From fa8ab1026ee131ab8d68808bd7ebab3c5657f5bb Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 24 Jan 2024 15:09:06 +0100 Subject: whawty/auth/store: fix permission handling and add know-hosts file --- inventory/host_vars/ch-testvm-prometheus.yml | 26 ++++++++++++++++++++++ roles/whawty/auth/store/tasks/sync-client.yml | 5 ++++- .../whawty/auth/store/templates/systemd.service.j2 | 2 +- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml index 415e6774..91a55830 100644 --- a/inventory/host_vars/ch-testvm-prometheus.yml +++ b/inventory/host_vars/ch-testvm-prometheus.yml @@ -35,3 +35,29 @@ network: - *_network_primary_ ntp_variant: systemd-timesyncd + + + +### +whawty_auth_store: + name: foo + config: + basedir: "/var/lib/whawty/auth/foo" + default: 1 + params: + - id: 1 + argon2id: + time: 1 + memory: 65536 ## 64 MB + threads: 4 + length: 32 + permissions: + owner: root + group: foo + file-mode: "0640" + dir-mode: "0750" + sync: + type: client + hostname: 192.168.32.1 + port: 3022 + user: sync diff --git a/roles/whawty/auth/store/tasks/sync-client.yml b/roles/whawty/auth/store/tasks/sync-client.yml index 106e347b..92657312 100644 --- a/roles/whawty/auth/store/tasks/sync-client.yml +++ b/roles/whawty/auth/store/tasks/sync-client.yml @@ -24,7 +24,10 @@ type: ed25519 comment: "whawty-auth-sync-{{ whawty_auth_store.name }}@{{ inventory_hostname }}" -## TODO: known-hosts file... +- name: generate known_hosts file + shell: "ssh-keyscan{% if 'port' in whawty_auth_store.sync %} -p {{ whawty_auth_store.sync.port }}{% endif %} {{ whawty_auth_store.sync.hostname }} > /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts" + args: + creates: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts" - name: install systemd units for whawty-auth store sync client loop: 
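Review bot: The `ssh-keyscan ... > .../known_hosts` task in sync-client.yml accepts whatever host key the address in `whawty_auth_store.sync.hostname` answers with on the first run, with nothing the operator controls to compare it against, and `creates:` then freezes that result permanently; a transient failure has the same effect, because ssh-keyscan reports an unreachable host on stderr and, as far as I can tell, still exits 0, so the redirect leaves an empty known_hosts that is never regenerated. Since the inventory hunk in ch-testvm-prometheus.yml already records `hostname` and `port` for the sync server, the server's public host key can be pinned there as well (a new `host_key` value next to them) and written with the `known_hosts` module, which removes both the shell redirect and the network-dependent scan at provisioning time. If keyscan has to stay as a fallback, the task should at least fail when the resulting file is empty instead of hiding that behind `creates:`.
```yaml
- name: install known_hosts file for whawty-auth store sync client
  known_hosts:
    path: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts"
    name: "{{ sync_known_hosts_name }}"
    # host_key is a new inventory value to add next to hostname/port (placeholder here):
    # the server's public host key, e.g. "ssh-ed25519 AAAA..."
    key: "{{ sync_known_hosts_name }} {{ whawty_auth_store.sync.host_key }}"
  vars:
    sync_known_hosts_name: "{% if 'port' in whawty_auth_store.sync %}[{{ whawty_auth_store.sync.hostname }}]:{{ whawty_auth_store.sync.port }}{% else %}{{ whawty_auth_store.sync.hostname }}{% endif %}"
```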
diff --git a/roles/whawty/auth/store/templates/systemd.service.j2 b/roles/whawty/auth/store/templates/systemd.service.j2 index 1081df60..5b1db6b2 100644 --- a/roles/whawty/auth/store/templates/systemd.service.j2 +++ b/roles/whawty/auth/store/templates/systemd.service.j2 @@ -12,7 +12,7 @@ Description=sync for whawty-auth store {{ whawty_auth_store.name }} [Service] Type=oneshot -ExecStart=/usr/bin/rsync -rtpW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}' +ExecStart=/usr/bin/rsync -rtW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}' TimeoutStartSec=40s # systemd hardening-options -- cgit v1.2.3
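Review bot: Dropping `-p` from the rsync flags means the mode of every file the sync creates is now decided on the receiving side by the unit's umask, and nothing in this hunk pins that, so the outcome depends on whether the hardening section below (outside the hunk) sets `UMask=`. If the intent is that the store's own `permissions` settings (`file-mode`/`dir-mode` in the inventory hunk) are authoritative, record that in the template, e.g. `# no -p: modes are not taken from the server but applied locally` above the ExecStart line, and consider stating the modes explicitly with `--chmod=` rather than relying on the umask. Whether whawty-auth itself re-applies those modes after a sync is not visible here.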