@ -1,19 +1,41 @@ | |||
--- | |||
- name: 'including configuration tasks' | |||
import_tasks: '1_configure_server.yaml' | |||
tags: | |||
- 'role::ldap' | |||
- name: 'including password renewal tasks' | |||
import_tasks: '2_renew_rootpw.yaml' | |||
tags: service_password | |||
tags: | |||
- 'install' | |||
- 'service_password' | |||
- 'role::ldap' | |||
- 'role::ldap::install' | |||
- name: 'including tree provisionig tasks' | |||
import_tasks: '3_provision_tree.yaml' | |||
when: ldap_check_tree | |||
tags: | |||
- 'install' | |||
- 'role::ldap' | |||
- 'role::ldap::install' | |||
- 'role::ldap::init_tree' | |||
- name: 'including tls tasks' | |||
import_tasks: '4_setup_tls.yaml' | |||
when: ldap_tls_enabled | |||
tags: | |||
- 'configure' | |||
- 'role::ldap' | |||
- 'role::ldap::configure' | |||
- 'pki' | |||
- 'pki::tls' | |||
- name: 'including replication tasks' | |||
import_tasks: '5_configure_replication.yaml' | |||
tags: | |||
- 'configure' | |||
- 'role::ldap' | |||
- 'role::ldap::replicaton' | |||
... |
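Review bot: The tag `'role::ldap::replicaton'` on the replication import is misspelled, so `--tags role::ldap::replication` will never select that task set; change it to `- 'role::ldap::replication'`. The task name `'including tree provisionig tasks'` carries the same kind of typo (`provisioning`). Since tags are the role's user-facing selection interface, a misspelled tag is a functional defect rather than cosmetic, and the shared `install`/`configure` plus `role::ldap::<phase>` scheme is otherwise consistent across the hunk.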
@ -0,0 +1,134 @@ | |||
--- | |||
- name: 'check | container folder exists' | |||
stat: | |||
path: '/var/lib/lxc/{{ vm_name }}' | |||
register: container_dir | |||
- name: 'check | container exists' | |||
container_exists: | |||
name: '{{ vm_name }}' | |||
register: container_exists | |||
- name: 'check | distro is supported' | |||
assert: | |||
that: distro in [ 'debian', 'alpine' ] | |||
- name: 'check | Debian | release is supported' | |||
assert: | |||
that: release in [ 'bullseye', 'sid', 'buster' ] | |||
msg: 'release {{ release }} not supported by debian template' | |||
when: distro == 'debian' | |||
- block: | |||
- name: 'create | Debian | Privileged Container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
backing_store: 'lvm' | |||
fs_size: '{{ vm_size }}' | |||
vg_name: '{{ vg_name }}' | |||
lv_name: 'vm_{{ vm_name }}' | |||
fs_type: 'xfs' | |||
container_log: true | |||
template: 'debian' | |||
template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt' | |||
state: 'stopped' | |||
# suppress messages related to file descriptors | |||
# leaking when lvm is invoked | |||
environment: | |||
LVM_SUPPRESS_FD_WARNINGS: 1 | |||
when: (not unprivileged) and distro == 'debian' | |||
- name: 'pre-create | Unprivileged Container | Subxid Script' | |||
copy: | |||
src: 'find_subxid.sh' | |||
dest: 'find_subxid.sh' | |||
when: unprivileged | |||
- name: 'pre-create | Unprivileged Container | Find Subxid' | |||
command: 'bash find_subxid.sh' | |||
register: avail_subxid | |||
when: unprivileged | |||
- name: 'pre-create | Unprivileged Container | Set Subxid' | |||
set_fact: | |||
subuidmap: '{{ avail_subxid.stdout_lines[0] }}' | |||
subgidmap: '{{ avail_subxid.stdout_lines[1] }}' | |||
when: unprivileged | |||
- name: 'pre-create | Unprivileged Container | Allocate Subxid' | |||
command: >- | |||
usermod | |||
-v {{ '{}-{}'.format(subuidmap.split(' ')[0], | |||
subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }} | |||
-w {{ '{}-{}'.format(subgidmap.split(' ')[0], | |||
subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }} | |||
root | |||
- name: 'pre-create | Unprivileged Container | Create config stub' | |||
copy: | |||
content: | | |||
lxc.idmap = u 0 {{ subuidmap }} | |||
lxc.idmap = g 0 {{ subgidmap }} | |||
dest: '/tmp/lxc_unpriv_config' | |||
when: unprivileged | |||
- name: 'create | Unprivileged Container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
backing_store: 'lvm' | |||
fs_type: 'xfs' | |||
fs_size: '{{ vm_size }}' | |||
vg_name: '{{ vg_name }}' | |||
lv_name: 'vm_{{ vm_name }}' | |||
container_log: true | |||
template: 'download' | |||
template_options: '-d {{ distro }} -r {{ release }} -a amd64' | |||
config: '/tmp/lxc_unpriv_config' | |||
state: 'stopped' | |||
when: unprivileged | |||
- name: 'post-create | LXC Container Configuration' | |||
template: | |||
src: 'config.j2' | |||
dest: '/var/lib/lxc/{{ vm_name }}/config' | |||
- block: | |||
- name: 'post-create | Alpine | Force restart' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'restarted' | |||
- name: 'post-create | Alpine | Guest Network Configuration' | |||
raw: | | |||
rm /etc/network/interfaces | |||
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
- name: 'post-create | Alpine | Force restart' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'restarted' | |||
- name: 'post-create | Alpine | Install Python' | |||
raw: | | |||
apk update | |||
apk upgrade | |||
apk add python3 | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
when: distro == 'alpine' | |||
- name: 'post-create | Debian | Guest Initial Configuration' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
container_command: | | |||
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf | |||
apt update | |||
apt install -y python3 python3-apt | |||
systemctl mask systemd-journald-audit.socket | |||
state: 'stopped' | |||
- name: 'post-create | Start container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'started' | |||
when: auto_start|bool | |||
when: not (container_exists.exists and container_dir.stat.isdir) |
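Review bot: The `'pre-create | Unprivileged Container | Allocate Subxid'` task is the only step of the unprivileged sequence without `when: unprivileged`; on a privileged build `subuidmap`/`subgidmap` are never set and the `usermod -v ... -w ... root` command fails on an undefined variable. Add `when: unprivileged` to it as its siblings have. The Debian template is invoked with `--release {{ distro }}` whereas the download template uses `-r {{ release }}` and the assert above validates `release`, so this most likely passes `debian` as the release name and should read `--release {{ release }}`. The idmap stub is written to the fixed, world-writable path `/tmp/lxc_unpriv_config` and then consumed as root by `lxc_container`; a private location (a directory under `/var/lib/lxc` or one created with the `tempfile` module and a restrictive mode) removes the shared-/tmp symlink exposure.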
@ -0,0 +1,60 @@ | |||
--- | |||
- name: 'check | container unprivileged?' | |||
command: >- | |||
grep -e '^lxc.idmap = ' /var/lib/lxc/{{ vm_name }}/config | |||
register: unpriv_status | |||
changed_when: false | |||
failed_when: unpriv_status.rc > 1 | |||
- name: 'configure | Unprivileged Container | Subxid mappings' | |||
set_fact: | |||
unprivileged: true | |||
subuidmap: '{{ unpriv_status.stdout_lines[0] | replace("lxc.idmap = u 0 ", "") }}' | |||
subgidmap: '{{ unpriv_status.stdout_lines[1] | replace("lxc.idmap = g 0 ", "") }}' | |||
when: unpriv_status.rc == 0 | |||
- name: 'configure | LXC Container Config file' | |||
template: | |||
src: 'config.j2' | |||
dest: '/var/lib/lxc/{{ vm_name }}/config' | |||
register: container_config | |||
notify: 'restart container' | |||
- name: 'configure | Container Running State' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: '{{ container_state }}' | |||
register: container_running_state | |||
- name: 'configure | Container /etc/resolv.conf' | |||
template: | |||
src: 'resolv.conf.j2' | |||
dest: '/etc/resolv.conf' | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
- name: 'configure | Container /etc/network/interfaces' | |||
copy: | |||
src: 'interfaces' | |||
dest: '/etc/network/interfaces' | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
notify: 'restart container' | |||
- name: 'configure | Debian | APT Periodic' | |||
lineinfile: | |||
path: '/etc/apt/apt.conf.d/02periodic' | |||
line: '{{ item.key }} "{{ item.value }}";' | |||
regexp: '^{{ item.key }} ' | |||
create: true | |||
loop: | |||
- { key: 'APT::Periodic::Enable', value: '1' } | |||
- { key: 'APT::Periodic::Update-Package-Lists', value: '1' } | |||
- { key: 'APT::Periodic::Verbose', value: '2' } | |||
delegate_to: '{{ vm_name }}' | |||
when: distro == 'debian' | |||
connection: 'ssh_lxc' | |||
- meta: 'flush_handlers' | |||
... |
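Review bot: The subuid/subgid extraction in `subuidmap:`/`subgidmap:` assumes `stdout_lines[0]` is the `u` mapping and `stdout_lines[1]` the `g` mapping; if the config orders them differently or carries additional `lxc.idmap` lines, `replace` leaves the prefix untouched and the wrong value is rendered into `config.j2` silently. Selecting by prefix removes the positional dependency: `subuidmap: "{{ unpriv_status.stdout_lines | select('match', '^lxc.idmap = u 0 ') | map('replace', 'lxc.idmap = u 0 ', '') | first }}"` and the `g` counterpart for `subgidmap`. Note also that `unprivileged: true` is only ever set, never cleared, so a container without idmap lines relies on the variable having a default defined elsewhere in the role — worth confirming.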
@ -0,0 +1,16 @@ | |||
--- | |||
- name: 'MONITORING | Host type: lxc_vm' | |||
set_fact: | |||
monitoring_entry: > | |||
{{ { 'address': ansible_host, | |||
'host_type': 'lxc_vm' } }} | |||
- name: 'MONITORING | Append host' | |||
set_fact: | |||
monitoring_facts: > | |||
{{ hostvars[monitoring_host]['monitoring_facts'] | |||
| default({}) | |||
| combine({host_fqdn: monitoring_entry}) }} | |||
delegate_facts: true | |||
delegate_to: '{{ monitoring_host }}' | |||
... |
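Review bot: Both `set_fact` values use the `>` folded scalar, which keeps a trailing newline on the rendered expression; `>-` (already used for the `command:` values in this role) yields exactly the templated dict and does not depend on Ansible's post-render conversion tolerating trailing whitespace. Changing `monitoring_entry: >` and `monitoring_facts: >` to `>-` is sufficient.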
@ -1,217 +1,14 @@ | |||
--- | |||
- name: 'check if container dir exists' | |||
stat: | |||
path: '/var/lib/lxc/{{ vm_name }}' | |||
register: container_dir | |||
tags: | |||
- 'lxc' | |||
- name: 'check if container exists' | |||
container_exists: | |||
name: '{{ vm_name }}' | |||
register: container_exists | |||
tags: | |||
- 'lxc' | |||
- name: 'check if release is supported' | |||
assert: | |||
that: release in [ 'bullseye', 'sid', 'buster' ] | |||
msg: 'release {{ release }} not supported by debian template' | |||
when: distro == 'debian' | |||
tags: | |||
- 'lxc' | |||
- block: | |||
- name: 'privileged | create lxc container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
backing_store: 'lvm' | |||
fs_size: '{{ vm_size }}' | |||
vg_name: '{{ vg_name }}' | |||
lv_name: 'vm_{{ vm_name }}' | |||
fs_type: 'xfs' | |||
container_log: true | |||
template: 'debian' | |||
template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt' | |||
state: 'stopped' | |||
# suppress messages related to file descriptors | |||
# leaking when lvm is invoked | |||
environment: | |||
LVM_SUPPRESS_FD_WARNINGS: 1 | |||
when: (not unprivileged) and distro == 'debian' | |||
- name: 'unprivileged | upload bash script' | |||
copy: | |||
src: 'find_subxid.sh' | |||
dest: 'find_subxid.sh' | |||
when: unprivileged | |||
- name: 'unprivileged | get free subxid mappings' | |||
command: 'bash find_subxid.sh' | |||
register: avail_subxid | |||
when: unprivileged | |||
- name: 'unprivileged | set subxid mappings' | |||
set_fact: | |||
subuidmap: '{{ avail_subxid.stdout_lines[0] }}' | |||
subgidmap: '{{ avail_subxid.stdout_lines[1] }}' | |||
when: unprivileged | |||
- name: 'unprivileged | create system subxid mappings' | |||
command: >- | |||
usermod | |||
-v {{ '{}-{}'.format(subuidmap.split(' ')[0], | |||
subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }} | |||
-w {{ '{}-{}'.format(subgidmap.split(' ')[0], | |||
subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }} | |||
root | |||
- name: 'unprivileged | create config seed' | |||
copy: | |||
content: | | |||
lxc.idmap = u 0 {{ subuidmap }} | |||
lxc.idmap = g 0 {{ subgidmap }} | |||
dest: '/tmp/lxc_unpriv_config' | |||
when: unprivileged | |||
- name: 'unprivileged | create lxc container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
backing_store: 'lvm' | |||
fs_type: 'xfs' | |||
fs_size: '{{ vm_size }}' | |||
vg_name: '{{ vg_name }}' | |||
lv_name: 'vm_{{ vm_name }}' | |||
container_log: true | |||
template: 'download' | |||
template_options: '-d {{ distro }} -r {{ release }} -a amd64' | |||
config: '/tmp/lxc_unpriv_config' | |||
state: 'stopped' | |||
when: unprivileged | |||
- name: 'deploy container config' | |||
template: | |||
src: 'config.j2' | |||
dest: '/var/lib/lxc/{{ vm_name }}/config' | |||
- block: | |||
- name: 'unprivilaged | alpine | start for tweak' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'restarted' | |||
- name: 'unprivileged | alpine | tweak' | |||
raw: | | |||
rm /etc/network/interfaces | |||
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
- name: 'unprivileged | alpine | restart' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'restarted' | |||
- name: 'unprivileged | alpine | install python' | |||
raw: | | |||
apk update | |||
apk upgrade | |||
apk add python3 | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
when: distro == 'alpine' | |||
- name: 'unprivileged | tweak config' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
container_command: | | |||
echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf | |||
apt update | |||
apt install -y python3 python3-apt | |||
systemctl mask systemd-journald-audit.socket | |||
state: 'stopped' | |||
- name: 'start container' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: 'started' | |||
when: auto_start|bool | |||
when: not (container_exists.exists and container_dir.stat.isdir) | |||
tags: | |||
- 'lxc' | |||
- name: 'read unprivileged status from config' | |||
command: >- | |||
grep -e '^lxc.idmap = ' /var/lib/lxc/{{ vm_name }}/config | |||
register: unpriv_status | |||
changed_when: false | |||
failed_when: unpriv_status.rc > 1 | |||
- name: 'set unprivileged status from config' | |||
set_fact: | |||
unprivileged: true | |||
subuidmap: '{{ unpriv_status.stdout_lines[0] | replace("lxc.idmap = u 0 ", "") }}' | |||
subgidmap: '{{ unpriv_status.stdout_lines[1] | replace("lxc.idmap = g 0 ", "") }}' | |||
when: unpriv_status.rc == 0 | |||
- name: 'update container config' | |||
template: | |||
src: 'config.j2' | |||
dest: '/var/lib/lxc/{{ vm_name }}/config' | |||
register: container_config | |||
notify: 'restart container' | |||
- name: 'set container running state' | |||
lxc_container: | |||
name: '{{ vm_name }}' | |||
state: '{{ container_state }}' | |||
register: container_running_state | |||
tags: | |||
- 'lxc' | |||
- name: 'update container resolv.conf' | |||
template: | |||
src: 'resolv.conf.j2' | |||
dest: '/etc/resolv.conf' | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
- name: 'update container net config' | |||
copy: | |||
src: 'interfaces' | |||
dest: '/etc/network/interfaces' | |||
delegate_to: '{{ vm_name }}' | |||
connection: 'ssh_lxc' | |||
notify: 'restart container' | |||
- name: 'update container apt config' | |||
lineinfile: | |||
path: '/etc/apt/apt.conf.d/02periodic' | |||
line: '{{ item.key }} "{{ item.value }}";' | |||
regexp: '^{{ item.key }} ' | |||
create: true | |||
loop: | |||
- { key: 'APT::Periodic::Enable', value: '1' } | |||
- { key: 'APT::Periodic::Update-Package-Lists', value: '1' } | |||
- { key: 'APT::Periodic::Verbose', value: '2' } | |||
delegate_to: '{{ vm_name }}' | |||
when: distro == 'debian' | |||
connection: 'ssh_lxc' | |||
- meta: 'flush_handlers' | |||
- name: 'MONITORING | add to monitored hosts' | |||
block: | |||
- name: 'MONITORING | add to monitored hosts' | |||
set_fact: | |||
monitoring_entry: > | |||
{{ { 'address': ansible_host, | |||
'host_type': 'lxc_vm' } }} | |||
- name: 'MONITORING | update monitoring facts' | |||
set_fact: | |||
monitoring_facts: > | |||
{{ hostvars[monitoring_host]['monitoring_facts'] | |||
| default({}) | |||
| combine({host_fqdn: monitoring_entry}) }} | |||
delegate_facts: true | |||
delegate_to: '{{ monitoring_host }}' | |||
tags: | |||
- 'monitoring' | |||
- import_tasks: '01-create.yaml' | |||
tags: | |||
- 'vm::create' | |||
- import_tasks: '02-configure.yaml' | |||
tags: | |||
- 'vm::configure' | |||
- import_tasks: '03-monitoring.yaml' | |||
tags: | |||
- 'monitoring' | |||
tags: | |||
- 'role::lxc_guest' | |||
... |
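Review bot: The tags on the new imports (`'vm::create'`, `'vm::configure'`) do not follow the `role::<role>::<phase>` plus bare `install`/`configure` convention this same commit introduces for the ldap and ssh_server roles (`'role::ldap::install'`, `'role::ssh_server::configure'`), so a cross-role `--tags configure` run skips this role. Consider `- 'configure'` and `- 'role::lxc_guest::configure'` on the `02-configure.yaml` import and the matching `install`/`role::lxc_guest::create` pair on the create import. Whether `'vm::*'` is a deliberate separate namespace is not visible here.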
@ -0,0 +1,82 @@ | |||
--- | |||
- import_role: name='service' | |||
vars: | |||
service_name: 'ssh' | |||
service_packages: | |||
- 'openssh-server' | |||
- 'openssh-sftp-server' | |||
tags: | |||
- 'ssh' | |||
- name: 'upload user and server ca' | |||
copy: | |||
content: | | |||
{% for ca in item.1 %} | |||
{{ ca }} | |||
{% endfor %} | |||
dest: '/etc/ssh/{{ item.0 }}_ca.pub' | |||
vars: | |||
cas: '{{ item.1 }}' | |||
notify: 'restart ssh' | |||
loop: | |||
- [ 'user', '{{ ssh_user_ca }}' ] | |||
- [ 'server', '{{ ssh_server_ca }}' ] | |||
tags: | |||
- 'ssh' | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'generate and sign host certificate' | |||
import_role: name='ca_cert' | |||
vars: | |||
ca_cert_common_name: '{{ host_fqdn }}' | |||
ca_cert_proto: 'ssh' | |||
ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub' | |||
ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key' | |||
tags: | |||
- 'ssh' | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'add host certificate to sshd config' | |||
lineinfile: | |||
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^HostCertificate *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'ssh' | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'add user ca to sshd config' | |||
lineinfile: | |||
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^TrustedUserCAKeys *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'ssh' | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'permit root login only with certificate' | |||
lineinfile: | |||
line: 'PermitRootLogin without-password' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^PermitRootLogin *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'ssh' | |||
- meta: 'flush_handlers' | |||
- name: 'waiting for ssh on {{ inventory_hostname }} to start' | |||
wait_for: | |||
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}' | |||
port: 22 | |||
timeout: 30 | |||
delegate_to: 'localhost' | |||
delegate_facts: true | |||
tags: | |||
- 'ssh' |
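Review bot: The three `lineinfile` edits of `/etc/ssh/sshd_config` (`HostCertificate`, `TrustedUserCAKeys`, `PermitRootLogin`) are followed by `notify: 'restart ssh'` without a syntax check, so a bad line takes sshd down on the restart and the `wait_for` at the end only reports it afterwards; add `validate: '/usr/sbin/sshd -t -f %s'` to each of them (the same tasks recur in the next file section). The task named `'permit root login only with certificate'` sets `PermitRootLogin without-password`, which permits any public-key login for root, not only certificate-based ones, and is the legacy spelling of `prohibit-password` — rename the task or add a comment stating that authorized_keys entries for root remain valid. `vars: cas: '{{ item.1 }}'` is defined but the content template reads `item.1` directly, so it can be dropped. Lastly, `import_role: name='service'` and `name='ca_cert'` use the free-form key=value style; `import_role:` with a nested `name: 'service'` is the native form.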
@ -0,0 +1,66 @@ | |||
--- | |||
- name: 'upload user and server ca' | |||
copy: | |||
content: | | |||
{% for ca in item.1 %} | |||
{{ ca }} | |||
{% endfor %} | |||
dest: '/etc/ssh/{{ item.0 }}_ca.pub' | |||
vars: | |||
cas: '{{ item.1 }}' | |||
notify: 'restart ssh' | |||
loop: | |||
- [ 'user', '{{ ssh_user_ca }}' ] | |||
- [ 'server', '{{ ssh_server_ca }}' ] | |||
tags: | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'generate and sign host certificate' | |||
import_role: name='ca_cert' | |||
vars: | |||
ca_cert_common_name: '{{ host_fqdn }}' | |||
ca_cert_proto: 'ssh' | |||
ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub' | |||
ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key' | |||
tags: | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'add host certificate to sshd config' | |||
lineinfile: | |||
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^HostCertificate *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'add user ca to sshd config' | |||
lineinfile: | |||
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^TrustedUserCAKeys *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'pki' | |||
- 'pki::ssh' | |||
- name: 'permit root login only with certificate' | |||
lineinfile: | |||
line: 'PermitRootLogin without-password' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^PermitRootLogin *' | |||
notify: 'restart ssh' | |||
- meta: 'flush_handlers' | |||
- name: 'waiting for ssh on {{ inventory_hostname }} to start' | |||
wait_for: | |||
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}' | |||
port: 22 | |||
timeout: 30 | |||
delegate_to: 'localhost' | |||
delegate_facts: true | |||
... |
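Review bot: This file repeats the CA upload, host-certificate, `sshd_config` and `wait_for` tasks that the previous new file (the one beginning with the `service` role import) already carries, and the role's main.yaml imports both `01-install.yaml` and `02-configure.yaml`; if those are these two files, the certificate tasks run twice per play, the second pass re-triggering `restart ssh` through `notify`. Only the tag lists differ (`'ssh'` is absent here), which suggests one copy is the intended one. Which path each hunk belongs to is not visible on this page.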
@ -1,68 +1,16 @@ | |||
--- | |||
- import_role: name='service' | |||
vars: | |||
service_name: 'ssh' | |||
service_packages: | |||
- 'openssh-server' | |||
- 'openssh-sftp-server' | |||
- name: 'upload user and server ca' | |||
copy: | |||
content: | | |||
{% for ca in item.1 %} | |||
{{ ca }} | |||
{% endfor %} | |||
dest: '/etc/ssh/{{ item.0 }}_ca.pub' | |||
vars: | |||
cas: '{{ item.1 }}' | |||
notify: 'restart ssh' | |||
loop: | |||
- [ 'user', '{{ ssh_user_ca }}' ] | |||
- [ 'server', '{{ ssh_server_ca }}' ] | |||
- block: | |||
- import_tasks: '01-install.yaml' | |||
tags: | |||
- 'install' | |||
- 'role::ssh_server::install' | |||
- import_tasks: '02-configure.yaml' | |||
tags: | |||
- 'configure' | |||
- 'role::ssh_server::configure' | |||
#- import_tasks: '03-monitoring.yaml' | |||
# tags: | |||
# - 'monitoring' | |||
tags: | |||
- 'ssh_certs' | |||
- name: 'generate and sign host certificate' | |||
import_role: name='ca_cert' | |||
vars: | |||
ca_cert_common_name: '{{ host_fqdn }}' | |||
ca_cert_proto: 'ssh' | |||
ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub' | |||
ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key' | |||
tags: | |||
- 'ssh_certs' | |||
- name: 'add host certificate to sshd config' | |||
lineinfile: | |||
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^HostCertificate *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'ssh_certs' | |||
- name: 'add user ca to sshd config' | |||
lineinfile: | |||
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^TrustedUserCAKeys *' | |||
notify: 'restart ssh' | |||
tags: | |||
- 'ssh_certs' | |||
- name: 'permit root login only with certificate' | |||
lineinfile: | |||
line: 'PermitRootLogin without-password' | |||
dest: '/etc/ssh/sshd_config' | |||
regexp: '^PermitRootLogin *' | |||
notify: 'restart ssh' | |||
- meta: 'flush_handlers' | |||
- name: 'waiting for ssh on {{ inventory_hostname }} to start' | |||
wait_for: | |||
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}' | |||
port: 22 | |||
timeout: 30 | |||
delegate_to: 'localhost' | |||
delegate_facts: true | |||
- 'role::ssh_server' | |||
... |
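Review bot: The commented-out `03-monitoring.yaml` import inside the new block (`#- import_tasks: ...`) leaves dead configuration in the task list; either add the file (the lxc_guest role in this same commit has one) or replace the three commented lines with a single `# TODO: monitoring tasks not yet written` so the intent is explicit. The block's `tags:` and the trailing `- 'role::ssh_server'` are separated by removed lines in this view, so their final shape is inferred.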