feat(role): Secure SSH config

2022-06-12 00:15:27 +02:00
parent 3d856af8ea
commit 2e551bdd7c
13 changed files with 159 additions and 2 deletions
--- a/ansible/roles/20-common-20-ssh/tasks/20-ssh.yml
+++ b/ansible/roles/20-common-20-ssh/tasks/20-ssh.yml
@@ -0,0 +1,85 @@
+- name: 'Get secrets'
+  no_log: 'true'
+  loop_control:
+    loop_var: 'server'
+  with_community.hashi_vault.vault_kv2_get:
+    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/root/creds'
+  ansible.builtin.set_fact:
+    vault_data: '{{ server.secret }}'
+
+
+
+- name: 'If first run: set SSH password'
+  tags:
+    - 'first_run'
+    - 'never'
+  no_log: 'true'
+  ansible.builtin.set_fact:
+    ansible_password: '{{ vault_data.initial_password }}'
+
+
+
+- name: 'Make sure ''{{ root_home_dir_abs }}/.ssh'' exists with correct permissions'
+  file:
+    path: '{{ root_home_dir_abs }}/.ssh'
+    state: 'directory'
+    mode: 'u=rwX,go='
+    owner: '{{ ansible_user }}'
+    group: '{{ ansible_user }}'
+    recurse: 'yes'
+
+
+
+- name: 'Copy ''authorized_keys'' file to server'
+  copy:
+    src: 'root/.ssh/authorized_keys'
+    dest: '{{ root_home_dir_abs }}/.ssh/authorized_keys'
+    mode: '0600'
+    owner: '{{ ansible_user }}'
+    group: '{{ ansible_user }}'
+
+
+
+- name: 'Copy ''known_hosts'' file to server'
+  copy:
+    src: 'root/.ssh/known_hosts'
+    dest: '{{ root_home_dir_abs }}/.ssh/known_hosts'
+    mode: '0600'
+    owner: '{{ ansible_user }}'
+    group: '{{ ansible_user }}'
+
+
+
+- name: 'If on Red Hat or derivative OS: secure sshd'
+  register: 'rv_secure_sshd'
+  when: '(ansible_facts[''os_family''] | lower == ''redhat'')'
+  blockinfile:
+    block: "{{ lookup('file', 'etc/ssh/sshd_config') }}"
+    dest: "/etc/ssh/sshd_config"
+    state: 'present'
+    insertbefore: 'BOF'
+    marker: '{mark}'
+    marker_begin: '####### Managed remotely via config management ####### quico-ops start'
+    marker_end: '####### Managed remotely via config management ####### quico-ops end'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify:
+    - 'Restart sshd.service'
+
+
+
+- name: 'Flush handlers'
+  meta: flush_handlers
+
+
+
+- name: 'Reset connection'
+  ansible.builtin.meta: 'reset_connection'
+
+
+
+- name: 'Wait for SSH connection to return'
+  when: '(rv_secure_sshd.changed)'
+  ansible.builtin.wait_for_connection:
+    connect_timeout: '1'
+    delay: '1'
+    sleep: '2'
--- a/ansible/roles/20-common-20-ssh/tasks/main.yml
+++ b/ansible/roles/20-common-20-ssh/tasks/main.yml
@@ -0,0 +1,3 @@
+- import_tasks: '20-ssh.yml'
+  tags:
+    - 'first_run'