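---
# Prepare the data server as a borg backup target and enrol it in the SSH CA:
# accept user certificates from the hyp CA, and obtain a host certificate
# signed by the CA host (atlas.hyp).
- name: Setup homeserver
  hosts: dataserver

  # Ansible runs roles before `tasks:` no matter where the key is written;
  # listed first so the file reads in execution order.
  roles:
    - apt

  handlers:
    # sshd only re-reads sshd_config.d/ and its host certificate on restart.
    - name: restart sshd
      systemd:
        name: sshd
        state: restarted

  tasks:
    # --- User certificate authentication ----------------------------------
    - name: Copy backup user principals file
      copy:
        dest: /etc/ssh/backup_principals
        content: hypervisor

    - name: Copy hyp user SSH CA public key
      copy:
        dest: /etc/ssh/hyp_user.pub
        content: "{{ hyp_user_ca_public_key }}"

    - name: Copy user certificate sshd config
      copy:
        src: "sshd_user_certificates.conf"
        dest: /etc/ssh/sshd_config.d/user_certificates.conf
      notify: restart sshd

    # --- Backup disk --------------------------------------------------------
    # The mount point must exist and the disk must actually be mounted before
    # the backup directory and repositories are created; otherwise they are
    # written to the root filesystem and hidden once the disk is mounted.
    - name: Create extra disk mount point
      file:
        path: "{{ kingston1tb_mount_point }}"
        state: directory

    - name: Mount extra disk
      ansible.posix.mount:
        path: "{{ kingston1tb_mount_point }}"
        src: "UUID={{ kingston1tb_uuid }}"
        fstype: ext4
        # fsck order. NOTE(review): 1 is conventionally the root filesystem,
        # 2 for additional disks — confirm this is intended.
        passno: 1
        # `present` only writes fstab; `mounted` also mounts the disk now.
        state: mounted

    - name: Ensure backup directory exists
      file:
        path: "{{ kingston1tb_mount_point }}/hosts"
        state: directory

    # `-e none`: repositories are stored unencrypted; confidentiality of the
    # backups depends entirely on access control to this disk.
    # `creates` keeps the task idempotent (borg refuses to re-init anyway).
    - name: Create backup repositories
      command:
        cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"
        creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"
      loop: "{{ backup_hosts }}"

    # --- Host certificate ---------------------------------------------------
    - name: Generate host key pair
      openssh_keypair:
        path: /etc/ssh/ssh_host_ed25519_key
        type: ed25519
        comment: "{{ ansible_host }}"
      register: host_key

    - name: Check whether host certificate exists
      stat:
        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
      register: cert_stat

    # Signing runs on the CA host from the controller. The public key and the
    # hostname come from the managed host and are interpolated into a command
    # line that the CA host's shell parses, so each argument is shell-quoted
    # and the whole remote command is quoted once more so ssh passes it as a
    # single argument. A (re)generated key needs a fresh certificate even when
    # an old certificate file is still present.
    - name: Generate SSH host certificate
      command:
        cmd: >-
          ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp
          {{ ('/root/ssh_ca/ssh_ca.sh host hyp_host ' ~ (host_key.public_key | quote) ~ ' ' ~ (ansible_host | quote)) | quote }}
      register: host_certificate
      delegate_to: localhost
      when: not cert_stat.stat.exists or host_key.changed

    - name: Place host certificate
      copy:
        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
        content: "{{ host_certificate.stdout }}"
        mode: "0644"
      when: not cert_stat.stat.exists or host_key.changed
      notify: restart sshd

    - name: Enable host certificate
      copy:
        dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
        content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
      notify: restart sshd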