From: nicoo Date: Fri, 17 Nov 2017 13:15:08 +0000 (+0100) Subject: Merge branch 'master' into ansible-fixup X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=605383e1bfc115b3133b105565593d565a9f740d;hp=a73b796383168aba8a021d2adf0a147d3501c9e8;p=noc.git Merge branch 'master' into ansible-fixup --- diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 9f97815..9621dfc 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,6 +1,5 @@ [defaults] inventory = ./hosts -remote_user = root log_path = ./log nocows=1 vault_password_file = ./gpg/get-vault-pass.sh @@ -8,6 +7,8 @@ vault_password_file = ./gpg/get-vault-pass.sh gathering = smart var_compression_level = 9 +timeout=30 + [ssh_connection] pipelining = True -ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config +ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s diff --git a/ansible/host_vars/athsdisc b/ansible/host_vars/athsdisc new file mode 100644 index 0000000..1540b11 --- /dev/null +++ b/ansible/host_vars/athsdisc @@ -0,0 +1,5 @@ +sshd_allowusers_host: + - luto + - robelix + - tomk32 + diff --git a/ansible/host_vars/ctf b/ansible/host_vars/ctf new file mode 100644 index 0000000..bbd7e60 --- /dev/null +++ b/ansible/host_vars/ctf @@ -0,0 +1,3 @@ +sshd_allowusers_set: + - f0rki + - verr diff --git a/ansible/host_vars/vex b/ansible/host_vars/vex new file mode 100644 index 0000000..9616e7d --- /dev/null +++ b/ansible/host_vars/vex @@ -0,0 +1,3 @@ +sshd_allowusers_host: + - www + - www-data diff --git a/ansible/host_vars/wuerfel b/ansible/host_vars/wuerfel new file mode 100644 index 0000000..c7f5f5c --- /dev/null +++ b/ansible/host_vars/wuerfel @@ -0,0 +1 @@ +sshd_allowgroup: ssh diff --git a/ansible/hosts b/ansible/hosts index d5bfc2f..05f89b9 100644 --- a/ansible/hosts +++ b/ansible/hosts 
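Review bot: Dropping `-F ssh/config` from `ssh_args` while deleting `ansible/ssh/config` silently discards everything that file pinned for every connection: the Ciphers/MACs lists, `IdentitiesOnly yes`, `PasswordAuthentication no`, and the per-host `Port 22000` (vex: 2342). Nothing in the new `[all:vars]` block of `ansible/hosts` sets `ansible_port` or a key file, so unless each operator's own `~/.ssh/config` covers these hosts, runs will go to port 22 with whatever defaults the local client has. If relying on per-operator config is the intent, say so in a comment above `ssh_args`; otherwise keep the shared file or carry the port in the inventory, e.g. `ansible_port=22000` under `[all:vars]` with a host-level override for vex. The same point applies to the `[all:vars]` hunk in `ansible/hosts` and to the `ansible/ssh/config` deletion.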
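Review bot: `ansible/host_vars/ctf` puts its user list under `sshd_allowusers_set`, but in `roles/base/tasks/main.yaml` that variable is only ever tested with `is defined`; the names written into `AllowUsers` come from the `set_fact` union of `root`, `sshd_allowusers_group` and `sshd_allowusers_host` (the other new host_vars files use `sshd_allowusers_host`). Unless group_vars also list them, ctf therefore ends up with `AllowUsers root` and f0rki and verr are locked out of SSH. Rename the key to `sshd_allowusers_host:`, and if the 'set' flag is still needed, declare it separately as `sshd_allowusers_set: true`.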
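Review bot: `host_vars/vex` adds the service accounts `www` and `www-data` to `AllowUsers`, which permits SSH login as the account the web server presumably runs as (assuming it has a login shell and an `authorized_keys`). If this is for deployments, a comment above the list saying so would help the next reader, and limiting what a leaked key can do — `restrict`/`command=` options in that account's `authorized_keys`, or a dedicated deploy user instead of the web server's uid — is worth considering.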
@@ -1,19 +1,25 @@ +[all:vars] +host_domain=realraum.at +ansible_host={{ inventory_hostname }}.{{ host_domain }} +ansible_user=root + [baremetalservers] -alfred +alfred.mgmt [kvmhosts] -alfred +alfred.mgmt [virtualservers] athsdisc -calendar +calendar.mgmt ctf entrance -galley -hacksch -r3home -tickets -tools +galley.mgmt +hacksch.mgmt +metrics.mgmt +r3home.mgmt +tickets.mgmt +vex [servers:children] baremetalservers @@ -24,10 +30,10 @@ virtualservers wuerfel -[alix] -gw -torwaechter +#[alix] +#gw +#torwaechter.mgmt -[apu] -gnocchi1 -gnocchi2 +#[apu] +#gnocchi1 +#gnocchi2 diff --git a/ansible/roles/base/files/xdg_runtime_dir.sh b/ansible/roles/base/files/xdg_runtime_dir.sh new file mode 100644 index 0000000..d2428b1 --- /dev/null +++ b/ansible/roles/base/files/xdg_runtime_dir.sh @@ -0,0 +1,4 @@ +# Set XDG_RUNTIME_DIR correctly +if [ "$UID" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then + export XDG_RUNTIME_DIR="/run/user/$(id -u)" +fi diff --git a/ansible/roles/base/files/zprofile b/ansible/roles/base/files/zprofile new file mode 100644 index 0000000..4fd82ad --- /dev/null +++ b/ansible/roles/base/files/zprofile @@ -0,0 +1,9 @@ +# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1). +# +# This file is sourced only for login shells (i.e. shells +# invoked with "-" as the first character of argv[0], and +# shells invoked with the -l flag.) +# +# Global Order: zshenv, zprofile, zshrc, zlogin +umask 077 +emulate sh -c 'source /etc/profile' diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml index 2b82e4f..c62d223 100644 --- a/ansible/roles/base/tasks/main.yaml +++ b/ansible/roles/base/tasks/main.yaml @@ -1,4 +1,9 @@ --- +- set_fact: + sshd_allowusers: >- + {{ [ 'root' ] | union(sshd_allowusers_group | default([])) + | union(sshd_allowusers_host | default([])) }} + - name: only allow pubkey auth for root lineinfile: dest: /etc/ssh/sshd_config 
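Review bot: The `[alix]` and `[apu]` groups are commented out rather than removed, with no note on why (decommissioned, managed elsewhere, temporarily unreachable?). A one-line comment above them such as `# alix/apu: not managed by ansible yet (see <TICKET-PLACEHOLDER>)`, or deleting the lines since git keeps the history, would avoid the question on every future read of the inventory.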
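Review bot: `$UID` is a bash/zsh variable, not a POSIX one; when `/etc/profile.d/xdg_runtime_dir.sh` is sourced by dash (the `/bin/sh` on these Debian hosts) it expands to empty, `[ "" -ne 0 ]` fails with an integer-expression error and the export never happens, so the script only works for zsh (via the new zprofile) and bash logins. Use the same call the next line already makes: `if [ "$(id -u)" -ne 0 ] && [ -z "${XDG_RUNTIME_DIR}" ]; then`.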
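Review bot: `umask 077` is set before `emulate sh -c 'source /etc/profile'`, so any umask applied by `/etc/profile` or `/etc/profile.d/*` runs afterwards and wins; whether the stock `/etc/profile` on these hosts still sets one depends on the release, so the effective umask for zsh logins is not what this file suggests. If 077 is the intended policy, move it after the `emulate` line, or enforce it via pam_umask / `/etc/login.defs` and say so in the header comment.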
@@ -6,20 +11,42 @@ line: "PermitRootLogin without-password" notify: restart ssh -- name: limit allowed users (1/2) +- name: limit allowed users (1/3) lineinfile: dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}" - when: "{{ sshd_allowusers_set | default(true) }}" + regexp: "^#?AllowUsers" + line: "AllowUsers {{ ' '.join(sshd_allowusers) }}" + when: sshd_allowusers_set is defined and sshd_allowgroup is not defined notify: restart ssh -- name: limit allowed users (2/2) +- block: + - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers" + state: absent + + - name: "limit allowed users (2/3): Set AllowGroups in sshd_config" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^#?AllowGroups" + line: AllowGroups {{ sshd_allowgroup }} + + - name: "limit allowed users (2/3): Add allowed users to ssh group" + user: + name: "{{ item }}" + groups: "{{ sshd_allowgroup }}" + append: True + with_items: "{{ sshd_allowusers }}" + + when: sshd_allowgroup is defined + +- name: limit allowed users (3/3) lineinfile: dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" + regexp: "^Allow(Users|Groups)" state: absent - when: "not {{ sshd_allowusers_set | default(true) }}" + when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined notify: restart ssh - name: Set authorized keys for root user @@ -44,6 +71,7 @@ - debian-goodies - lsof - haveged + - net-tools - ntp - screen - aptitude 
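Review bot: The new `when` conditions change which hosts stay protected: a host that defines only `sshd_allowusers_host` (athsdisc and vex in this commit) matches neither (1/3) nor the block, so (3/3) deletes `AllowUsers` and the host ends up with no login restriction at all — unless group_vars define `sshd_allowusers_set` — whereas the old `default(true)` restricted every host by default. Restoring the opt-out semantics, e.g. (1/3) `when: (sshd_allowusers_set | default(true)) | bool and sshd_allowgroup is not defined` and (3/3) `when: not ((sshd_allowusers_set | default(true)) | bool) and sshd_allowgroup is not defined`, keeps the safe default. The two `lineinfile` tasks inside the block carry no `notify: restart ssh`, so switching a host to `AllowGroups` rewrites the config but sshd keeps enforcing the old one until something else restarts it. `user:` with `groups: "{{ sshd_allowgroup }}"` also creates any listed account that does not yet exist and fails outright if the group is missing, so a preceding `group: name={{ sshd_allowgroup }} state=present` task and a check that the user exists are needed. The task list continues outside this hunk.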
@@ -51,17 +79,24 @@ - ca-certificates - file - zsh + - python-apt + +- block: + - name: install systemd specific packages + apt: name={{ item }} state=present + with_items: + - dbus + - libpam-systemd + + - name: set systemd-related environment variables + copy: src=xdg_runtime_dir.sh dest=/etc/profile.d/xdg_runtime_dir.sh mode=0644 -- name: install systemd specific packages - apt: name={{ item }} state=present - with_items: - - dbus - - libpam-systemd when: ansible_service_mgr == "systemd" - name: install zshrc - copy: src={{ item.src }} dest={{ item.dest }} mode=0640 + copy: src={{ item.src }} dest={{ item.dest }} mode=0644 with_items: + - { "src": "zprofile", "dest": "/etc/zsh/zprofile" } - { "src": "zshrc", "dest": "/etc/zsh/zshrc" } - { "src": "zshrc.skel", "dest": "/etc/skel/.zshrc" } diff --git a/ansible/ssh/config b/ansible/ssh/config deleted file mode 100644 index f0d30e2..0000000 --- a/ansible/ssh/config +++ /dev/null 
@@ -1,94 +0,0 @@ -Ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc,aes128-cbc -Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160 - -Host * - IdentityFile ~/.ssh/id_r3_rsa - IdentitiesOnly yes - PasswordAuthentication no - -Host gw - Hostname gw.realraum.at - Port 22000 - -Host gnocchi1 - Hostname gnocchi1.realraum.at - -Host gnocchi2 - Hostname gnocchi2.realraum.at - -Host torwaechter - Hostname torwaechter.mgmt.realraum.at - User realraum - Port 22000 - -Host tuer - Hostname torwaechter.mgmt.realraum.at - Port 22000 - User tuerctl - -Host licht - Hostname licht.realraum.at - Port 22000 - User realraum - -Host ap - Hostname ap.mgmt.realraum.at - Port 22000 - User root - -Host ap5 - Hostname ap5.mgmt.realraum.at - Port 22000 - User root - -Host alfred - Hostname alfred.mgmt.realraum.at - Port 22000 - -Host ipa - Hostname ipa.mgmt.realraum.at - Port 22000 - -Host tickets - Hostname tickets.mgmt.realraum.at - Port 22000 - -Host home - Hostname r3home.mgmt.realraum.at - Port 22000 - -Host hacksch - Hostname hacksch.mgmt.realraum.at - Port 22000 - -Host entrance - Hostname entrance.mgmt.realraum.at - Port 22000 - -Host ctf - Hostname ctf.realraum.at - Port 22000 - -Host cal - Hostname calendar.mgmt.realraum.at - Port 22000 - -Host tools - Hostname tools.realraum.at - Port 22000 - -Host galley - Hostname galley.mgmt.realraum.at - Port 22000 - -Host athsdisc - Hostname athsdisc.realraum.at - Port 22000 - -Host wuerfel - Hostname wuerfel.realraum.at - Port 22000 - -Host vex - HostName vex.realraum.at - Port 2342 diff --git a/ansible/ssh/noc/nicoo@card.pub b/ansible/ssh/noc/nicoo@card.pub new file mode 100644 index 0000000..3a965ec --- /dev/null +++ b/ansible/ssh/noc/nicoo@card.pub @@ -0,0 +1 @@ +ssh-rsa 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 cardno:000500004194 
diff --git a/ansible/ssh/noc/nicoo@harbard.pub b/ansible/ssh/noc/nicoo@harbard.pub
deleted file mode 100644
index ec60523..0000000
--- a/ansible/ssh/noc/nicoo@harbard.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 nicoo@harbard