commit e31eac0af7a4a00b5cfb11cbb0c2ea4f63cc8c43
parent c3b03419b6a3a0ab787acdc682542dee6af2c8eb
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 21 Feb 2021 16:28:09 +0100
parent c3b03419b6a3a0ab787acdc682542dee6af2c8eb
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 21 Feb 2021 16:28:09 +0100
add new role: openssh
7 files changed, 192 insertions(+), 0 deletions(-)
diff --git a/roles/openssh/tasks/configure.yml b/roles/openssh/tasks/configure.yml
@@ -0,0 +1,9 @@
+---
+
+- name: "Create file: /etc/ssh/sshd_config"
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ mode: 0755
+ validate: "/usr/sbin/sshd -T -f %s"
+ register: sshdConfig
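Review bot: `mode: 0755` on `/etc/ssh/sshd_config` sets the executable bit on a plain configuration file and departs from the 0644 every distribution ships; write it as `mode: "0644"` (quoted, so YAML cannot reinterpret the leading-zero octal) or `"0600"` if the effective policy should be readable by root only. The `validate: "/usr/sbin/sshd -T -f %s"` line is the right guard against pushing a config that sshd refuses to load, and the `register: sshdConfig` result is what start.yml keys its restart on, so the two names must stay in sync. A one-line comment above the task, `# validated with sshd -T before install so a bad template cannot lock us out`, would make that dependency obvious to the next editor.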
diff --git a/roles/openssh/tasks/firewall.yml b/roles/openssh/tasks/firewall.yml
@@ -0,0 +1,20 @@
+---
+
+- name: "[nftables] Create rule for: openssh"
+ template:
+ src: nftables-rule.nft.j2
+ dest: /etc/nftables.d/openssh.nft
+
+- name: "[OpenRC] Restart service: nftables"
+ service:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Restart service: nftables"
+ systemd:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "systemd"
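Review bot: `src: nftables-rule.nft.j2` is referenced but none of the seven files this commit adds is that template, so the `[nftables] Create rule for: openssh` task will fail with a missing-template error unless the file already exists elsewhere on the role's template search path. Separately, `state: restarted` on nftables is run on every play, not only when the rule file changed, and a restart typically flushes the ruleset before reloading it, which leaves a short window with no filtering (or a brief outage under a default-drop policy, depending on what the unit's stop action does); `state: reloaded` where the init script supports it, driven from a `notify` on the template task, avoids both. The template task should also get an explicit `mode: "0644"` so the rule file's permissions do not depend on the controller's umask.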
diff --git a/roles/openssh/tasks/install.yml b/roles/openssh/tasks/install.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "[Alpine] Install package: openssh"
+ apk:
+ name: openssh
+ state: present
+ update_cache: yes
+ when:
+ - ansible_distribution == "Alpine"
+
+- name: "[Archlinux] Install package: openssh"
+ pacman:
+ name: openssh
+ state: present
+ update_cache: yes
+ when:
+ - ansible_distribution == "Archlinux"
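Review bot: `update_cache: yes` on the pacman task refreshes the package database and then installs `openssh` against it, which on Arch is the partial-upgrade pattern (`pacman -Sy` followed by an install) that the distribution explicitly warns against because the new package may link against libraries the rest of the system has not been upgraded to yet; either drop `update_cache` here and rely on a separate full-upgrade step, or add `upgrade: yes` alongside it. On both tasks write the boolean as `update_cache: true` rather than `yes`, which yamllint's truthy rule flags and which YAML 1.2 parsers read as a string.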
diff --git a/roles/openssh/tasks/main.yml b/roles/openssh/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+
+- include: install.yml
+ when:
+ - services.openssh.enable is defined
+ - services.openssh.enable is true
+
+- include: firewall.yml
+ when:
+ - services.openssh.enable is defined
+ - services.openssh.enable is true
+ - network.nftables.enable is true
+
+- include: configure.yml
+ when:
+ - services.openssh.enable is defined
+ - services.openssh.enable is true
+
+- include: start.yml
+ when:
+ - services.openssh.enable is defined
+ - services.openssh.enable is true
+
+- include: remove.yml
+ when:
+ - services.openssh.enable is defined
+ - services.openssh.enable is false
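Review bot: the firewall include tests `network.nftables.enable is true` without the `is defined` guard the other conditions carry, so a host whose inventory has no `network.nftables` key fails the play with an undefined-variable error instead of simply skipping the firewall step; `network.nftables.enable | default(false)` gives the intended behaviour in one line. The same `| default(false)` form would collapse each repeated `is defined` / `is true` pair into a single condition. `include` has been deprecated for task files since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); with a `when` that only depends on inventory variables, `import_tasks` is the natural replacement.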
diff --git a/roles/openssh/tasks/remove.yml b/roles/openssh/tasks/remove.yml
@@ -0,0 +1,56 @@
+---
+
+- name: "[OpenRC] Disable and stop service: sshd"
+ service:
+ name: sshd
+ enabled: no
+ state: stopped
+ when:
+ - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Disable and stop service: sshd"
+ systemd:
+ name: sshd
+ enabled: no
+ state: stopped
+ when:
+ - ansible_service_mgr == "systemd"
+
+
+- name: "[Alpine] Remove package: openssh"
+ apk:
+ name: openssh
+ state: absent
+ when:
+ - ansible_distribution == "Alpine"
+
+- name: "[Archlinux] Remove package: openssh"
+ pacman:
+ name: openssh
+ state: absent
+ when:
+ - ansible_distribution == "Archlinux"
+
+- name: "Delete leftovers"
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "/etc/ssh"
+ - "/etc/nftables.d/openssh.nft"
+
+- name: "[OpenRC] Restart service: nftables"
+ service:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "openrc"
+ - network.nftables.enable is true
+
+- name: "[systemd] Restart service: nftables"
+ systemd:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "systemd"
+ - network.nftables.enable is true
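Review bot: the `Delete leftovers` task removes the whole `/etc/ssh` directory, which destroys the host keys; if the service is later re-enabled the reinstall generates fresh keys and every client gets a host-key-changed warning, which both breaks automation and conditions users to accept changed keys. Either leave `/etc/ssh` in place (the package removal already stops the daemon) or restrict the cleanup to the files this role wrote, i.e. `/etc/ssh/sshd_config` and `/etc/nftables.d/openssh.nft`. Note also that removing the `openssh` package takes the `ssh` client and `/etc/ssh/ssh_config` with it on both distributions, and that stopping sshd on the host Ansible is currently connected through only works because the existing session survives; both deserve a comment at the top of the file. `with_items` is the legacy form; `loop:` is the current idiom.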
diff --git a/roles/openssh/tasks/start.yml b/roles/openssh/tasks/start.yml
@@ -0,0 +1,33 @@
+---
+
+- name: "[OpenRC] Enable and start service: sshd"
+ service:
+ name: sshd
+ enabled: yes
+ state: started
+ when:
+ - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Enable and start service: sshd"
+ systemd:
+ name: sshd
+ enabled: yes
+ state: started
+ when:
+ - ansible_service_mgr == "systemd"
+
+- name: "[OpenRC] Restart start service: sshd (to deploy new config)"
+ service:
+ name: sshd
+ state: started
+ when:
+ - ansible_service_mgr == "openrc"
+ - sshdConfig.changed
+
+- name: "[systemd] Enable and start service: sshd (to deploy new config)"
+ systemd:
+ name: sshd
+ state: restarted
+ when:
+ - ansible_service_mgr == "systemd"
+ - sshdConfig.changed
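Review bot: the OpenRC task named `Restart start service: sshd (to deploy new config)` uses `state: started`, which is a no-op when sshd is already running, so on Alpine a changed `sshd_config` is never applied until the next reboot — and on a host where `PasswordAuthentication` or `PermitRootLogin` was just tightened that means the old, weaker policy stays live; change it to `state: restarted` to match the systemd task. The systemd task's name still says "Enable and start" although it performs a restart; rename it to `"[systemd] Restart service: sshd (to deploy new config)"`. Both restart tasks rely on `sshdConfig` being registered by configure.yml, which main.yml always includes before this file, so a short comment noting that ordering is worth adding; `enabled: yes` should be `enabled: true`.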
diff --git a/roles/openssh/templates/sshd_config.j2 b/roles/openssh/templates/sshd_config.j2
@@ -0,0 +1,29 @@
+#
+# !!! This file is managed by Ansible !!!
+#
+
+Port {{ services.openssh.port | default(22) }}
+
+{% if services.openssh.permitRootLogin is true %}
+PermitRootLogin prohibit-password
+{% else %}
+PermitRootLogin no
+{% endif %}
+
+{% if services.openssh.passwordAuthentication is true %}
+PasswordAuthentication yes
+{% else %}
+PasswordAuthentication no
+{% endif %}
+
+AuthorizedKeysFile .ssh/authorized_keys
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+{% if services.openssh.extraConfig is defined %}
+{{ services.openssh.extraConfig }}
+{% endif %}+ \ No newline at end of file
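Review bot: `extraConfig` is appended after the fixed directives, but sshd uses the first value it sees for each keyword, so nothing placed in `extraConfig` can override `Port`, `PermitRootLogin`, `PasswordAuthentication` or the other settings above it — only new keywords and `Match` blocks (which must come last anyway) take effect. Either document that restriction in the header comment, e.g. `# extraConfig is appended: it can add keywords and Match blocks but cannot override the directives above`, or render it before the fixed directives if overriding is the intent. The defaults are sound: with `permitRootLogin`/`passwordAuthentication` undefined the `is true` tests are false and the template emits `PermitRootLogin no` and `PasswordAuthentication no`, and `ChallengeResponseAuthentication no` closes the PAM keyboard-interactive path that `UsePAM yes` would otherwise leave open. The `Subsystem sftp /usr/lib/ssh/sftp-server` path is hard-coded for two distributions the role targets; a comment saying so would save the next porter a validate failure.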