introduce ssh_users_root
---
# Host vars for torwaechter: an OpenWrt x86/geode door controller built
# as a custom image (see openwrt_* below).
#
# The tuergit account (git-shell login, see openwrt_users) accepts exactly
# the same keys as root. This is a deliberate alias, not a separate trust
# level: everyone who can push key updates as tuergit can also log in as
# root. NOTE(review): if a narrower "may update door keys but is not an
# operator" role is ever wanted, give tuergit its own key list here
# instead of aliasing ssh_keys_root.
ssh_keys_tuergit: "{{ ssh_keys_root }}"

# Image build target: 32-bit x86, Geode subtarget.
openwrt_arch: x86
openwrt_target: geode
# Build outputs to keep: both the ext4 and the squashfs combined images.
openwrt_output_image_suffixes:
  - combined-ext4.img.gz
  - combined-squashfs.img

# Packages added to (or, with a leading "-", removed from) the image's
# default package set.
openwrt_packages_extra:
  # Remove dropbear so OpenSSH (sshd_config in openwrt_mixin, port 22000)
  # is the only SSH daemon; nothing in this config listens on port 22.
  - "-dropbear"
  - hwclock
  # flashrom can rewrite the board firmware. Root only -- keep it that way.
  - flashrom
  - git
  - kmod-usb-acm
  - openssh-server
  - openssh-sftp-server
  - screen
  # NOTE(review): sudo is installed but no sudoers policy is managed in
  # this file; confirm the package default grants nothing unintended.
  - sudo
  - usbutils

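# Files placed into the image, keyed by destination path: either copied
# from `file` or rendered from `content`. Modes are quoted strings so YAML
# does not read 0755 as an octal integer.
openwrt_mixin:
  # Go binaries built elsewhere and picked up from the per-host cache dir.
  /usr/local/bin/door_client:
    mode: '0755'
    file: "{{ global_cache_dir }}/{{ inventory_hostname }}/door_and_sensors/door_client/door_client"
  /usr/local/bin/door_daemon:
    mode: '0755'
    file: "{{ global_cache_dir }}/{{ inventory_hostname }}/door_and_sensors/door_daemon/door_daemon"
  /usr/local/bin/update-keys:
    mode: '0755'
    file: "{{ global_cache_dir }}/{{ inventory_hostname }}/door_and_sensors/update-keys/update-keys"

  # sshd's AuthorizedKeysCommand for the tuerctl account (Match block in
  # sshd_config below). sshd refuses to run it unless the script and every
  # parent directory are root-owned and not group/world-writable: 0755 is
  # fine, but ownership must stay root. It executes as tuergit
  # (AuthorizedKeysCommandUser), i.e. with tuergit's read access to its
  # home -- presumably where the key repo lives; confirm in the script.
  /usr/local/bin/authorized_keys.sh:
    mode: '0755'
    file: "{{ global_files_dir }}/{{ inventory_hostname }}/authorized_keys.sh"

  # Key-update helper. How and by whom it is invoked is not defined here.
  /usr/local/bin/update-keys-from-stdin.sh:
    mode: '0755'
    file: "{{ global_files_dir }}/{{ inventory_hostname }}/update-keys-from-stdin.sh"

  # Complete replacement of the package sshd_config; anything not listed is
  # the compiled-in OpenSSH default of whatever build the image ends up with.
  # The authentication policy is therefore spelled out in full instead of
  # relying on defaults: key-only for all three accounts, root via key only,
  # no password/keyboard-interactive fallback. LogLevel VERBOSE logs the
  # fingerprint of every key offered -- the only way to tell operators apart
  # in the logs when root and tuergit share one key list (see
  # ssh_keys_tuergit at the top of this file).
  # UsePrivilegeSeparation is deprecated (a no-op) on OpenSSH >= 7.5 and only
  # matters for older builds. NOTE(review): verify the sftp-server path on
  # the target; OpenWrt's openssh-sftp-server package may install it under
  # /usr/lib instead of /usr/libexec.
  /etc/ssh/sshd_config:
    content: |
      Port 22000

      AllowUsers root tuerctl tuergit
      AuthenticationMethods publickey
      PubkeyAuthentication yes
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PermitRootLogin prohibit-password
      AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u

      AllowAgentForwarding no
      AllowTcpForwarding no
      X11Forwarding no
      UsePrivilegeSeparation sandbox

      LogLevel VERBOSE

      Subsystem sftp /usr/libexec/sftp-server

      Match User tuerctl
        AuthorizedKeysFile /dev/null
        AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh
        AuthorizedKeysCommandUser tuergit

  # Root-owned key files; AuthorizedKeysFile above points here, so accounts
  # cannot add keys to their own ~/.ssh. Ansible's templating trims the
  # Jinja block-tag lines, leaving one key per line; "|-" only drops the
  # trailing newline.
  /etc/ssh/authorized_keys.d/root:
    content: |-
      {% for key in ssh_keys_root %}
      {{ key }}
      {% endfor %}

  # Same list as root's by construction (ssh_keys_tuergit aliases
  # ssh_keys_root at the top of this file).
  /etc/ssh/authorized_keys.d/tuergit:
    content: |-
      {% for key in ssh_keys_tuergit %}
      {{ key }}
      {% endfor %}
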
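# UCI configuration rendered into /etc/config/* by the role. UCI values are
# untyped strings, so every option value is written as a quoted string
# (previously accept_ra was the one bare integer in this block).
openwrt_uci:
  system:
    - name: system
      options:
        hostname: '{{ inventory_hostname }}'
        timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
        # '0' = no login prompt on the local console: whoever can plug a
        # serial cable/keyboard into the box gets a root shell. Acceptable
        # only if the device sits in a physically controlled spot; otherwise
        # set '1' (and make sure root has a password, or console login
        # becomes impossible).
        ttylogin: '0'
        # logd ring buffer size in KiB. No remote syslog target (log_ip) is
        # configured, so sshd auth logs survive neither a reboot nor 64 KiB
        # of newer messages -- ship them off-box if they matter for incident
        # response.
        log_size: '64'
        # '0' presumably disables OpenWrt's persisted urandom seed; early
        # boot entropy then comes only from whatever the kernel/hardware
        # provides. NOTE(review): confirm the board has a usable hwrng
        # before relying on this.
        urandom_seed: '0'

    # Plain (unauthenticated) NTP client against the pool; server side off.
    - name: timeserver 'ntp'
      options:
        enabled: '1'
        enable_server: '0'
        server:
          - '0.lede.pool.ntp.org'
          - '1.lede.pool.ntp.org'
          - '2.lede.pool.ntp.org'
          - '3.lede.pool.ntp.org'

  network:
    - name: globals 'globals'
      options:
        ula_prefix: 'fdc9:e01f:83db::/48'

    - name: interface 'loopback'
      options:
        ifname: lo
        proto: static
        ipaddr: 127.0.0.1
        netmask: 255.0.0.0

    # Single management interface: static address (.100 within the mgmt
    # prefix), router advertisements ignored. The ipaddr filter needs
    # netaddr (ansible.utils.ipaddr on collection-based Ansible releases).
    - name: interface 'mgmt'
      options:
        ifname: eth0
        accept_ra: '0'
        proto: static
        ipaddr: "{{ net.mgmt.prefix | ipaddr(100) | ipaddr('address') }}"
        netmask: "{{ net.mgmt.prefix | ipaddr('netmask') }}"
        gateway: "{{ net.mgmt.gw }}"
        dns: "{{ net.mgmt.dns | join(' ') }}"
        dns_search: realraum.at

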
# Extra fstab entries. /run is a tmpfs on which nothing can be executed,
# setuid, or used as a device node.
openwrt_mounts:
  - path: /run
    src: none
    fstype: tmpfs
    opts: nosuid,nodev,noexec,noatime

# Local accounts created in the image (root is implicit).
openwrt_users:
  # No home/shell overrides -> role defaults. NOTE(review): presumably the
  # service account for door_daemon -- confirm; it is not in sshd's
  # AllowUsers, so it has no remote login.
  tuerd: {}
  # Receives key pushes over SSH; git-shell limits the session to git
  # commands (no interactive shell unless ~/git-shell-commands exists).
  tuergit:
    home:  /home/tuergit
    shell: /usr/bin/git-shell
  # Authenticates through the AuthorizedKeysCommand in sshd_config, but
  # sshd runs forced commands (`command=` options on the keys) through the
  # user's login shell, so with /bin/false this account cannot execute
  # anything yet, forced or otherwise.
  tuerctl:
    shell: /bin/false # TODO fixme: needs a real (restricted) shell before door keys can do anything