From 0243f0c83260bacbf41b60a19fe7a5b828f2141c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 11 Apr 2021 20:22:33 +0200
Subject: add core role sshd/jump
---
 roles/core/sshd/jump/tasks/main.yml | 56 +++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 roles/core/sshd/jump/tasks/main.yml
(limited to 'roles/core/sshd/jump/tasks')
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
new file mode 100644
index 00000000..3403d8f8
--- /dev/null
+++ b/roles/core/sshd/jump/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: load os/distrubtion/version specific variables
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"
+
+- name: add jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ user:
+ name: "{{ item.key }}"
+ shell: /bin/false
+ home: "/nonexistent/{{ item.key }}"
+ create_home: false
+
+- name: create directory for authorized_keys
+ file:
+ path: /etc/ssh/authorized_keys.d
+ mode: 0755
+ state: directory
+
+- name: install authorized_keys file for jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
+ copy:
+ content: "{{ item.value.authorized_keys | join('\n') }}\n"
+ dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
+ mode: 0640
+ owner: root
+ group: "{{ item.key }}"
+
+- name: create match user configs
+ blockinfile:
+ marker: "# {mark} ansible core/sshd/jump"
+ block: |
+ Match User {{ sshd_jump_users | list | join(',') }}
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+ PasswordAuthentication no
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ ForceCommand /sbin/nologin
+ AllowTcpForwarding local
+ #PermitOpen any
+ PermitListen none
+ insertafter: "### ansible core/sshd/base config barrier ###"
+ dest: /etc/ssh/sshd_config
+ notify: restart ssh
-- cgit v1.2.3
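Review bot: The blockinfile task at the end of the hunk edits /etc/ssh/sshd_config and notifies a restart without validating the rendered file, so a bad render (for example an empty `sshd_jump_users`, which leaves `Match User` with no argument and makes sshd reject the config) is only noticed when the daemon fails to come back. Adding `validate: /usr/sbin/sshd -t -f %s` to that task lets Ansible reject the block before it touches the live config, and `when: sshd_jump_users | length > 0` on the same task would cover the empty case. The two file modes are unquoted octal (`mode: 0755`, `mode: 0640`); Ansible accepts the leading-zero form, but quoting them (`mode: "0755"`, `mode: "0640"`) avoids the YAML 1.1/1.2 integer ambiguity that ansible-lint flags. `PermitOpen` is left at its default, so jump users can forward to any address this host can reach; if the set of destinations is known, driving a `PermitOpen` line from a role variable would narrow that. The first task's name also has a typo ("distrubtion").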