extract roles
This commit is contained in:
parent
c2521842a0
commit
ee31ade8e2
7 changed files with 20 additions and 105 deletions
|
|
@ -26,5 +26,6 @@
|
|||
- {role: postgresql, tags: postgresql}
|
||||
- {role: wireguard, tags: wireguard}
|
||||
- {role: ssh_ca, tags: ssh_ca}
|
||||
- {role: ssh, tags: ssh}
|
||||
- {role: ssh_ca_known_hosts, tags: ssh_ca_known_hosts}
|
||||
- {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
|
||||
- {role: borg, tags: borg}
|
||||
|
|
|
|||
|
|
@ -1,15 +0,0 @@
|
|||
VIRSH="virsh --connect qemu:///system"
|
||||
read -p "" option
|
||||
case "$option" in
|
||||
up)
|
||||
for i in $($VIRSH list --all --name --autostart); do $VIRSH start "$i"; done
|
||||
;;
|
||||
down)
|
||||
for i in $($VIRSH list --state-running --name --autostart); do
|
||||
$VIRSH shutdown "$i"
|
||||
until $VIRSH domstate "$i" | grep shut; do
|
||||
sleep 0.5
|
||||
done
|
||||
done
|
||||
;;
|
||||
esac
|
||||
12
ansible/inventory/host_vars/atlas/ssh_certificates.yml
Normal file
12
ansible/inventory/host_vars/atlas/ssh_certificates.yml
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
deploy_ssh_certificates:
|
||||
- name: ssh_user_ed25519_key
|
||||
type: user
|
||||
key_type: ed25519
|
||||
signing_key: hyp_user
|
||||
host: atlas.hyp
|
||||
principals: hypervisor
|
||||
- name: ssh_host_ed25519_key
|
||||
type: host
|
||||
key_type: ed25519
|
||||
signing_key: hyp_host
|
||||
host: atlas.hyp
|
||||
|
|
@ -4,5 +4,11 @@
|
|||
- name: ssh_ca
|
||||
src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
|
||||
scm: git
|
||||
- name: deploy_ssh_certificates
|
||||
src: https://git.pim.kunis.nl/home/ansible-role-deploy-ssh-certificates
|
||||
scm: git
|
||||
- name: ssh_ca_known_hosts
|
||||
src: https://git.pim.kunis.nl/home/ansible-role-ssh-ca-known-hosts
|
||||
scm: git
|
||||
- name: wireguard
|
||||
src: githubixx.ansible_role_wireguard
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
|
||||
IdentityFile /etc/ssh/ssh_user_ed25519_key
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
- name: Generate user key pair
|
||||
openssh_keypair:
|
||||
path: /etc/ssh/ssh_user_ed25519_key
|
||||
type: ed25519
|
||||
comment: "{{ ansible_fqdn }}"
|
||||
register: user_key
|
||||
|
||||
- name: Check whether user certificate exists
|
||||
stat:
|
||||
path: /etc/ssh/ssh_user_ed25519_key-cert.pub
|
||||
register: cert_stat
|
||||
|
||||
- name: Generate SSH user certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh user hyp_user \"{{ user_key.public_key }}\" {{ ansible_fqdn }} \"hypervisor\"'"
|
||||
register: user_certificate
|
||||
delegate_to: localhost
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Place user certificate
|
||||
copy:
|
||||
dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
|
||||
content: "{{ user_certificate.stdout }}"
|
||||
mode: 0644
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Enable user certificate
|
||||
copy:
|
||||
src: "{{ role_path }}/files/ssh_user_certificate.conf"
|
||||
dest: /etc/ssh/ssh_config.d/user_certificate.conf
|
||||
|
||||
- name: Add SSH host CA known host
|
||||
known_hosts:
|
||||
key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
|
||||
name: '@cert-authority *.dmz'
|
||||
path: /etc/ssh/ssh_known_hosts
|
||||
|
||||
- name: Add SSH host CA known host
|
||||
known_hosts:
|
||||
key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
|
||||
name: '@cert-authority *.hyp'
|
||||
path: /etc/ssh/ssh_known_hosts
|
||||
|
||||
- name: Generate host key pair
|
||||
openssh_keypair:
|
||||
path: /etc/ssh/ssh_host_ed25519_key
|
||||
type: ed25519
|
||||
comment: "{{ ansible_host }}"
|
||||
register: host_key
|
||||
|
||||
- name: Check whether host certificate exists
|
||||
stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
register: cert_stat
|
||||
|
||||
- name: Generate SSH host certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
|
||||
register: host_certificate
|
||||
delegate_to: localhost
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Place host certificate
|
||||
copy:
|
||||
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
content: "{{ host_certificate.stdout }}"
|
||||
mode: 0644
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Enable host certificate
|
||||
copy:
|
||||
dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
|
||||
content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
TrustedUserCAKeys /etc/ssh/user_ca_key.pub
|
||||
|
||||
Match User {{ backup_share_user }}
|
||||
AuthorizedPrincipalsFile /etc/ssh/backup_principals
|
||||
ChrootDirectory /kvm/data
|
||||
ForceCommand internal-sftp
|
||||
AllowTcpForwarding no
|
||||
X11Forwarding no
|
||||
|
||||
Match User {{ backup_control_user }}
|
||||
AuthorizedPrincipalsFile /etc/ssh/backup_principals
|
||||
ForceCommand /home/{{ backup_control_user }}/control.sh
|
||||
AllowTcpForwarding no
|
||||
X11Forwarding no
|
||||
Reference in a new issue