Playbooks to a new Lilik
# Role: ssh_server

This role configures an *OpenSSH* server with certificates provided by a
local *ca_manager* instance.

Root password login is disabled and *certificate authentication* is enabled
for users holding a certificate issued by one of the authorized authorities
listed in the variable `user_ca_keys`.

For the role to work, the local certification authority must be configured
and reachable from the Ansible controller machine. The local user must be
able to log in automatically as the `request` user on the *ca_manager*
instance.
## Configuration variables

| Name | Description |
|-----------------|-----------------------------------------------------------------|
| `user_ca_keys`* | List of allowed CA certificates. First entry is the default one. |
| `server_fqdn` | Used for the host certificate. [`$host.$domain`] |

**Note:** the *ca_manager* instance should be present in the inventory.
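As an added example (not part of this role or repository), a small Python check that an audit run from the controller could apply to a host's rendered `sshd_config` and `TrustedUserCAKeys` file to confirm what the role promises: root password login disabled and only the authorities from `user_ca_keys` trusted. The `sshd_config` text and the CA key lines are constructed samples with placeholder key bytes, and the path `/etc/ssh/user_ca_keys` is an assumption.

```python
import base64
# Constructed sample of the sshd_config the role is expected to render on a host.
SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/user_ca_keys
Match User backup
    PasswordAuthentication yes
"""

def constructed_ca_line(filler, comment):
    # Well-formed ssh-ed25519 line with a placeholder 32-byte key: constructed, NOT a real CA.
    blob = (11).to_bytes(4, 'big') + b'ssh-ed25519' + (32).to_bytes(4, 'big') + bytes([filler]) * 32
    return 'ssh-ed25519 %s %s' % (base64.b64encode(blob).decode(), comment)

USER_CA_KEYS = [constructed_ca_line(1, 'Production CA'), constructed_ca_line(2, 'Backup CA')]

def parse_sshd_config(text):
    # sshd keeps the FIRST value of a repeated directive; lines after the first Match are conditional.
    conf = {}
    for parts in (ln.split('#', 1)[0].split(None, 1) for ln in text.splitlines()):
        if parts and parts[0].lower() == 'match':
            break
        if parts:
            conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else '')
    return conf

def parse_ca_key(line):
    # (type, blob) for 'type base64 [comment]'; None if malformed or the blob's own type differs.
    parts = line.split(None, 2)
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (IndexError, ValueError):
        return None
    n = int.from_bytes(blob[:4], 'big')
    return (parts[0], blob) if blob[4:4 + n] == parts[0].encode() else None

def check_ssh_server(sshd_config, ca_file, user_ca_keys):
    # Findings (empty list = OK); an absent directive counts as its weakest setting.
    conf, findings = parse_sshd_config(sshd_config), []
    if (conf.get('permitrootlogin', 'yes') not in ('no', 'prohibit-password', 'without-password')
            and conf.get('passwordauthentication', 'yes') != 'no'):
        findings.append('root password login is not disabled')
    if 'trustedusercakeys' not in conf:
        findings.append('TrustedUserCAKeys is not set: certificate authentication is off')
    allowed = {parse_ca_key(k) for k in user_ca_keys} - {None}
    for line in (ln for ln in ca_file.splitlines() if ln.strip() and not ln.startswith('#')):
        if parse_ca_key(line) not in allowed:
            findings.append('CA line malformed or not in user_ca_keys: %s' % line.split(None, 2)[-1][:40])
    return findings
```

The `Match` handling matters in practice: a conditional block that re-enables `PasswordAuthentication` for one user does not weaken the global setting, but a second global `PasswordAuthentication yes` placed *before* the role's line would win, which is why the parser keeps the first value.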
## Minimal example

`group_vars/all.yaml`:

```yaml
---
domain: 'example.com'
user_ca_keys:
  - 'ssh-ed25519 ############## Production CA'
  - 'ssh-ed25519 ############## Backup CA'
```

`hosts`:

```ini
vm_gateway ansible_host=10.0.2.1 ansible_user=root
authorities_request ansible_host=10.0.1.8 ansible_user=request
host1 ansible_host=10.0.1.1 ansible_user=root
virtual1 ansible_host=10.0.2.2 ansible_user=root ansible_lxc_host=host1
```

`playbook.yaml`:

```yaml
---
# Configure SSH on a Physical Host
- hosts: host1
  roles:
    - role: ssh_server

# Configure SSH on a new LXC Guest with ssh_lxc proxy
- hosts: virtual1
  gather_facts: false # host may not exist yet
  tasks:
    - import_role: name='lxc_guest'
      vars:
        vm_name: '{{ inventory_hostname }}'
        vm_size: '1G'
      delegate_to: '{{ ansible_lxc_host }}'
    - set_fact: ansible_connection='ssh_lxc'
    - setup: # gather facts
    - include_role: name='ssh_server'
    # Now the guest is ssh-reachable, don't need proxy anymore.
    - set_fact: ansible_connection='ssh'
```

Command line:

```sh
ansible-playbook -i hosts playbook.yaml
```
## Requirements

On the Ansible controller:

- tasks/ca-dialog.yaml