tuer: Add sftp support
1 ---
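- hosts: torwaechter
  connection: local
  pre_tasks:
    # The door-controller Go binaries are built on the Ansible host itself
    # (connection: local). Every path is anchored at playbook_dir so the
    # build does not depend on the cwd ansible is started from: chdir/path
    # must point at the same tree as GOPATH/GOCACHE, which are absolute.
    - name: Create go directories
      file:
        path: "{{ playbook_dir }}/.cache/openwrt/tuer/{{ item }}"
        state: directory
      with_items: [ gopath, gocache ]

    # Supply-chain caveat: no `version:` is given, so each run checks out
    # whatever upstream HEAD is at that moment and bakes it into the door
    # controller's image. Pin a tag or commit (and review upstream before
    # bumping it) if the build is meant to be reproducible and auditable.
    - name: Clone necessary git repositories
      git:
        repo: https://github.com/realraum/{{ item }}.git
        dest: "{{ playbook_dir }}/.cache/openwrt/tuer/{{ item }}"
        update: true
      with_items: [ door_and_sensors ]

    # `go get -d` fetches dependencies over the network into GOPATH without
    # building them; from this playbook's point of view they are unpinned too.
    - name: Download dependencies
      command: go get -d ./...
      args:
        chdir: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/{{ item }}"
      environment:
        GOCACHE: "{{ playbook_dir }}/.cache/openwrt/tuer/gocache"
        GOPATH:  "{{ playbook_dir }}/.cache/openwrt/tuer/gopath"
      with_items: [ door_client, door_daemon, update-keys ]

    # Static (CGO_ENABLED=0) linux/386 binaries; -s drops the symbol table.
    # GO386=387 selects x87 floating point — presumably because the Geode
    # target lacks SSE2; confirm. Values are quoted so YAML hands the
    # process env strings rather than integers.
    - name: Cross-compile Go binaries
      command: go build -ldflags "-s"
      args:
        chdir: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/{{ item }}"
      environment:
        GOCACHE: "{{ playbook_dir }}/.cache/openwrt/tuer/gocache"
        GOPATH:  "{{ playbook_dir }}/.cache/openwrt/tuer/gopath"
        GO386: '387'
        CGO_ENABLED: '0'
        GOOS: linux
        GOARCH: '386'
      with_items: [ door_client, door_daemon, update-keys ]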
39
  roles:
    - role: openwrt-image
      delegate_to: localhost
      vars:
        openwrt_arch: x86
        openwrt_target: geode
        openwrt_output_image_suffixes:
          - combined-ext4.img.gz
          - combined-squashfs.img
        # No ppp/dhcp/dns on this box — and no `firewall` either. With the
        # package removed there is no host-level packet filter, so sshd on
        # port 22000 (sshd_config below) is reachable from anything that can
        # route to 192.168.33.7; the surrounding network has to do the
        # filtering.
        openwrt_packages_remove:
          - ppp
          - ppp-mod-pppoe
          - dnsmasq
          - firewall
          - odhcpd
        openwrt_packages_add:
          - flashrom
          - haveged
          - htop
          - hwclock
          - ip
          - less
          - nano
          - tcpdump
        # dropbear is swapped for OpenSSH (server + sftp-server), presumably
        # because the AuthorizedKeysCommand/Match configuration below needs
        # it. `sudo` lands on a box where root itself is key-reachable.
        openwrt_packages_extra:
          - "-dropbear"
          - git
          - kmod-usb-acm
          - openssh-server
          - openssh-sftp-server
          - screen
          - sudo
          - usbutils
73
74         openwrt_mixin:
75           # Go binaries
76           /usr/local/bin/door_client:
77             mode: '0755'
78             file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
79           /usr/local/bin/door_daemon:
80             mode: '0755'
81             file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
82           /usr/local/bin/update-keys:
83             mode: '0755'
84             file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
85
86           /usr/local/bin/authorized_keys.sh:
87             mode: '0755'
88             file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh"
89
90           /usr/local/bin/update-keys-from-stdin.sh:
91             mode: '0755'
92             file: "{{ playbook_dir }}/files/tuer/update-keys-from-stdin.sh"
93
94           /etc/ssh/sshd_config:
95             content: |
96               Port 22000
97
98               AllowUsers root tuerctl tuergit
99               AuthenticationMethods publickey
100               AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
101
102               AllowAgentForwarding no
103               AllowTcpForwarding no
104               X11Forwarding no
105               UsePrivilegeSeparation sandbox
106
107               Subsystem sftp /usr/libexec/sftp-server
108
109               Match User tuerctl
110                 AuthorizedKeysFile /dev/null
111                 AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh
112                 AuthorizedKeysCommandUser tuergit
113               
114
115           /etc/ssh/authorized_keys.d/root:
116             content: |-
117               {% for key in noc_ssh_keys %}
118               {{ key }}
119               {% endfor %}
120
121           /etc/ssh/authorized_keys.d/tuergit:
122             content: |-
123               {% for key in noc_ssh_keys %}
124               {{ key }}
125               {% endfor %}
126
127         openwrt_uci:
128           system:
129             - name: system
130               options:
131                 hostname: '{{ inventory_hostname }}'
132                 timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
133                 ttylogin: '0'
134                 log_size: '64'
135                 urandom_seed: '0'
136
137             - name: timeserver 'ntp'
138               options:
139                 enabled: '1'
140                 enable_server: '0'
141                 server:
142                   - '0.lede.pool.ntp.org'
143                   - '1.lede.pool.ntp.org'
144                   - '2.lede.pool.ntp.org'
145                   - '3.lede.pool.ntp.org'
146
147           network:
148             - name: globals 'globals'
149               options:
150                 ula_prefix: fdc9:e01f:83db::/48
151
152             - name: interface 'loopback'
153               options:
154                 ifname: lo
155                 proto: static
156                 ipaddr: 127.0.0.1
157                 netmask: 255.0.0.0
158
159             - name: interface 'lan'
160               options:
161                 ifname: eth0
162                 accept_ra: 0
163                 proto: static
164                 ipaddr: 192.168.33.7
165                 netmask: 255.255.255.0
166                 gateway: 192.168.33.1
167                 dns: 192.168.33.1
168                 dns_search: realraum.at
169
170
171         openwrt_mounts:
172           - path: /run
173             src: none
174             fstype: tmpfs
175             opts: nosuid,nodev,noexec,noatime
176
        # Local accounts baked into the image. Order is kept as-is in case the
        # role allocates uids sequentially.
        openwrt_users:
          # Presumably the account door_daemon runs as; nothing overridden.
          tuerd: {}
          # git-shell only; also the unprivileged user sshd runs
          # authorized_keys.sh as, and its accepted keys are the same
          # noc_ssh_keys that open root.
          tuergit:
            home:  /home/tuergit
            shell: /usr/bin/git-shell
          # Key-checked via AuthorizedKeysCommand, but with /bin/false as the
          # shell every session — sshd runs commands through the shell — exits
          # immediately; the TODO is load-bearing.
          tuerctl:
            shell: /bin/false # TODO fixme