[defaults]
inventory = ./hosts
-remote_user = root
log_path = ./log
nocows=1
vault_password_file = ./gpg/get-vault-pass.sh
gathering = smart
var_compression_level = 9
+timeout=30
+
[ssh_connection]
pipelining = True
-ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
--- /dev/null
+sshd_allowusers_host:
+ - luto
+ - robelix
+ - tomk32
+
--- /dev/null
+sshd_allowusers_set:
+ - f0rki
+ - verr
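Review bot: `sshd_allowusers_set` here carries a list of user names, but the sshd role in this same commit reads that variable only as a presence flag (`when: sshd_allowusers_set is defined ...`) and builds the AllowUsers list from `sshd_allowusers_group` and `sshd_allowusers_host`, so f0rki and verr never reach AllowUsers. This looks like it should be `sshd_allowusers_host:` as in the sibling host_vars files, with `sshd_allowusers_set: true` alongside it if the AllowUsers path is intended. As written, unless `sshd_allowusers_group` (not in this diff) supplies them, the host would end up with `AllowUsers root` and both users locked out of ssh.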
--- /dev/null
+sshd_allowusers_host:
+ - www
+ - www-data
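Review bot: `www-data` (and likely `www`) in `sshd_allowusers_host` is normally a nologin service account, so listing it in AllowUsers only has effect if it has been given a shell and keys; on a host that also sets `sshd_allowgroup`, the role's `user:` task would add it to the ssh group and create `www` if it does not exist. If this is for deploy access, a dedicated login user with its own key is the safer shape; otherwise the service accounts can be dropped from the list. A one-line comment above the list stating why these accounts need ssh would help the next reader.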
--- /dev/null
+sshd_allowgroup: ssh
+[all:vars]
+host_domain=realraum.at
+ansible_host={{ inventory_hostname }}.{{ host_domain }}
+ansible_user=root
+
[baremetalservers]
-alfred
+alfred.mgmt
[kvmhosts]
-alfred
+alfred.mgmt
[virtualservers]
athsdisc
-calendar
+calendar.mgmt
ctf
entrance
-galley
-hacksch
-r3home
-tickets
-tools
+galley.mgmt
+hacksch.mgmt
+metrics.mgmt
+r3home.mgmt
+tickets.mgmt
+vex
[servers:children]
baremetalservers
wuerfel
-[alix]
-gw
-torwaechter
+#[alix]
+#gw
+#torwaechter.mgmt
-[apu]
-gnocchi1
-gnocchi2
+#[apu]
+#gnocchi1
+#gnocchi2
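Review bot: `[all:vars]` sets `ansible_host` and `ansible_user` but no `ansible_port`, while the same commit drops `-F ssh/config` from `ssh_args` and deletes that file, which pinned `Port 22000` for most of these hosts (`2342` for vex) together with `IdentitiesOnly yes`, `PasswordAuthentication no` and an explicit Ciphers/Macs list; unless every operator's own `~/.ssh/config` carries equivalent entries, connections now go to port 22 with default client settings. If the hosts still listen on 22000, add `ansible_port=22000` here with per-host overrides for vex and the port-22 hosts, and consider carrying the hardening options in `ssh_args` so they do not depend on per-user config. The `#[alix]` / `#[apu]` entries would read better with a comment saying why they are disabled rather than being left as commented-out archaeology.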
--- /dev/null
+# Set XDG_RUNTIME_DIR correctly
+if [ "$UID" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then
+ export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
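Review bot: `$UID` on the `if` line is a bash/zsh variable that POSIX sh does not set, and `/etc/profile.d/*.sh` is sourced by sh-compatible login shells (dash on Debian), where the test becomes `[ "" -ne 0 ]`, prints an error on every login and short-circuits the `&&`, so the variable is never exported there; `if [ "$(id -u)" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then` works in all of them. The zprofile added in this commit sources `/etc/profile` under `emulate sh`, so zsh users may not notice, but plain sh/bash logins will. It would also be worth guarding on `[ -d "/run/user/$(id -u)" ]`, since pam_systemd only creates that directory for sessions it handles.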
--- /dev/null
+# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
+#
+# This file is sourced only for login shells (i.e. shells
+# invoked with "-" as the first character of argv[0], and
+# shells invoked with the -l flag.)
+#
+# Global Order: zshenv, zprofile, zshrc, zlogin
+umask 077
+emulate sh -c 'source /etc/profile'
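Review bot: `umask 077` runs before `/etc/profile` is sourced on the following line, so if `/etc/profile` (not in this diff) sets its own umask, the 077 is overridden for zsh login shells; if 077 is meant to be the effective default, move it after the `emulate sh -c 'source /etc/profile'` line. Since 077 is stricter than the usual 022 and affects every file created in login shells, a header comment stating that this is intentional (and that shared directories need explicit modes) would save the next reader a surprise.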
---
+- set_fact:
+ sshd_allowusers: >-
+ {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+ | union(sshd_allowusers_host | default([])) }}
+
- name: only allow pubkey auth for root
lineinfile:
dest: /etc/ssh/sshd_config
line: "PermitRootLogin without-password"
notify: restart ssh
-- name: limit allowed users (1/2)
+- name: limit allowed users (1/3)
lineinfile:
dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
- when: "{{ sshd_allowusers_set | default(true) }}"
+ regexp: "^#?AllowUsers"
+ line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+ when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
notify: restart ssh
-- name: limit allowed users (2/2)
+- block:
+ - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ state: absent
+
+ - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?AllowGroups"
+ line: AllowGroups {{ sshd_allowgroup }}
+
+ - name: "limit allowed users (2/3): Add allowed users to ssh group"
+ user:
+ name: "{{ item }}"
+ groups: "{{ sshd_allowgroup }}"
+ append: True
+ with_items: "{{ sshd_allowusers }}"
+
+ when: sshd_allowgroup is defined
+
+- name: limit allowed users (3/3)
lineinfile:
dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers"
+ regexp: "^Allow(Users|Groups)"
state: absent
- when: "not {{ sshd_allowusers_set | default(true) }}"
+ when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
notify: restart ssh
- name: Set authorized keys for root user
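Review bot: The new condition on task 1/3, `when: sshd_allowusers_set is defined and sshd_allowgroup is not defined`, silently loosens the default: the removed `sshd_allowusers_set | default(true)` enforced AllowUsers unless a host opted out, whereas now a host that defines neither variable falls through to task 3/3, which strips any Allow(Users|Groups) line and leaves logins unrestricted, and because the test is on presence rather than value, `sshd_allowusers_set: false` would also enforce. Keeping the boolean meaning, `when: (sshd_allowusers_set | default(true) | bool) and sshd_allowgroup is not defined` (with the matching negation on 3/3) preserves the old default while still allowing the group path. Inside the new block, neither lineinfile task carries `notify: restart ssh`, unlike the three sibling tasks, so the AllowGroups change is written to sshd_config but not applied until something else restarts sshd. The `user:` task in that block will also create any name in `sshd_allowusers` that does not yet exist, since the module's default state is present; if the list is meant to hold only existing accounts, guard that step. The tasks file continues past this hunk, so the authorized-keys task that follows is not reviewed here.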
- debian-goodies
- lsof
- haveged
+ - net-tools
- ntp
- screen
- aptitude
- ca-certificates
- file
- zsh
+ - python-apt
+
+- block:
+ - name: install systemd specific packages
+ apt: name={{ item }} state=present
+ with_items:
+ - dbus
+ - libpam-systemd
+
+ - name: set systemd-related environment variables
+ copy: src=xdg_runtime_dir.sh dest=/etc/profile.d/xdg_runtime_dir.sh mode=0644
-- name: install systemd specific packages
- apt: name={{ item }} state=present
- with_items:
- - dbus
- - libpam-systemd
when: ansible_service_mgr == "systemd"
- name: install zshrc
- copy: src={{ item.src }} dest={{ item.dest }} mode=0640
+ copy: src={{ item.src }} dest={{ item.dest }} mode=0644
with_items:
+ - { "src": "zprofile", "dest": "/etc/zsh/zprofile" }
- { "src": "zshrc", "dest": "/etc/zsh/zshrc" }
- { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" }
+++ /dev/null
-Ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc,aes128-cbc
-Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
-
-Host *
- IdentityFile ~/.ssh/id_r3_rsa
- IdentitiesOnly yes
- PasswordAuthentication no
-
-Host gw
- Hostname gw.realraum.at
- Port 22000
-
-Host gnocchi1
- Hostname gnocchi1.realraum.at
-
-Host gnocchi2
- Hostname gnocchi2.realraum.at
-
-Host torwaechter
- Hostname torwaechter.mgmt.realraum.at
- User realraum
- Port 22000
-
-Host tuer
- Hostname torwaechter.mgmt.realraum.at
- Port 22000
- User tuerctl
-
-Host licht
- Hostname licht.realraum.at
- Port 22000
- User realraum
-
-Host ap
- Hostname ap.mgmt.realraum.at
- Port 22000
- User root
-
-Host ap5
- Hostname ap5.mgmt.realraum.at
- Port 22000
- User root
-
-Host alfred
- Hostname alfred.mgmt.realraum.at
- Port 22000
-
-Host ipa
- Hostname ipa.mgmt.realraum.at
- Port 22000
-
-Host tickets
- Hostname tickets.mgmt.realraum.at
- Port 22000
-
-Host home
- Hostname r3home.mgmt.realraum.at
- Port 22000
-
-Host hacksch
- Hostname hacksch.mgmt.realraum.at
- Port 22000
-
-Host entrance
- Hostname entrance.mgmt.realraum.at
- Port 22000
-
-Host ctf
- Hostname ctf.realraum.at
- Port 22000
-
-Host cal
- Hostname calendar.mgmt.realraum.at
- Port 22000
-
-Host tools
- Hostname tools.realraum.at
- Port 22000
-
-Host galley
- Hostname galley.mgmt.realraum.at
- Port 22000
-
-Host athsdisc
- Hostname athsdisc.realraum.at
- Port 22000
-
-Host wuerfel
- Hostname wuerfel.realraum.at
- Port 22000
-
-Host vex
- HostName vex.realraum.at
- Port 2342
--- /dev/null
+ssh-rsa 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 cardno:000500004194
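Review bot: This card-backed key replaces the `nicoo@harbard` key deleted below, but removing a key file from the repository only revokes it on hosts if the "Set authorized keys for root user" task (outside this diff) manages authorized_keys exclusively, e.g. with `exclusive: yes`; otherwise the old key stays authorized for root on every host until it is removed explicitly. Worth confirming that task's mode, or adding a one-off removal of the old key, before relying on this rotation.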
+++ /dev/null
-ssh-rsa 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 nicoo@harbard