- nano
- tcpdump
openwrt_packages_extra:
+ - "-dropbear"
+ - openssh-server
- git
+ - sudo
openwrt_mixin:
# Go binaries
/usr/local/bin/door_client:
- mode: 0755
+ mode: '0755'
file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
/usr/local/bin/door_daemon:
- mode: 0755
+ mode: '0755'
file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
/usr/local/bin/update-keys:
- mode: 0755
+ mode: '0755'
file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
- /etc/dropbear/authorized_keys:
- mode: 0600
+ /usr/local/bin/authorized_keys.sh:
+ mode: '0755'
+ file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh"
+
+ /usr/local/bin/update-keys-from-stdin.sh:
+ mode: '0755'
+ file: "{{ playbook_dir }}/files/tuer/update-keys-from-stdin.sh"
+
+ /etc/ssh/sshd_config:
+ content: |-
+ Port 22000
+
+ AllowUsers root tuerctl tuergit
+ AuthenticationMethods publickey
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ X11Forwarding no
+ UsePrivilegeSeparation sandbox
+
+ Match User tuerctl
+ AuthorizedKeysFile /dev/null
+ AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh
+ AuthorizedKeysCommandUser tuergit
+
+
+ /etc/ssh/authorized_keys.d/root:
+ content: |-
+ {% for key in noc_ssh_keys %}
+ {{ key }}
+ {% endfor %}
+
+ /etc/ssh/authorized_keys.d/tuergit:
content: |-
{% for key in noc_ssh_keys %}
{{ key }}
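Review bot: The two new key files `/etc/ssh/authorized_keys.d/root` and `/etc/ssh/authorized_keys.d/tuergit` carry no `mode`, whereas the `/etc/dropbear/authorized_keys` entry they replace had `mode: 0600`; sshd's StrictModes (on by default) refuses an authorized_keys file that is group- or world-writable, and the mixin's default mode is not visible here, so add `mode: '0600'` under each of the two entries to make the permission explicit. The same ownership check applies to `AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh`: sshd runs it only if the script and every directory on its path are owned by root and not group/world-writable — `mode: '0755'` covers the file, but the owner comes from the role default, so confirm it is root. `UsePrivilegeSeparation sandbox` has been a deprecated no-op since OpenSSH 7.5 (sshd logs a warning and ignores it) and can be dropped. Since this hunk also removes dropbear from the image, consider validating the rendered config with `sshd -t` in the playbook before the swap, because a rejected sshd_config on a device reachable only over SSH is a lockout.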
dns: 192.168.33.1
dns_search: realraum.at
- dropbear:
- - name: dropbear
- options:
- PasswordAuth: off
- RootPasswordAuth: off
- Port: 22000
openwrt_mounts:
- path: /run
src: none
fstype: tmpfs
opts: nosuid,nodev,noexec,noatime
+
+ openwrt_users:
+ tuerd: {}
+ tuergit:
+ home: /home/tuergit
+ shell: /usr/bin/git-shell
+ tuerctl:
+ shell: /bin/false # TODO fixme
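Review bot: `tuerctl` gets `shell: /bin/false` here while the sshd_config in the earlier hunk lists it in `AllowUsers` and gives it a `Match` block with an `AuthorizedKeysCommand`, so any key that script returns will authenticate and the session then exits immediately — sshd starts the command through the login shell, so even a `ForceCommand` would not run with this shell. If the intent is a key-gated command endpoint, give the account a minimal real shell and bound it in the Match block instead, e.g. `shell: /bin/sh` together with a `ForceCommand` pointing at the intended client binary (or `restrict,command=...` options emitted by authorized_keys.sh), so a leaked key cannot do more than that one command; if the intent is to keep the account disabled until that is decided, dropping it from `AllowUsers` says so more clearly than `/bin/false`. `tuerd: {}` relies entirely on the role defaults for shell and home — presumably a no-login service account for door_daemon, which is worth confirming. The `# TODO fixme` should at least state which of the two options is planned.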