authorChristian Pointner <equinox@spreadspace.org>2021-04-11 20:22:33 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-04-11 20:22:37 +0200
commit0243f0c83260bacbf41b60a19fe7a5b828f2141c (patch)
tree4e7e0f95d74a782d7037a0e7348ec0f5a01877b3 /roles/core/sshd
parentmove core/sshd to core/sshd/base (diff)
add core role sshd/jump
Diffstat (limited to 'roles/core/sshd')
-rw-r--r--roles/core/sshd/base/tasks/main.yml12
-rw-r--r--roles/core/sshd/jump/defaults/main.yml6
-rw-r--r--roles/core/sshd/jump/handlers/main.yml5
-rw-r--r--roles/core/sshd/jump/tasks/main.yml56
-rw-r--r--roles/core/sshd/jump/vars/Debian.yml2
-rw-r--r--roles/core/sshd/jump/vars/OpenBSD.yml2
6 files changed, 77 insertions, 6 deletions
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index d7524ef7..e5c9f6a7 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -1,11 +1,11 @@
---
- name: load os/distrubtion/version specific variables
- include_vars: "{{ item }}"
with_first_found:
- - files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"
- name: hardening ssh-server config
vars:
@@ -31,7 +31,7 @@
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers\\s"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host) | union(sshd_jump_users | default({}) | list)) }}"
insertbefore: '^### ansible core/sshd/base config barrier ###'
notify: restart ssh
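Review bot: The new AllowUsers expression guards only the undefined case: `sshd_jump_users | default({})` leaves a defined-but-null value (a bare `sshd_jump_users:` key in an inventory or vars file) untouched, and `| list` on null would then fail the hardening task, if I read the filter correctly; `default({}, true)` treats null and empty values as absent as well. Since the base role now depends on a variable owned by the jump role, a comment above the line, such as `# jump users are managed by core/sshd/jump; they must stay listed in AllowUsers`, would make the coupling visible to whoever edits either role. The hardening task continues outside the hunk.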
diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml
new file mode 100644
index 00000000..792c84a2
--- /dev/null
+++ b/roles/core/sshd/jump/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# sshd_jump_users:
+# example:
+# authorized_keys:
+# - ssh-ed25519 ....
+# - ssh-rsa ...
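Review bot: The defaults file documents `sshd_jump_users` but sets no value, so the role declares no default and the `dict2items` loops in tasks/main.yml fail when the variable is undefined. Either say in the comment that the variable is mandatory, or add `sshd_jump_users: {}` and give the `create match user configs` task a `when: sshd_jump_users | length > 0`, since an empty dict would render a `Match User` line with no pattern, which sshd rejects on restart. The example block would also read more clearly with a placeholder name in place of `example`, e.g. `#   <username>:`, so it is obvious that the keys are login names.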
diff --git a/roles/core/sshd/jump/handlers/main.yml b/roles/core/sshd/jump/handlers/main.yml
new file mode 100644
index 00000000..ea76595a
--- /dev/null
+++ b/roles/core/sshd/jump/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+ service:
+ name: "{{ sshd_service_name }}"
+ state: restarted
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
new file mode 100644
index 00000000..3403d8f8
--- /dev/null
+++ b/roles/core/sshd/jump/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: load os/distrubtion/version specific variables
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"
+
+- name: add jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ user:
+ name: "{{ item.key }}"
+ shell: /bin/false
+ home: "/nonexistent/{{ item.key }}"
+ create_home: false
+
+- name: create directory for authorized_keys
+ file:
+ path: /etc/ssh/authorized_keys.d
+ mode: 0755
+ state: directory
+
+- name: install authorized_keys file for jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
+ copy:
+ content: "{{ item.value.authorized_keys | join('\n') }}\n"
+ dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
+ mode: 0640
+ owner: root
+ group: "{{ item.key }}"
+
+- name: create match user configs
+ blockinfile:
+ marker: "# {mark} ansible core/sshd/jump"
+ block: |
+ Match User {{ sshd_jump_users | list | join(',') }}
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+ PasswordAuthentication no
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ ForceCommand /sbin/nologin
+ AllowTcpForwarding local
+ #PermitOpen any
+ PermitListen none
+ insertafter: "### ansible core/sshd/base config barrier ###"
+ dest: /etc/ssh/sshd_config
+ notify: restart ssh
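Review bot: The Match block sets `AllowTcpForwarding local` but leaves `PermitOpen` commented out, so every jump user may open a forwarded TCP connection to any address the jump host can reach; if the role is meant to proxy only to specific backends, a `PermitOpen host:port` line per backend (for example fed from a role variable) bounds that, and if unrestricted forwarding is intended, a comment next to `#PermitOpen any` saying so would record the decision. The task name on the second line repeats the `distrubtion` typo from the base role; `load os/distribution/version specific variables`. `mode: 0755` and `mode: 0640` are unquoted octal literals that YAML 1.1 parses as integers; `mode: "0755"` and `mode: "0640"` are unambiguous and are what ansible-lint expects. `shell: /bin/false` and `ForceCommand /sbin/nologin` are hard-coded paths that may not exist at those locations on OpenBSD, which the vars directory indicates the role supports, so they are worth moving into the per-OS vars files or verifying on both platforms.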
diff --git a/roles/core/sshd/jump/vars/Debian.yml b/roles/core/sshd/jump/vars/Debian.yml
new file mode 100644
index 00000000..b6875260
--- /dev/null
+++ b/roles/core/sshd/jump/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+sshd_service_name: ssh
diff --git a/roles/core/sshd/jump/vars/OpenBSD.yml b/roles/core/sshd/jump/vars/OpenBSD.yml
new file mode 100644
index 00000000..abdaf180
--- /dev/null
+++ b/roles/core/sshd/jump/vars/OpenBSD.yml
@@ -0,0 +1,2 @@
+---
+sshd_service_name: sshd