From ee31ade8e240b3534ebf0f4b8ba6815301afb714 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 26 Apr 2023 19:29:58 +0200
Subject: [PATCH] extract roles
---
ansible/atlas.yml | 3 +-
ansible/backup_control.sh | 15 ----
.../host_vars/atlas/ssh_certificates.yml | 12 +++
ansible/requirements.yml | 6 ++
.../roles/ssh/files/ssh_user_certificate.conf | 2 -
ansible/roles/ssh/tasks/main.yml | 73 -------------------
ansible/sshd.conf.j2 | 14 ----
7 files changed, 20 insertions(+), 105 deletions(-)
delete mode 100644 ansible/backup_control.sh
create mode 100644 ansible/inventory/host_vars/atlas/ssh_certificates.yml
delete mode 100644 ansible/roles/ssh/files/ssh_user_certificate.conf
delete mode 100644 ansible/roles/ssh/tasks/main.yml
delete mode 100644 ansible/sshd.conf.j2
diff --git a/ansible/atlas.yml b/ansible/atlas.yml
index e5f6ca3..2c072f0 100644
--- a/ansible/atlas.yml
+++ b/ansible/atlas.yml
@@ -26,5 +26,6 @@
 - {role: postgresql, tags: postgresql}
 - {role: wireguard, tags: wireguard}
 - {role: ssh_ca, tags: ssh_ca}
- - {role: ssh, tags: ssh}
+ - {role: ssh_ca_known_hosts, tags: ssh_ca_known_hosts}
+ - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
 - {role: borg, tags: borg}
diff --git a/ansible/backup_control.sh b/ansible/backup_control.sh
deleted file mode 100644
index 7563250..0000000
--- a/ansible/backup_control.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-VIRSH="virsh --connect qemu:///system"
-read -p "" option
-case "$option" in
- up)
- for i in $($VIRSH list --all --name --autostart); do $VIRSH start "$i"; done
- ;;
- down)
- for i in $($VIRSH list --state-running --name --autostart); do
- $VIRSH shutdown "$i"
- until $VIRSH domstate "$i" | grep shut; do
- sleep 0.5
- done
- done
- ;;
-esac
diff --git a/ansible/inventory/host_vars/atlas/ssh_certificates.yml b/ansible/inventory/host_vars/atlas/ssh_certificates.yml
new file mode 100644
index 0000000..029c8fb
--- /dev/null
+++ b/ansible/inventory/host_vars/atlas/ssh_certificates.yml
@@ -0,0 +1,12 @@
+deploy_ssh_certificates:
+ - name: ssh_user_ed25519_key
+ type: user
+ key_type: ed25519
+ signing_key: hyp_user
+ host: atlas.hyp
+ principals: hypervisor
+ - name: ssh_host_ed25519_key
+ type: host
+ key_type: ed25519
+ signing_key: hyp_host
+ host: atlas.hyp
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index a9efdbe..5062082 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -4,5 +4,11 @@
 - name: ssh_ca
 src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
 scm: git
+- name: deploy_ssh_certificates
+ src: https://git.pim.kunis.nl/home/ansible-role-deploy-ssh-certificates
+ scm: git
+- name: ssh_ca_known_hosts
+ src: https://git.pim.kunis.nl/home/ansible-role-ssh-ca-known-hosts
+ scm: git
 - name: wireguard
 src: githubixx.ansible_role_wireguard
diff --git a/ansible/roles/ssh/files/ssh_user_certificate.conf b/ansible/roles/ssh/files/ssh_user_certificate.conf
deleted file mode 100644
index 4a0bccc..0000000
--- a/ansible/roles/ssh/files/ssh_user_certificate.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
-IdentityFile /etc/ssh/ssh_user_ed25519_key
diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
deleted file mode 100644
index 6e13701..0000000
--- a/ansible/roles/ssh/tasks/main.yml
+++ /dev/null
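Review bot: The host certificate entry (`- name: ssh_host_ed25519_key`) carries no `principals`, while the user entry pins `hypervisor`. If the `deploy_ssh_certificates` role forwards this field to `ssh-keygen -n` and simply omits the flag when it is unset, ssh-keygen issues a host certificate valid for every hostname, and any client trusting an `@cert-authority *.hyp` entry (the removed tasks installed one) would accept this host's key under any `*.hyp` name, so a leaked host key could impersonate other hosts. I would add `principals: atlas.hyp` to the host entry (plus any alias clients connect with), or confirm the role derives a default from `host`. A one-line comment above `host: atlas.hyp` stating whether it is the CA endpoint or the certificate's key identity would also help, because the removed role used `atlas.hyp` as the CA endpoint and `ansible_host` as the identity.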
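Review bot: Both new git-sourced roles (`deploy_ssh_certificates`, `ssh_ca_known_hosts`) are listed with no `version:`, so `ansible-galaxy install` follows the default branch HEAD and whoever can push to those repositories controls tasks that run as root on every host in `atlas.yml`; the pre-existing `ssh_ca` entry has the same gap. Pin each role to a tag or commit by adding `version: <tag-or-commit>` under its `scm: git` line and bump it deliberately when the role changes. The new roles live under `/home/` while `ssh_ca` is under `/pim/`; presumably intentional, but worth confirming that the `home` namespace is the one you control.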
@@ -1,73 +0,0 @@
-- name: Generate user key pair
- openssh_keypair:
- path: /etc/ssh/ssh_user_ed25519_key
- type: ed25519
- comment: "{{ ansible_fqdn }}"
- register: user_key
-
-- name: Check whether user certificate exists
- stat:
- path: /etc/ssh/ssh_user_ed25519_key-cert.pub
- register: cert_stat
-
-- name: Generate SSH user certificate
- command:
- cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh user hyp_user \"{{ user_key.public_key }}\" {{ ansible_fqdn }} \"hypervisor\"'"
- register: user_certificate
- delegate_to: localhost
- when: not cert_stat.stat.exists
-
-- name: Place user certificate
- copy:
- dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
- content: "{{ user_certificate.stdout }}"
- mode: 0644
- when: not cert_stat.stat.exists
-
-- name: Enable user certificate
- copy:
- src: "{{ role_path }}/files/ssh_user_certificate.conf"
- dest: /etc/ssh/ssh_config.d/user_certificate.conf
-
-- name: Add SSH host CA known host
- known_hosts:
- key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
- name: '@cert-authority *.dmz'
- path: /etc/ssh/ssh_known_hosts
-
-- name: Add SSH host CA known host
- known_hosts:
- key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
- name: '@cert-authority *.hyp'
- path: /etc/ssh/ssh_known_hosts
-
-- name: Generate host key pair
- openssh_keypair:
- path: /etc/ssh/ssh_host_ed25519_key
- type: ed25519
- comment: "{{ ansible_host }}"
- register: host_key
-
-- name: Check whether host certificate exists
- stat:
- path: /etc/ssh/ssh_host_ed25519_key-cert.pub
- register: cert_stat
-
-- name: Generate SSH host certificate
- command:
- cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
- register: host_certificate
- delegate_to: localhost
- when: not cert_stat.stat.exists
-
-- name: Place host certificate
- copy:
- dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
- content: "{{ host_certificate.stdout }}"
- mode: 0644
- when: not cert_stat.stat.exists
-
-- name: Enable host certificate
- copy:
- dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
- content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
diff --git a/ansible/sshd.conf.j2 b/ansible/sshd.conf.j2
deleted file mode 100644
index a8ea7ea..0000000
--- a/ansible/sshd.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-TrustedUserCAKeys /etc/ssh/user_ca_key.pub
-
-Match User {{ backup_share_user }}
- AuthorizedPrincipalsFile /etc/ssh/backup_principals
- ChrootDirectory /kvm/data
- ForceCommand internal-sftp
- AllowTcpForwarding no
- X11Forwarding no
-
-Match User {{ backup_control_user }}
- AuthorizedPrincipalsFile /etc/ssh/backup_principals
- ForceCommand /home/{{ backup_control_user }}/control.sh
- AllowTcpForwarding no
- X11Forwarding no