Merge branch 'master' into ansible-fixup
authornicoo <nicoo@realraum.at>
Fri, 17 Nov 2017 13:15:08 +0000 (14:15 +0100)
committernicoo <nicoo@realraum.at>
Fri, 17 Nov 2017 13:15:08 +0000 (14:15 +0100)
12 files changed:
ansible/ansible.cfg
ansible/host_vars/athsdisc [new file with mode: 0644]
ansible/host_vars/ctf [new file with mode: 0644]
ansible/host_vars/vex [new file with mode: 0644]
ansible/host_vars/wuerfel [new file with mode: 0644]
ansible/hosts
ansible/roles/base/files/xdg_runtime_dir.sh [new file with mode: 0644]
ansible/roles/base/files/zprofile [new file with mode: 0644]
ansible/roles/base/tasks/main.yaml
ansible/ssh/config [deleted file]
ansible/ssh/noc/nicoo@card.pub [new file with mode: 0644]
ansible/ssh/noc/nicoo@harbard.pub [deleted file]

index 9f97815..9621dfc 100644 (file)
@@ -1,6 +1,5 @@
 [defaults]
 inventory = ./hosts
-remote_user = root
 log_path = ./log
 nocows=1
 vault_password_file = ./gpg/get-vault-pass.sh
@@ -8,6 +7,8 @@ vault_password_file = ./gpg/get-vault-pass.sh
 gathering = smart
 var_compression_level = 9
 
+timeout=30
+
 [ssh_connection]
 pipelining = True
-ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
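Review bot: Dropping `-F ssh/config` from ssh_args also drops the client-side hardening the deleted ansible/ssh/config carried: the Ciphers/Macs allow-list, `PasswordAuthentication no`, `IdentitiesOnly yes` and the pinned IdentityFile, none of which reappear elsewhere in this commit. If that is meant to come from each operator's ~/.ssh/config, a comment above ssh_args saying so would save the next reader the archaeology; otherwise keep the portable part inline, `ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=yes -o PasswordAuthentication=no`. Minor style: `timeout=30` is the only new key without spaces around `=`; the rest of the file (apart from the pre-existing `nocows=1`) uses `key = value`.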
diff --git a/ansible/host_vars/athsdisc b/ansible/host_vars/athsdisc
new file mode 100644 (file)
index 0000000..1540b11
--- /dev/null
@@ -0,0 +1,5 @@
+sshd_allowusers_host:
+  - luto
+  - robelix
+  - tomk32
+
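Review bot: The variable names in these new host_vars do not line up with what roles/base/tasks/main.yaml consumes, so the user lists are probably not applied as intended. ctf puts f0rki and verr under `sshd_allowusers_set`, but the role only tests that name for definedness and builds AllowUsers from `sshd_allowusers_group`/`sshd_allowusers_host`, so those two names never reach `AllowUsers` (ctf would end up with `AllowUsers root` plus whatever group_vars add). athsdisc (this file) and vex define `sshd_allowusers_host` but not `sshd_allowusers_set`, so unless group_vars outside this diff define it, task 3/3 fires and removes AllowUsers entirely. Suggest renaming ctf's key to `sshd_allowusers_host` and adding `sshd_allowusers_set: true` to athsdisc, ctf and vex, then checking the rendered sshd_config on each host.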
diff --git a/ansible/host_vars/ctf b/ansible/host_vars/ctf
new file mode 100644 (file)
index 0000000..bbd7e60
--- /dev/null
@@ -0,0 +1,3 @@
+sshd_allowusers_set:
+  - f0rki
+  - verr
diff --git a/ansible/host_vars/vex b/ansible/host_vars/vex
new file mode 100644 (file)
index 0000000..9616e7d
--- /dev/null
@@ -0,0 +1,3 @@
+sshd_allowusers_host:
+  - www
+  - www-data
diff --git a/ansible/host_vars/wuerfel b/ansible/host_vars/wuerfel
new file mode 100644 (file)
index 0000000..c7f5f5c
--- /dev/null
@@ -0,0 +1 @@
+sshd_allowgroup: ssh
index d5bfc2f..05f89b9 100644 (file)
@@ -1,19 +1,25 @@
+[all:vars]
+host_domain=realraum.at
+ansible_host={{ inventory_hostname }}.{{ host_domain }}
+ansible_user=root
+
 [baremetalservers]
-alfred
+alfred.mgmt
 
 [kvmhosts]
-alfred
+alfred.mgmt
 
 [virtualservers]
 athsdisc
-calendar
+calendar.mgmt
 ctf
 entrance
-galley
-hacksch
-r3home
-tickets
-tools
+galley.mgmt
+hacksch.mgmt
+metrics.mgmt
+r3home.mgmt
+tickets.mgmt
+vex
 
 [servers:children]
 baremetalservers
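Review bot: `[all:vars]` now supplies ansible_host and ansible_user but no ansible_port, while the ansible/ssh/config deleted in this same commit set `Port 22000` for alfred, calendar, galley, hacksch, r3home, tickets, entrance, ctf, athsdisc and wuerfel and `Port 2342` for vex. Unless those sshds also listen on 22 or the controller's ~/.ssh/config still carries the ports, plays will now fail to connect; add `ansible_port=22000` to `[all:vars]` and override per host where needed, e.g. `vex ansible_port=2342`. Also worth confirming: the deleted config resolved entrance to entrance.mgmt.realraum.at, whereas the inventory still lists bare `entrance`, which the new ansible_host template turns into entrance.realraum.at.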
@@ -24,10 +30,10 @@ virtualservers
 wuerfel
 
 
-[alix]
-gw
-torwaechter
+#[alix]
+#gw
+#torwaechter.mgmt
 
-[apu]
-gnocchi1
-gnocchi2
+#[apu]
+#gnocchi1
+#gnocchi2
diff --git a/ansible/roles/base/files/xdg_runtime_dir.sh b/ansible/roles/base/files/xdg_runtime_dir.sh
new file mode 100644 (file)
index 0000000..d2428b1
--- /dev/null
@@ -0,0 +1,4 @@
+# Set XDG_RUNTIME_DIR correctly
+if [ "$UID" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then
+    export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
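Review bot: `$UID` on the `if` line is a bash/zsh variable, not POSIX; when /etc/profile.d/*.sh is sourced by a dash login shell (such as `/bin/sh` on Debian) it is empty and `[ "" -ne 0 ]` prints an error instead of testing anything. The script already uses `id -u` two lines later, so use it here too: `if [ "$(id -u)" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then`. A short header comment stating that the base role installs this file into /etc/profile.d would also tell readers which shells end up sourcing it.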
diff --git a/ansible/roles/base/files/zprofile b/ansible/roles/base/files/zprofile
new file mode 100644 (file)
index 0000000..4fd82ad
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
+#
+# This file is sourced only for login shells (i.e. shells
+# invoked with "-" as the first character of argv[0], and
+# shells invoked with the -l flag.)
+#
+# Global Order: zshenv, zprofile, zshrc, zlogin
+umask 077
+emulate sh -c 'source /etc/profile'
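Review bot: `umask 077` is set before /etc/profile is sourced, so if /etc/profile or any /etc/profile.d/*.sh script sets its own umask, that later value wins and the 077 here is silently lost. If 077 is the intended result, move `umask 077` after the `emulate sh -c 'source /etc/profile'` line, or add a comment stating that /etc/profile is expected not to touch umask. A one-line comment on why 077 rather than the more common 022 would also help the next reader, since this file is system-wide and applies to root's login shells as well.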
index 2b82e4f..c62d223 100644 (file)
@@ -1,4 +1,9 @@
 ---
+- set_fact:
+    sshd_allowusers: >-
+      {{ [ 'root' ] | union(sshd_allowusers_group | default([]))
+                    | union(sshd_allowusers_host  | default([])) }}
+
 - name: only allow pubkey auth for root
   lineinfile:
      dest: /etc/ssh/sshd_config
      line: "PermitRootLogin without-password"
   notify: restart ssh
 
-- name: limit allowed users (1/2)
+- name: limit allowed users (1/3)
   lineinfile:
      dest: /etc/ssh/sshd_config
-     regexp: "^AllowUsers"
-     line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
-  when: "{{ sshd_allowusers_set | default(true) }}"
+     regexp: "^#?AllowUsers"
+     line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
   notify: restart ssh
 
-- name: limit allowed users (2/2)
+- block:
+    - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^AllowUsers"
+        state: absent
+
+    - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^#?AllowGroups"
+        line: AllowGroups {{ sshd_allowgroup }}
+
+    - name: "limit allowed users (2/3): Add allowed users to ssh group"
+      user:
+        name: "{{ item }}"
+        groups: "{{ sshd_allowgroup }}"
+        append: True
+      with_items: "{{ sshd_allowusers }}"
+
+  when: sshd_allowgroup is defined
+
+- name: limit allowed users (3/3)
   lineinfile:
      dest: /etc/ssh/sshd_config
-     regexp: "^AllowUsers"
+     regexp: "^Allow(Users|Groups)"
      state: absent
-  when: "not {{ sshd_allowusers_set | default(true) }}"
+  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
   notify: restart ssh
 
 - name: Set authorized keys for root user
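Review bot: The two lineinfile tasks inside the new block (the `AllowUsers … state: absent` task and the `AllowGroups` task) edit sshd_config without `notify: restart ssh`, while tasks 1/3 and 3/3 do notify, so a host that switches to AllowGroups keeps running the old sshd configuration until something else restarts it. Add `notify: restart ssh` to both lineinfile tasks in the block. Two smaller points: the `user` task with `groups: "{{ sshd_allowgroup }}"` does not create the group, so a preceding `group:` task or an assertion that it exists would make the block fail cleanly where the group is missing; and `append: True` should be `append: true` to match lowercase booleans. The `set_fact` at the top would read better with a `name:` noting that root is always included in sshd_allowusers.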
@@ -44,6 +71,7 @@
     - debian-goodies
     - lsof
     - haveged
+    - net-tools
     - ntp
     - screen
     - aptitude
     - ca-certificates
     - file
     - zsh
+    - python-apt
+
+- block:
+    - name: install systemd specific packages
+      apt: name={{ item }} state=present
+      with_items:
+        - dbus
+        - libpam-systemd
+
+    - name: set systemd-related environment variables
+      copy: src=xdg_runtime_dir.sh dest=/etc/profile.d/xdg_runtime_dir.sh mode=0644
 
-- name: install systemd specific packages
-  apt: name={{ item }} state=present
-  with_items:
-    - dbus
-    - libpam-systemd
   when: ansible_service_mgr == "systemd"
 
 - name: install zshrc
-  copy: src={{ item.src }} dest={{ item.dest }} mode=0640
+  copy: src={{ item.src }} dest={{ item.dest }} mode=0644
   with_items:
+    - { "src": "zprofile", "dest": "/etc/zsh/zprofile" }
     - { "src": "zshrc", "dest": "/etc/zsh/zshrc" }
     - { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" }
 
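Review bot: The new block uses `key=value` module shorthand (`apt: name={{ item }} state=present`, `copy: src=… mode=0644`) while the rest of this file passes module arguments as block YAML (see the lineinfile and user tasks above), which makes the file harder to read and lint consistently. Prefer the file's own style, e.g. for the copy task `src: xdg_runtime_dir.sh`, `dest: /etc/profile.d/xdg_runtime_dir.sh`, `mode: "0644"`, and likewise for the apt task; when converting, quote the mode, since an unquoted `mode: 0644` is parsed as the octal integer 420. The package list this hunk extends belongs to a task whose name is outside the hunk.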
diff --git a/ansible/ssh/config b/ansible/ssh/config
deleted file mode 100644 (file)
index f0d30e2..0000000
+++ /dev/null
@@ -1,94 +0,0 @@
-Ciphers  aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc,aes128-cbc
-Macs     hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
-
-Host *
-    IdentityFile ~/.ssh/id_r3_rsa
-    IdentitiesOnly yes
-    PasswordAuthentication no
-
-Host gw
-    Hostname gw.realraum.at
-    Port 22000
-
-Host gnocchi1
-    Hostname gnocchi1.realraum.at
-
-Host gnocchi2
-    Hostname gnocchi2.realraum.at
-
-Host torwaechter
-    Hostname torwaechter.mgmt.realraum.at
-    User realraum
-    Port 22000
-
-Host tuer
-    Hostname torwaechter.mgmt.realraum.at
-    Port 22000
-    User tuerctl
-
-Host licht
-    Hostname licht.realraum.at
-    Port 22000
-    User realraum
-
-Host ap
-    Hostname ap.mgmt.realraum.at
-    Port 22000
-    User root
-
-Host ap5
-    Hostname ap5.mgmt.realraum.at
-    Port 22000
-    User root
-
-Host alfred
-    Hostname alfred.mgmt.realraum.at
-    Port 22000
-
-Host ipa
-    Hostname ipa.mgmt.realraum.at
-    Port 22000
-
-Host tickets
-    Hostname tickets.mgmt.realraum.at
-    Port 22000
-
-Host home
-    Hostname r3home.mgmt.realraum.at
-    Port 22000
-
-Host hacksch
-    Hostname hacksch.mgmt.realraum.at
-    Port 22000
-
-Host entrance
-    Hostname entrance.mgmt.realraum.at
-    Port 22000
-
-Host ctf
-    Hostname ctf.realraum.at
-    Port 22000
-
-Host cal
-    Hostname calendar.mgmt.realraum.at
-    Port 22000
-
-Host tools
-    Hostname tools.realraum.at
-    Port 22000
-
-Host galley
-    Hostname galley.mgmt.realraum.at
-    Port 22000
-
-Host athsdisc
-    Hostname athsdisc.realraum.at
-    Port 22000
-
-Host wuerfel
-    Hostname wuerfel.realraum.at
-    Port 22000
-
-Host vex
-    HostName vex.realraum.at
-    Port 2342
diff --git a/ansible/ssh/noc/nicoo@card.pub b/ansible/ssh/noc/nicoo@card.pub
new file mode 100644 (file)
index 0000000..3a965ec
--- /dev/null
@@ -0,0 +1 @@
+ssh-rsa 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 cardno:000500004194
diff --git a/ansible/ssh/noc/nicoo@harbard.pub b/ansible/ssh/noc/nicoo@harbard.pub
deleted file mode 100644 (file)
index ec60523..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 nicoo@harbard