ -16,8 +16,13 @@ external_services = {
port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}", port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}",
{% endif %} {% endif %}
{% if stun | urlsplit('query') is search('transport=') %} {% if stun | urlsplit('query') is search('transport=') %}
transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}" transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}",
{% endif %} {% endif %}
secret = {{ jitsi_turn_secret is defined | ternary('true', 'false') }},
{% if stun | urlsplit('scheme') == 'turn' or stun | urlsplit('scheme') == 'turns' %}
algorithm = "turn",
{% endif %}
ttl = 86400
}, },
{% endfor %} {% endfor %}
}; };
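Review bot: `ttl = 86400` hard-codes the lifetime of the TURN credentials prosody hands out, with no variable or comment explaining the choice; a shorter or configurable lifetime bounds how long a leaked credential stays usable. Consider exposing it as a role variable with the current value as its default (a constructed `jitsi_turn_ttl: 86400`, rendered as `ttl = {{ jitsi_turn_ttl }}`) or at least adding `{# credential lifetime in seconds #}` above the line. The `secret = ...` line only advertises whether `jitsi_turn_secret` is defined; when it is not and the scheme is turn/turns, clients presumably get a TURN entry without usable credentials, which deserves a comment stating whether that is the intended outcome. The enclosing `{% for %}` loop and the `external_services` table start outside the hunk.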


@ -92,6 +92,7 @@ squid_base_acl:
items: items:
- '"/etc/squid/acl/software_windows.domains"' - '"/etc/squid/acl/software_windows.domains"'
- '"/etc/squid/acl/service_fws.domains"' - '"/etc/squid/acl/service_fws.domains"'
- '"/etc/squid/acl/service_dbd.domains"'
- '"/etc/squid/acl/service_various.domains"' - '"/etc/squid/acl/service_various.domains"'
- '"/etc/squid/acl/software_epel.domains"' - '"/etc/squid/acl/software_epel.domains"'
- '"/etc/squid/acl/software_centos.domains"' - '"/etc/squid/acl/software_centos.domains"'
@ -100,6 +101,7 @@ squid_base_acl:
- '"/etc/squid/acl/software_various.domains"' - '"/etc/squid/acl/software_various.domains"'
- '"/etc/squid/acl/software_smeserver.domains"' - '"/etc/squid/acl/software_smeserver.domains"'
- '"/etc/squid/acl/software_remi.domains"' - '"/etc/squid/acl/software_remi.domains"'
- '"/etc/squid/acl/software_dbd.domains"'
- name: local_whitelist_domains - name: local_whitelist_domains
type: dstdomain type: dstdomain
items: items:
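Review bot: The new `'"/etc/squid/acl/service_dbd.domains"'` and `'"/etc/squid/acl/software_dbd.domains"'` entries reference files that must exist before squid reloads, because squid refuses to parse a configuration whose quoted acl file is missing; the two new domain-list files added elsewhere in this commit look like they are those lists, but their paths are not shown on this page, so that is an inference. A one-line comment above `items:` stating that every listed file is deployed by this role, or a task that verifies the files exist before the reload handler runs, would make the dependency explicit. The enclosing `squid_base_acl` mapping starts outside the hunk.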


@ -0,0 +1 @@
.lapiole.org


@ -0,0 +1,2 @@
rpms.lapiole.org
git.lapiole.org


@ -16,7 +16,6 @@ publicsuffix.org
www.internic.net www.internic.net
tzurl.org tzurl.org
gitlab.com gitlab.com
.lapiole.org
archive.apache.org archive.apache.org
ftp.gnu.org ftp.gnu.org


@ -1,31 +1,35 @@
--- ---
# List of port sshd will bind to # List of port sshd will listen on
sshd_ports: [ '22' ] sshd_ports:
- 22
# Will restrict ssh access to the following IP/CIDR (only if iptables_manage == True)
sshd_src_ip:
- 0.0.0.0/0
# Will restrict ssh access to the following IP
#
sshd_src_ip: []
# sshd_src_ip: # sshd_src_ip:
# - 12.13.14.15 # - 12.13.14.15
# - 192.168.17.0/24 # - 192.168.17.0/24
sshd_permit_root_login: no # Allow the root user to login
sshd_password_auth: yes sshd_permit_root_login: False
# Allow password authentication
sshd_password_auth: True
# Control the AllowUsers, DenyUsers, AllowGroups and DenyGroups # Control the AllowUsers, DenyUsers, AllowGroups and DenyGroups
# sshd_allow_users: # sshd_allow_users:
# - fws # - xavier
# - dani # - dani@EXAMPLE.ORG
# sshd_deny_users: # sshd_deny_users:
# - dimitri # - dimitri
# - flo # - flo
# sshd_allow_groups: # sshd_allow_groups:
# - tech # - tech
# - support # - support@EXAMPLE.ORG
# sshd_deny_groups: # sshd_deny_groups:
# - sales # - sales
# - interim # - interim@EXAMPLE.ORG
# #
# #
@ -52,7 +56,7 @@ sshd_password_auth: yes
# run_as: root # run_as: root
# nopasswd: False # nopasswd: False
# #
#ssh_extra_users (can be used as ssh_users) #ssh_extra_users (can be used as ssh_users, both will be merged)
# #
# #
# Max number of conn / minute. 0 to disable rate limit # Max number of conn / minute. 0 to disable rate limit
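Review bot: The comment above `sshd_src_ip` says access will be restricted to the listed IPs, but it does not say what the empty list does: the role's iptables task only creates the ssh ACCEPT rule when `sshd_src_ip | length > 0`, so `sshd_src_ip: []` means the role adds no ACCEPT rule at all and reachability depends on the firewall's default policy (the rendering does not show which side carries `[]` and which `0.0.0.0/0`, so read this as applying to whichever is the new default). Suggest `# Restrict ssh access to these IP/CIDR (only if iptables_manage == True). Empty list = this role adds no ssh ACCEPT rule`. `sshd_permit_root_login: False` and `sshd_password_auth: True` should be the canonical YAML `false`/`true`, and the unchanged default of password authentication enabled deserves its own comment so a reader knows key-only authentication is opt-in.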


@ -0,0 +1,13 @@
---
- name: List all authorized keys directories
shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename
register: existing_ssh_keys
changed_when: False
tags: ssh
- name: Remove unmanaged ssh keys
file: path=/etc/ssh/authorized_keys/{{ item }} state=absent
loop: "{{ existing_ssh_keys.stdout_lines | default([]) }}"
when: item not in ssh_users | rejectattr('keys_file', 'defined') | map(attribute='name')
tags: ssh
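Review bot: The `when` on `Remove unmanaged ssh keys` protects only users without `keys_file`, but `Create private dir for Authorized keys` in conf.yml still loops over every entry of `ssh_users` with no condition, so for a user with `keys_file` defined the directory is created by conf.yml and deleted again here on every run (main.yml includes conf.yml before cleanup.yml), and the role reports a change each time instead of converging. Either add `when: item.keys_file is not defined` to that conf.yml task or drop the `rejectattr('keys_file', 'defined')` filter here so such users keep their directory. Separately, parsing `ls | xargs basename` output via `shell` could be replaced by the `find` module with `file_type: directory` and `results | map(attribute='path') | map('basename')`, which needs no shell and no `changed_when`.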

roles/ssh/tasks/conf.yml Normal file

@ -0,0 +1,81 @@
---
- name: Deploy sshd configuration
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
notify: restart sshd
tags: ssh
- name: Create top level authorized keys directory
file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
tags: ssh
- name: Create an SSH key pair for root
user:
name: root
generate_ssh_key: yes
ssh_key_file: .ssh/id_rsa
tags: ssh
- name: Create ssh users
user:
name: "{{ item.name }}"
loop: "{{ ssh_users }}"
register: ssh_create_user
when: item.create_user | default(False)
tags: ssh
- name: Check if sssd is installed
stat: path=/usr/sbin/sss_cache
register: ssh_sss_cache
tags: ssh
# Flush sss cache so we can modify newly available users
- name: Reset sss cache
command: sss_cache -E
when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
tags: ssh
# We do this in two times (first create, then set shell and comment)
# to prevent hitting a bug in ansible where usermod could be called before useradd
# See https://github.com/ansible/ansible/issues/22576
- name: Set ssh user attributes
user:
name: "{{ item.name }}"
comment: "{{ item.full_name | default(omit) }}"
shell: "{{ item.shell | default(omit) }}"
loop: "{{ ssh_users }}"
when: item.create_user | default(False)
tags: ssh
- name: Create private dir for Authorized keys
file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
ignore_errors: True # Needed eg, if LDAP isn't available on first run
loop: "{{ ssh_users }}"
tags: ssh
- name: Deploy ssh user keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
key_options: "{{ item.key_options | default([]) | join(',') }}"
path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
manage_dir: False
exclusive: True
ignore_errors: True # Needed eg, if LDAP isn't available on first run
#when: item.ssh_keys is defined
loop: "{{ ssh_users }}"
tags: ssh
- name: Ensure permissions and ownership on authorized_keys files
file:
path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
mode: 0600
owner: "{{ item.name }}"
when: item.ssh_keys is defined
ignore_errors: True
loop: "{{ ssh_users }}"
tags: ssh
- name: Deploy sudo fragment
template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
tags: ssh
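Review bot: `Ensure permissions and ownership on authorized_keys files` still hard-codes `path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys`, while `Deploy ssh user keys` now writes to `item.keys_file` when it is defined; for such users the permission task targets a path that may not exist (masked by `ignore_errors: True`) and the real keys file never gets `0600` and its owner enforced. Use the same expression on both tasks: `path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"`. The move of the sshd_config template out of main.yml also dropped `backup=yes` (the old line was `template: src=sshd_config.j2 dest=/etc/ssh/sshd_config backup=yes`); if that was unintended, restore it, since a backup of the previous sshd_config is what lets you recover from a bad template without console access. `ignore_errors: True` on the `authorized_key` task (which runs with `exclusive: True`) means a failed deployment leaves stale keys in place without failing the play; narrowing it with `failed_when` to the LDAP-unavailable case the comment describes keeps real failures visible. `mode: 0600` is an unquoted octal literal and is better written `mode: "0600"`.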


@ -0,0 +1,7 @@
---
- name: Combine SSH users
set_fact:
ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}"
tags: ssh
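Review bot: `set_fact` stores the combined list under the same name as the defaults variable, so if this role is applied more than once in the same play, `ssh_extra_users` is appended to an already-combined `ssh_users` and the list gets duplicate entries; this follows from set_fact precedence rather than from a visible call site, so confirm whether multiple applications are a supported use. A guard such as `when: ssh_users_combined is not defined` paired with a second `set_fact: ssh_users_combined: true`, plus a comment `# set_fact outranks role defaults, so this must run only once per host`, would make the task idempotent. Writing the expression as `ssh_users + (ssh_extra_users | default([]))` with explicit parentheses also makes the intended precedence obvious (the current form already works, since a filter binds tighter than `+`).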


@ -0,0 +1,17 @@
---
- name: Install ssh components
yum:
name:
- openssh-server
- openssh-clients
when: ansible_os_family == 'RedHat'
tags: ssh
- name: Install ssh components
apt:
name:
- openssh-server
- openssh-client
when: ansible_os_family == 'Debian'
tags: ssh


@ -0,0 +1,19 @@
---
- name: Apply rate limits
iptables_raw:
name: sshd_limit
rules: |
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
weight: 10
tags: ssh,firewall
- name: Handle ssh ports
iptables_raw:
name: sshd_ports
state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT"
tags: ssh,firewall
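Review bot: The LOG rule in `Apply rate limits` fires for every new connection beyond `sshd_max_conn_per_minute` and has no rate limit of its own, so a sustained connection flood against ssh is also a log flood; add a limit match before `-j LOG`, e.g. `-m limit --limit 5/min --limit-burst 10` (constructed values, tune as needed). A comment above `rules: |` such as `# first rule records the source in the ssh_limit list; the next two log and reject once hitcount is reached within 60s` would help readers who do not know the `recent` match. `Handle ssh ports` expands `-s {{ sshd_src_ip | flatten | join(',') }}` into one iptables rule per address; whether `iptables_raw` removes all of them when the list shrinks and `state` flips to absent cannot be verified from this page. The `when: iptables_manage | default(True)` guard that sat on each of these tasks in the old main.yml now lives on the include, so running this file on its own bypasses it.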


@ -1,139 +1,12 @@
--- ---
- name: Install ssh components - include: facts.yml
yum: - include: install.yml
name: - include: conf.yml
- openssh-server - include: selinux.yml
- openssh-clients
when: ansible_os_family == 'RedHat'
tags: ssh
- name: Install ssh components
apt:
name:
- openssh-server
- openssh-client
when: ansible_os_family == 'Debian'
tags: ssh
- name: Allow ssh port in SELinux
seport: ports={{ sshd_ports|join(',') }} proto=tcp setype=ssh_port_t state=present
when: ansible_selinux.status == 'enabled' when: ansible_selinux.status == 'enabled'
tags: ssh - include: iptables.yml
- name: Combine SSH users
set_fact:
ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}"
tags: ssh
- name: Deploy sshd configuration
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config backup=yes
notify: restart sshd
tags: ssh
- name: Set SSH rate limit
iptables_raw:
name: sshd_limit
rules: |
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
weight: 10
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: ssh,firewall - include: service.yml
- include: cleanup.yml
- name: Handle ssh ports
iptables_raw:
name: sshd_ports
state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
tags: ssh,firewall
- name: Create top level authorized keys directory
file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
tags: ssh
- name: Create an SSH key pair for root
user:
name: root
generate_ssh_key: yes
ssh_key_file: .ssh/id_rsa
tags: ssh
# Do this in two times, to prevent hitting a bug in ansible
# where usermod could be called before useradd
# See https://github.com/ansible/ansible/issues/22576
- name: Create ssh users
user:
name: "{{ item.name }}"
with_items: "{{ ssh_users }}"
register: ssh_create_user
when: item.create_user | default(False)
tags: ssh
- name: Check if sssd is installed
stat: path=/usr/sbin/sss_cache
register: ssh_sss_cache
tags: ssh
# Flush sss cache so we can modify freshly created users
- name: Reset sss cache
command: sss_cache -E
when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
tags: ssh
- name: Set ssh user attributes
user:
name: "{{ item.name }}"
comment: "{{ item.full_name | default(omit) }}"
shell: "{{ item.shell | default(omit) }}"
with_items: "{{ ssh_users }}"
when: item.create_user | default(False)
tags: ssh
- name: Create private dir for Authorized keys
file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
ignore_errors: True # Needed eg, if LDAP isn't available on first run
with_items: "{{ ssh_users }}"
tags: ssh
- name: Deploy ssh user keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
key_options: "{{ item.key_options | default([]) | join(',') }}"
path: "/etc/ssh/authorized_keys/{{ item.name }}/authorized_keys"
manage_dir: False
exclusive: True
ignore_errors: True # Needed eg, if LDAP isn't available on first run
#when: item.ssh_keys is defined
with_items: "{{ ssh_users }}"
tags: ssh
- name: Ensure permissions and ownership on authorized_keys files
file:
path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
mode: 0600
owner: "{{ item.name }}"
when: item.ssh_keys is defined
ignore_errors: True
with_items: "{{ ssh_users }}"
tags: ssh
- name: List all authorized keys directories
shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename
register: existing_ssh_keys
changed_when: False
tags: ssh
- name: Remove unmanaged ssh keys
file: path=/etc/ssh/authorized_keys/{{ item }} state=absent
with_items: "{{ existing_ssh_keys.stdout_lines | default([]) }}"
when: item not in ssh_users | map(attribute='name')
tags: ssh
- name: Deploy sudo fragment
template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
tags: ssh
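Review bot: `- include:` has been deprecated for task files since Ansible 2.4 in favour of `import_tasks`/`include_tasks`, and since the split files already use `loop:` the role cannot be targeting a version where plain `include` is the only option. Switching to `- import_tasks: iptables.yml` keeps the `when: ansible_selinux.status == 'enabled'` and `when: iptables_manage | default(True)` conditions applied statically to every imported task, which is what the old inline tasks did; with `include_tasks` the condition is evaluated once for the include and `tags` would not propagate to the included tasks. A comment on the `cleanup.yml` line noting that it must run last because it deletes any directory under `/etc/ssh/authorized_keys/` not owned by a managed user would document the ordering dependency.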


@ -0,0 +1,9 @@
---
- name: Allow ssh port in SELinux
seport:
ports: "{{ sshd_ports | join(',') }}"
proto: tcp
setype: ssh_port_t
tags: ssh


@ -0,0 +1,5 @@
---
- name: Start and enable sshd
service: name=sshd state=started enabled=True
tags: ssh
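Review bot: `name=sshd` is the Red Hat unit name; on Debian-family hosts, which install.yml supports, the unit is `ssh` and `sshd` exists only as an alias once the unit is enabled, so `enabled=True` against the alias may fail on a host where it is not yet enabled (inferred from Debian packaging, confirm on a target). A per-family variable, e.g. `service: name={{ sshd_service_name | default('sshd') }} state=started enabled=True` with the name chosen from `ansible_os_family`, keeps this file portable; the `restart sshd` handler that conf.yml notifies would need the same treatment.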