LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
463 Commits
12 Branches
967 KiB
Tree: a76d3c0d44
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a76d3c0d44'
${ noResults }
lilik_playbook/roles/ssh_server/README.md

76 lines
2.1 KiB
Raw Normal View History

Documentation for refactored roles And minor improvements/refactoring
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
 
  1. # Role: ssh_server

  2. 

  3. This role congigure an *OpenSSH* server configured with certifcates
  4. provided by a local *ca_manager* instance.
  5. 

  6. Root password login in disabled and *certificate authentication* is
  7. enabled for users with certificate issued by the authorized authorities,
  8. listed in the variables `user_ca_keys`.
  9. 

  10. For the role to work the local certification authority must be
  11. configured and reachable from the Ansible controller machine.
  12. 

  13. The local user must be able to automatically login as the `request` use
  14. to the *ca_manager* instance.
  15. 

  16. ## Configuration variables

  17. 

  18. | Name            | Description                                                     |
  19. |-----------------|-----------------------------------------------------------------|
  20. | `user_ca_keys`* | List of allowed CA certificate. First entry is the default one. |
  21. | `host_fqdn`     | Used for the host certificate. [`$host.dmz.$domain`]            |
  22. 

  23. 

  24. **Note: The *ca_manager* instance should be present in the inventory.
  25. 

  26. ## Minimal example

  27. 

  28. group_vars/all.yaml:
  29. 

  30. 	---
  31. 	domain: 'example.com'
  32. 	user_ca_keys:
  33. 	 - 'ssh-ed25519 ############## Production CA'
  34. 	 - 'ssh-ed25519 ############## Backup CA'
  35. 

  36. hosts:
  37. 

  38. 	vm_gateay             ansible_host=10.0.2.1   ansible_user=root
  39. 	authorities_request   ansible_host=10.0.1.8   ansible_user=request
  40. 	host1                 ansible_host=10.0.1.1   ansible_user=root
  41. 	virtual1              ansible_host=10.0.2.2   ansible_user=root    ansible_lxc_host=host1
  42. 

  43. playbook.yaml:
  44. 

  45. 	---
  46. 	# Configure SSH on a Physical Host
  47. 	- hosts: host1
  48.       roles:
  49. 	    - role: ssh_server
  50. 

  51. 	# Configure SSH on a new LXC Guest with ssh_lxc proxy
  52. 	- hosts: virtual1
  53. 	  gather_facts: false # host may not exist yet
  54. 	  tasks:
  55. 	    - import_role: name='lxc_guest'
  56. 		  vars:
  57. 		   vm_name: '{{ inventory_hostname }}'
  58. 		   vm_size: '1G'
  59. 	      delegate_to: '{{ ansible_lxc_host }}'
  60.         - set_fact: ansible_connection='ssh_lxc'
  61. 		- setup: # gather facts
  62. 		- include_role: name='ssh_server'
  63. 		# Now the guest is ssh-reachable, don't need proxy anymore.
  64. 		- set_fact: ansible_connection='ssh'
  65. 

  66. Command line:
  67. 

  68. 	ansible-playbook -i hosts playbook.yaml
  69. 

  70. 

  71. ## Requirements

  72. 

  73. On Ansible controller:
  74. 

  75. - tasks/ca-dialog.yaml
  76.