home/hypervisors
Archived
2
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Wiki Activity

extract roles

Browse source
This commit is contained in:
Pim Kunis 2023-04-26 19:29:58 +02:00
parent c2521842a0
commit ee31ade8e2
7 changed files with 20 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ansible/atlas.yml
View file

@ -26,5 +26,6 @@
- {role: postgresql, tags: postgresql} - {role: postgresql, tags: postgresql}
- {role: wireguard, tags: wireguard} - {role: wireguard, tags: wireguard}
- {role: ssh_ca, tags: ssh_ca} - {role: ssh_ca, tags: ssh_ca}
- {role: ssh, tags: ssh} - {role: ssh_ca_known_hosts, tags: ssh_ca_known_hosts}
- {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
- {role: borg, tags: borg} - {role: borg, tags: borg}

15
ansible/backup_control.sh
View file

@ -1,15 +0,0 @@
VIRSH="virsh --connect qemu:///system"
read -p "" option
case "$option" in
up)
for i in $($VIRSH list --all --name --autostart); do $VIRSH start "$i"; done
;;
down)
for i in $($VIRSH list --state-running --name --autostart); do
$VIRSH shutdown "$i"
until $VIRSH domstate "$i" | grep shut; do
sleep 0.5
done
done
;;
esac

12
ansible/inventory/host_vars/atlas/ssh_certificates.yml Normal file
View file

@ -0,0 +1,12 @@
deploy_ssh_certificates:
- name: ssh_user_ed25519_key
type: user
key_type: ed25519
signing_key: hyp_user
host: atlas.hyp
principals: hypervisor
- name: ssh_host_ed25519_key
type: host
key_type: ed25519
signing_key: hyp_host
host: atlas.hyp

6
ansible/requirements.yml
View file

@ -4,5 +4,11 @@
- name: ssh_ca - name: ssh_ca
src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
scm: git scm: git
- name: deploy_ssh_certificates
src: https://git.pim.kunis.nl/home/ansible-role-deploy-ssh-certificates
scm: git
- name: ssh_ca_known_hosts
src: https://git.pim.kunis.nl/home/ansible-role-ssh-ca-known-hosts
scm: git
- name: wireguard - name: wireguard
src: githubixx.ansible_role_wireguard src: githubixx.ansible_role_wireguard

2
ansible/roles/ssh/files/ssh_user_certificate.conf
View file

@ -1,2 +0,0 @@
CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
IdentityFile /etc/ssh/ssh_user_ed25519_key

73
ansible/roles/ssh/tasks/main.yml
View file

@ -1,73 +0,0 @@
- name: Generate user key pair
openssh_keypair:
path: /etc/ssh/ssh_user_ed25519_key
type: ed25519
comment: "{{ ansible_fqdn }}"
register: user_key
- name: Check whether user certificate exists
stat:
path: /etc/ssh/ssh_user_ed25519_key-cert.pub
register: cert_stat
- name: Generate SSH user certificate
command:
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh user hyp_user \"{{ user_key.public_key }}\" {{ ansible_fqdn }} \"hypervisor\"'"
register: user_certificate
delegate_to: localhost
when: not cert_stat.stat.exists
- name: Place user certificate
copy:
dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
content: "{{ user_certificate.stdout }}"
mode: 0644
when: not cert_stat.stat.exists
- name: Enable user certificate
copy:
src: "{{ role_path }}/files/ssh_user_certificate.conf"
dest: /etc/ssh/ssh_config.d/user_certificate.conf
- name: Add SSH host CA known host
known_hosts:
key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
name: '@cert-authority *.dmz'
path: /etc/ssh/ssh_known_hosts
- name: Add SSH host CA known host
known_hosts:
key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
name: '@cert-authority *.hyp'
path: /etc/ssh/ssh_known_hosts
- name: Generate host key pair
openssh_keypair:
path: /etc/ssh/ssh_host_ed25519_key
type: ed25519
comment: "{{ ansible_host }}"
register: host_key
- name: Check whether host certificate exists
stat:
path: /etc/ssh/ssh_host_ed25519_key-cert.pub
register: cert_stat
- name: Generate SSH host certificate
command:
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
register: host_certificate
delegate_to: localhost
when: not cert_stat.stat.exists
- name: Place host certificate
copy:
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
content: "{{ host_certificate.stdout }}"
mode: 0644
when: not cert_stat.stat.exists
- name: Enable host certificate
copy:
dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"

14
ansible/sshd.conf.j2
View file

@ -1,14 +0,0 @@
TrustedUserCAKeys /etc/ssh/user_ca_key.pub
Match User {{ backup_share_user }}
AuthorizedPrincipalsFile /etc/ssh/backup_principals
ChrootDirectory /kvm/data
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Match User {{ backup_control_user }}
AuthorizedPrincipalsFile /etc/ssh/backup_principals
ForceCommand /home/{{ backup_control_user }}/control.sh
AllowTcpForwarding no
X11Forwarding no