WIP: Various cleanups #83
3 changed files with 22 additions and 3 deletions
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
- hosts: services-*.pve.auro.re
|
- hosts: all,!unifi
|
||||||
vars:
|
vars:
|
||||||
openssh_users_ca_public_key:
|
openssh_users_ca_public_key:
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
|
||||||
|
@ -9,6 +9,10 @@
|
||||||
openssh_authorized_principals:
|
openssh_authorized_principals:
|
||||||
- any
|
- any
|
||||||
- "{{ inventory_hostname }}"
|
- "{{ inventory_hostname }}"
|
||||||
|
openssh_whitelist_groups: "{{ ['adherent']
|
||||||
|
if inventory_hostname == 'camelot.adm.auro.re'
|
||||||
|
else [] }}"
|
||||||
|
openssh_allow_passwords: "{{ inventory_hostname == 'camelot.adm.auro.re' }}"
|
||||||
roles:
|
roles:
|
||||||
- openssh_server
|
- openssh_server
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
---
|
---
|
||||||
openssh_authorized_principals:
|
openssh_authorized_principals:
|
||||||
- any
|
- any
|
||||||
|
openssh_allow_passwords: false
|
||||||
|
openssh_whitelist_users: []
|
||||||
|
openssh_whitelist_groups: []
|
||||||
...
|
...
|
||||||
|
|
|
@ -20,14 +20,19 @@ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||||
|
|
||||||
|
{% if openssh_allow_passwords %}
|
||||||
|
AuthenticationMethods password publickey
|
||||||
|
UsePAM yes
|
||||||
|
{% else %}
|
||||||
AuthenticationMethods publickey
|
AuthenticationMethods publickey
|
||||||
|
UsePAM no
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
TrustedUserCAKeys /etc/ssh/users_ca.pub
|
||||||
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
||||||
|
|
||||||
StrictModes yes
|
StrictModes yes
|
||||||
UsePAM no
|
PermitRootLogin without-password
|
||||||
PermitRootLogin yes
|
|
||||||
PermitUserRC no
|
PermitUserRC no
|
||||||
PermitUserEnvironment no
|
PermitUserEnvironment no
|
||||||
AllowAgentForwarding no
|
AllowAgentForwarding no
|
||||||
|
@ -43,3 +48,10 @@ UseDNS no
|
||||||
AcceptEnv LANG LC_*
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
||||||
|
|
||||||
|
AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
|
||||||
|
|
||||||
|
{% for group in openssh_whitelist_groups %}
|
||||||
|
Match group {{ group }}
|
||||||
|
AllowUsers *
|
||||||
|
{% endfor %}
|
||||||
|
|
Loading…
Reference in a new issue