From 83e27ac758c38ffd9931ef8830e0256e772e5881 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 12 Jan 2019 03:30:30 +0100 Subject: added dyndns client role --- roles/dyndns/client/tasks/main.yml | 60 +++++++++++++++++++++++++ roles/dyndns/client/templates/dyndns.service.j2 | 19 ++++++++ roles/dyndns/client/templates/dyndns.timer.j2 | 8 ++++ roles/dyndns/client/templates/ssh_config.j2 | 6 +++ 4 files changed, 93 insertions(+) create mode 100644 roles/dyndns/client/tasks/main.yml create mode 100644 roles/dyndns/client/templates/dyndns.service.j2 create mode 100644 roles/dyndns/client/templates/dyndns.timer.j2 create mode 100644 roles/dyndns/client/templates/ssh_config.j2 (limited to 'roles/dyndns/client') diff --git a/roles/dyndns/client/tasks/main.yml b/roles/dyndns/client/tasks/main.yml new file mode 100644 index 00000000..81f74936 --- /dev/null +++ b/roles/dyndns/client/tasks/main.yml 
@@ -0,0 +1,60 @@ +--- +- name: create user for dyndns + user: + name: dyndns + home: /var/lib/dyndns + system: yes + shell: /bin/false + generate_ssh_key: yes + ssh_key_type: ed25519 + ssh_key_comment: "dyndns@{{ host_name }}.{{ host_domain }}" + register: dyndns_user + +- name: install ssh key on server + delegate_to: "{{ dyndns_server }}" + lineinfile: + path: /var/lib/dyndns/.ssh/authorized_keys + mode: 0600 + regexp: 'command="/usr/local/bin/dyndns.py {{ dyndns_client_name }}"' + line: 'no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,no-user-rc,command="/usr/local/bin/dyndns.py {{ dyndns_client_name }}" {{ dyndns_user.ssh_public_key }}' + +- name: install ssh config + template: + src: ssh_config.j2 + dest: /var/lib/dyndns/.ssh/config + owner: dyndns + group: dyndns + + + ## TODO: fix me!!! +- name: hack to make known_hosts work (1/2) + command: "ssh-keyscan -p {{ hostvars[dyndns_server].ansible_port }} {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}" + args: + creates: /var/lib/dyndns/.ssh/known_hosts + changed_when: False + check_mode: False + register: dyndns_ssh_keyscan + +- name: hack to make known_hosts work (1/2) + copy: + content: "{{ dyndns_ssh_keyscan.stdout }}" + dest: /var/lib/dyndns/.ssh/known_hosts + owner: dyndns + group: dyndns + # fix me + + +- name: install systemd uints + template: + src: "dyndns.{{ item }}.j2" + dest: "/etc/systemd/system/dyndns.{{ item }}" + with_items: + - service + - timer + +- name: make sure the systemd timer is enabled and running + systemd: + daemon_reload: yes + name: dyndns.timer + enabled: yes + state: started diff --git a/roles/dyndns/client/templates/dyndns.service.j2 b/roles/dyndns/client/templates/dyndns.service.j2 new file mode 100644 index 00000000..31a430ee --- /dev/null +++ b/roles/dyndns/client/templates/dyndns.service.j2 
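Review bot: The two known_hosts tasks at the end of the hunk break on the second playbook run: `ssh-keyscan` is skipped by `creates:` once the file exists, but the unguarded `copy` still writes `{{ dyndns_ssh_keyscan.stdout }}` — which at that point is the "skipped, since … exists" message or an empty string, depending on the Ansible version — over the real host key, so every later `ssh` from the timer fails host verification. The scan is also trust-on-first-use over the network: whoever can sit in the path during the first provisioning run gets a permanently pinned host key on the client. Since the play already has access to the server through `delegate_to`, read the server's own host public key there and pin it with the `known_hosts` module, which is idempotent and needs neither the `creates:` guard nor a network scan; while in there, name the second task `2/2` instead of repeating `1/2`, and quote `mode: "0600"` so YAML does not parse it as an octal integer. The host key path below is an assumption — adjust it to the key type the server actually serves.

```yaml
# … unchanged: create user / authorized_keys / ssh_config tasks …
- name: read the dyndns server host key
  command: cat /etc/ssh/ssh_host_ed25519_key.pub   # TODO confirm key type/path on the server
  delegate_to: "{{ dyndns_server }}"
  changed_when: false
  check_mode: false
  register: dyndns_server_hostkey

- name: pin the dyndns server host key for the dyndns user
  vars:
    dyndns_server_fqdn: "{{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}"
    dyndns_server_port: "{{ hostvars[dyndns_server].ansible_port }}"
    # ssh only uses the [host]:port form for non-default ports
    dyndns_server_knownhost: "{{ '[%s]:%s' % (dyndns_server_fqdn, dyndns_server_port) if dyndns_server_port | int != 22 else dyndns_server_fqdn }}"
  known_hosts:
    path: /var/lib/dyndns/.ssh/known_hosts
    name: "{{ dyndns_server_knownhost }}"
    key: "{{ dyndns_server_knownhost }} {{ dyndns_server_hostkey.stdout }}"
    state: present

- name: make sure the dyndns user owns its known_hosts
  file:
    path: /var/lib/dyndns/.ssh/known_hosts
    owner: dyndns
    group: dyndns
    mode: "0644"
# … unchanged: systemd unit tasks …
```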
@@ -0,0 +1,19 @@
+[Unit]
+Description=Update dyndns using {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }} {{ dyndns_client_name }}
+User=dyndns
+Group=dyndns
+Nice=19
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/roles/dyndns/client/templates/dyndns.timer.j2 b/roles/dyndns/client/templates/dyndns.timer.j2
new file mode 100644
index 00000000..c5a08c8d
--- /dev/null
+++ b/roles/dyndns/client/templates/dyndns.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Trigger dyndns updates
+
+[Timer]
+OnCalendar=*:1/3
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/dyndns/client/templates/ssh_config.j2 b/roles/dyndns/client/templates/ssh_config.j2
new file mode 100644
index 00000000..fd15bc49
--- /dev/null
+++ b/roles/dyndns/client/templates/ssh_config.j2
@@ -0,0 +1,6 @@
+Host {{ hostvars[dyndns_server].host_name }}.{{ hostvars[dyndns_server].host_domain }}
+ Port {{ hostvars[dyndns_server].ansible_port }}
+ User {{ hostvars[dyndns_server].user | default('dyndns') }}
+ IdentityFile {{ dyndns_user.ssh_key_file }}
+ IdentitiesOnly yes
+ PasswordAuthentication no
-- cgit v1.2.3
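Review bot: `CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE` keeps two capabilities this unit never needs — it only runs `ssh` as the unprivileged `dyndns` user, which cannot exercise them anyway — so the line advertises a privilege that serves no purpose; `CapabilityBoundingSet=` (empty) states the intent precisely and removes the question. A `Type=oneshot` service with no timeout can also pin an `ssh` that stalls on a half-open connection, and the timer cannot trigger another run until it exits; add `TimeoutStartSec=2min`. Since nothing here is interactive, the remaining cheap sandboxing is worth adding too: `SystemCallFilter=@system-service`, `RestrictNamespaces=yes`, `LockPersonality=yes`, `ProtectKernelModules=yes`.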
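Review bot: `User {{ hostvars[dyndns_server].user | default('dyndns') }}` in the ssh_config hunk looks inconsistent with how the key is installed: the tasks write the public key to `/var/lib/dyndns/.ssh/authorized_keys` unconditionally, so if the server defines a `user` variable (it reads like a generic login user rather than a dyndns-specific setting) the client would log in as that user and fail key authentication; unless the variable is known to be dyndns-specific, plain `User dyndns` is the only value that matches the server side. The stanza should also make host verification explicit and bound the connection, `StrictHostKeyChecking yes` and `ConnectTimeout 30`, so a missing or changed `known_hosts` entry fails loudly instead of falling into the default "ask" prompt, and a stalled server does not hang the oneshot service behind the timer.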