Zolfa c03b9af325 | 5 years ago | |
---|---|---|
.. | ||
defaults | 5 years ago | |
files | 6 years ago | |
handlers | 5 years ago | |
tasks | 5 years ago | |
README.md | 5 years ago |
This role congigure an OpenSSH server configured with certifcates provided by a local ca_manager instance.
Root password login in disabled and certificate authentication is
enabled for users with certificate issued by the authorized authorities,
listed in the variables user_ca_keys
.
For the role to work the local certification authority must be configured and reachable from the Ansible controller machine.
The local user must be able to automatically login as the request
use
to the ca_manager instance.
Name | Description |
---|---|
user_ca_keys * |
List of allowed CA certificate. First entry is the default one. |
host_fqdn |
Used for the host certificate. [$host.dmz.$domain ] |
**Note: The ca_manager instance should be present in the inventory.
group_vars/all.yaml:
---
domain: 'example.com'
user_ca_keys:
- 'ssh-ed25519 ############## Production CA'
- 'ssh-ed25519 ############## Backup CA'
hosts:
vm_gateay ansible_host=10.0.2.1 ansible_user=root
authorities_request ansible_host=10.0.1.8 ansible_user=request
host1 ansible_host=10.0.1.1 ansible_user=root
virtual1 ansible_host=10.0.2.2 ansible_user=root ansible_lxc_host=host1
playbook.yaml:
---
# Configure SSH on a Physical Host
- hosts: host1
roles:
- role: ssh_server
# Configure SSH on a new LXC Guest with ssh_lxc proxy
- hosts: virtual1
gather_facts: false # host may not exist yet
tasks:
- import_role: name='lxc_guest'
vars:
vm_name: '{{ inventory_hostname }}'
vm_size: '1G'
delegate_to: '{{ ansible_lxc_host }}'
- set_fact: ansible_connection='ssh_lxc'
- setup: # gather facts
- include_role: name='ssh_server'
# Now the guest is ssh-reachable, don't need proxy anymore.
- set_fact: ansible_connection='ssh'
Command line:
ansible-playbook -i hosts playbook.yaml
On Ansible controller: