From 0243f0c83260bacbf41b60a19fe7a5b828f2141c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 11 Apr 2021 20:22:33 +0200
Subject: add core role sshd/jump
---
 roles/core/sshd/base/tasks/main.yml | 12 ++++----
 roles/core/sshd/jump/defaults/main.yml | 6 ++++
 roles/core/sshd/jump/handlers/main.yml | 5 +++
 roles/core/sshd/jump/tasks/main.yml | 56 ++++++++++++++++++++++++++++++++++
 roles/core/sshd/jump/vars/Debian.yml | 2 ++
 roles/core/sshd/jump/vars/OpenBSD.yml | 2 ++
 6 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 roles/core/sshd/jump/defaults/main.yml
 create mode 100644 roles/core/sshd/jump/handlers/main.yml
 create mode 100644 roles/core/sshd/jump/tasks/main.yml
 create mode 100644 roles/core/sshd/jump/vars/Debian.yml
 create mode 100644 roles/core/sshd/jump/vars/OpenBSD.yml
(limited to 'roles/core/sshd')
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
index d7524ef7..e5c9f6a7 100644
--- a/roles/core/sshd/base/tasks/main.yml
+++ b/roles/core/sshd/base/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 - name: load os/distrubtion/version specific variables
- include_vars: "{{ item }}"
 with_first_found:
- - files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"

 - name: hardening ssh-server config
 vars:
@@ -31,7 +31,7 @@
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^AllowUsers\\s"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host) | union(sshd_jump_users | default({}) | list)) }}"
 insertbefore: '^### ansible core/sshd/base config barrier ###'
 notify: restart ssh
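Review bot: `sshd_jump_users | default({})` on the new AllowUsers line only catches the variable being undefined; if a host or group vars file sets `sshd_jump_users:` with no value, the null passes through and `| list` fails the template, which aborts the hardening task on that host. `default({}, true)` treats an empty value as undefined as well: `| union(sshd_jump_users | default({}, true) | list)) }}"`. The base role now also reads a variable owned by the jump role and nothing in this hunk says so; a comment above the task such as `# sshd_jump_users is defined by core/sshd/jump; hosts without that role get an empty set` would make the coupling visible. The enclosing `hardening ssh-server config` task starts before this hunk.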
diff --git a/roles/core/sshd/jump/defaults/main.yml b/roles/core/sshd/jump/defaults/main.yml
new file mode 100644
index 00000000..792c84a2
--- /dev/null
+++ b/roles/core/sshd/jump/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# sshd_jump_users:
+# example:
+# authorized_keys:
+# - ssh-ed25519 ....
+# - ssh-rsa ...
diff --git a/roles/core/sshd/jump/handlers/main.yml b/roles/core/sshd/jump/handlers/main.yml
new file mode 100644
index 00000000..ea76595a
--- /dev/null
+++ b/roles/core/sshd/jump/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+ service:
+ name: "{{ sshd_service_name }}"
+ state: restarted
diff --git a/roles/core/sshd/jump/tasks/main.yml b/roles/core/sshd/jump/tasks/main.yml
new file mode 100644
index 00000000..3403d8f8
--- /dev/null
+++ b/roles/core/sshd/jump/tasks/main.yml
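Review bot: The new `restart ssh` handler reuses the name the base role's tasks already notify (the base handler itself is not in this diff), and Ansible handler names share one namespace, so on a host that runs both roles which of the two handlers fires on a notification presumably depends on definition order and on the Ansible version rather than on the role that notified it. If the jump role is always applied together with base, the jump tasks could notify the base handler and this file could be dropped; otherwise a distinct name such as `restart ssh (jump)`, used consistently in the jump tasks, avoids the ambiguity. The `sshd_service_name` lookup is likewise duplicated from base through this role's own vars/Debian.yml and vars/OpenBSD.yml, which is fine but worth a one-line comment in the handler, e.g. `# sshd_service_name comes from vars/Debian.yml or vars/OpenBSD.yml, loaded by tasks/main.yml`.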
@@ -0,0 +1,56 @@
+---
+- name: load os/distrubtion/version specific variables
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"
+
+- name: add jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ user:
+ name: "{{ item.key }}"
+ shell: /bin/false
+ home: "/nonexistent/{{ item.key }}"
+ create_home: false
+
+- name: create directory for authorized_keys
+ file:
+ path: /etc/ssh/authorized_keys.d
+ mode: 0755
+ state: directory
+
+- name: install authorized_keys file for jump users
+ loop: "{{ sshd_jump_users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
+ copy:
+ content: "{{ item.value.authorized_keys | join('\n') }}\n"
+ dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
+ mode: 0640
+ owner: root
+ group: "{{ item.key }}"
+
+- name: create match user configs
+ blockinfile:
+ marker: "# {mark} ansible core/sshd/jump"
+ block: |
+ Match User {{ sshd_jump_users | list | join(',') }}
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+ PasswordAuthentication no
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ ForceCommand /sbin/nologin
+ AllowTcpForwarding local
+ #PermitOpen any
+ PermitListen none
+ insertafter: "### ansible core/sshd/base config barrier ###"
+ dest: /etc/ssh/sshd_config
+ notify: restart ssh
diff --git a/roles/core/sshd/jump/vars/Debian.yml b/roles/core/sshd/jump/vars/Debian.yml
new file mode 100644
index 00000000..b6875260
--- /dev/null
+++ b/roles/core/sshd/jump/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+sshd_service_name: ssh
diff --git a/roles/core/sshd/jump/vars/OpenBSD.yml b/roles/core/sshd/jump/vars/OpenBSD.yml
new file mode 100644
index 00000000..abdaf180
--- /dev/null
+++ b/roles/core/sshd/jump/vars/OpenBSD.yml
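Review bot: The `create match user configs` task rewrites /etc/ssh/sshd_config and notifies `restart ssh` without checking the result, so a rejected block (for example `Match User` rendered with an empty `sshd_jump_users`, which leaves the directive without a pattern) would restart sshd into a failed state on the host that is the entry point to everything behind it; adding `validate: "/usr/sbin/sshd -t -f %s"` next to `dest:` makes blockinfile refuse the edit instead (the sshd path per OS is to be confirmed and could live in the vars files alongside `sshd_service_name`). The file modes should be quoted strings, `mode: "0755"` and `mode: "0640"`, so the YAML loader does not hand Ansible a decimal integer; ansible-lint flags the unquoted form as well. There is no de-provisioning path: an account dropped from `sshd_jump_users` keeps its user and its file under /etc/ssh/authorized_keys.d even though the AllowUsers line and the Match block stop naming it, which leaves stale keys on the jump host; a cleanup loop with `state: absent` over the existing entries of that directory, or at least a comment on the task stating that removal is manual, would be worth adding. The `copy` task's `group: "{{ item.key }}"` assumes the `user` task created a same-named primary group, which presumably holds for the usual Debian and OpenBSD defaults but is not set explicitly here.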
@@ -0,0 +1,2 @@
+---
+sshd_service_name: sshd
-- cgit v1.2.3