From 13804dc388ccd7e8b8344de5fbbcf52395565297 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 24 Jan 2024 00:34:32 +0100
Subject: whawty/auth/store role mostly done
---
roles/whawty/auth/app/defaults/main.yml | 2 ++
roles/whawty/auth/app/tasks/main.yml | 5 +++
roles/whawty/auth/store/defaults/main.yml | 27 ++++++++++++++
roles/whawty/auth/store/tasks/main.yml | 30 ++++++++++++++++
roles/whawty/auth/store/tasks/sync-client.yml | 42 ++++++++++++++++++++++
roles/whawty/auth/store/tasks/sync-server.yml | 5 +++
.../whawty/auth/store/templates/systemd.service.j2 | 41 +++++++++++++++++++++
roles/whawty/auth/store/templates/systemd.timer.j2 | 11 ++++++
8 files changed, 163 insertions(+)
create mode 100644 roles/whawty/auth/app/defaults/main.yml
create mode 100644 roles/whawty/auth/app/tasks/main.yml
create mode 100644 roles/whawty/auth/store/defaults/main.yml
create mode 100644 roles/whawty/auth/store/tasks/main.yml
create mode 100644 roles/whawty/auth/store/tasks/sync-client.yml
create mode 100644 roles/whawty/auth/store/tasks/sync-server.yml
create mode 100644 roles/whawty/auth/store/templates/systemd.service.j2
create mode 100644 roles/whawty/auth/store/templates/systemd.timer.j2
(limited to 'roles/whawty/auth')
diff --git a/roles/whawty/auth/app/defaults/main.yml b/roles/whawty/auth/app/defaults/main.yml
new file mode 100644
index 00000000..fa188349
--- /dev/null
+++ b/roles/whawty/auth/app/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+whawty_install_pam_module: no
diff --git a/roles/whawty/auth/app/tasks/main.yml b/roles/whawty/auth/app/tasks/main.yml
new file mode 100644
index 00000000..00a02c7e
--- /dev/null
+++ b/roles/whawty/auth/app/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: install whawty app
+ apt:
+ name: "{{ ['whawty-auth'] | union(whawty_auth_install_pam_module | ternary(['libpam-whawty'], [])) }}"
+ state: present
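Review bot: The apt task in roles/whawty/auth/app/tasks/main.yml reads `whawty_auth_install_pam_module`, but the default added in roles/whawty/auth/app/defaults/main.yml is named `whawty_install_pam_module`, so with the role's own defaults the task fails on an undefined variable (or picks up an unrelated inventory variable if one happens to exist under the other name). Use one name in both files; since the role lives under `whawty/auth`, renaming the default to `whawty_auth_install_pam_module: false` looks like the intended fix. `no` is also a YAML 1.1 boolean spelling that yamllint's truthy rule rejects; `false` is the canonical form.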
diff --git a/roles/whawty/auth/store/defaults/main.yml b/roles/whawty/auth/store/defaults/main.yml
new file mode 100644
index 00000000..b8cb08b7
--- /dev/null
+++ b/roles/whawty/auth/store/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# whawty_auth_store:
+# name: foo
+# config:
+# basedir: "/var/lib/whawty/auth/foo"
+# default: 2
+# params:
+# - id: 1
+# scryptauth:
+# hmackey: "<32bytes random secret data base64-encoded>"
+# cost: 12
+# - id: 2
+# argon2id:
+# time: 1
+# memory: 65536 ## 64 MB
+# threads: 4
+# length: 32
+# permissions:
+# owner: root
+# group: foo
+# file-mode: "0640"
+# dir-mode: "0750"
+# sync:
+# type: client
+# hostname: passwd.example.com
+# port: 3022
+# user: sync
diff --git a/roles/whawty/auth/store/tasks/main.yml b/roles/whawty/auth/store/tasks/main.yml
new file mode 100644
index 00000000..72fc61b4
--- /dev/null
+++ b/roles/whawty/auth/store/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: install rsync
+ apt:
+ name: rsync
+ state: present
+
+- name: make sure config directory exists
+ file:
+ path: /etc/whawty/auth/
+ state: directory
+
+- name: create store base directory
+ file:
+ path: "{{ whawty_auth_store.config.basedir }}"
+ state: directory
+ mode: "{{ whawty_auth_store.permissions['dir-mode'] | default(omit) }}"
+ owner: "{{ whawty_auth_store.permissions.owner | default(omit) }}"
+ group: "{{ whawty_auth_store.permissions.group | default(omit) }}"
+
+- name: generate store config file
+ copy:
+ content: "{{ whawty_auth_store.config | to_nice_yaml(indent=2) }}"
+ dest: "/etc/whawty/auth/store-{{ whawty_auth_store.name }}.yml"
+ mode: "{{ whawty_auth_store.permissions['file-mode'] | default(omit) }}"
+ owner: "{{ whawty_auth_store.permissions.owner | default(omit) }}"
+ group: "{{ whawty_auth_store.permissions.group | default(omit) }}"
+
+- name: configure sync
+ when: "'sync' in whawty_auth_store"
+ include_tasks: "sync-{{ whawty_auth_store.sync.type }}.yml"
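Review bot: The `generate store config file` task writes `whawty_auth_store.config` — which, per the commented example in store/defaults/main.yml, carries the scryptauth `hmackey` secret — with `mode: … | default(omit)`, so when no `permissions` block is given the file is created with the umask-derived default mode (typically 0644) and the key becomes readable by every local user. A safe fallback, `mode: "{{ whawty_auth_store.permissions['file-mode'] | default('0640') }}"`, plus `no_log: true` on that task (the rendered content otherwise appears in verbose runs and callback logs) would close that; the same `default('0750')` fallback fits `dir-mode` on the base directory. Separately, `include_tasks: "sync-{{ whawty_auth_store.sync.type }}.yml"` builds a file name from host vars, and an `assert` that `sync.type` is one of `client`/`server` would give a clearer failure than a missing-file error.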
diff --git a/roles/whawty/auth/store/tasks/sync-client.yml b/roles/whawty/auth/store/tasks/sync-client.yml
new file mode 100644
index 00000000..106e347b
--- /dev/null
+++ b/roles/whawty/auth/store/tasks/sync-client.yml
@@ -0,0 +1,42 @@
+---
+- name: make sure sync client config directory exists
+ file:
+ path: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync"
+ state: directory
+
+- name: generate ssh config for whawty-auth store sync client
+ copy:
+ content: |
+ Host whawty-auth-server
+ Hostname {{ whawty_auth_store.sync.hostname }}
+ {% if 'port' in whawty_auth_store.sync %}
+ Port {{ whawty_auth_store.sync.port }}
+ {% endif %}
+ User {{ whawty_auth_store.sync.user }}
+ IdentityFile /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/id_ed25519
+ IdentitiesOnly yes
+ UserKnownHostsFile /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts
+ dest: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"
+
+- name: generate ssh keypair for sync client
+ openssh_keypair:
+ path: /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/id_ed25519
+ type: ed25519
+ comment: "whawty-auth-sync-{{ whawty_auth_store.name }}@{{ inventory_hostname }}"
+
+## TODO: known-hosts file...
+
+- name: install systemd units for whawty-auth store sync client
+ loop:
+ - service
+ - timer
+ template:
+ src: "systemd.{{ item }}.j2"
+ dest: "/etc/systemd/system/whawty-auth-store-sync-{{ whawty_auth_store.name }}.{{ item }}"
+
+- name: make sure whawty-auth store sync client timer is enabled and started
+ systemd:
+ daemon_reload: yes
+ name: "whawty-auth-store-sync-{{ whawty_auth_store.name }}.timer"
+ state: started
+ enabled: yes
diff --git a/roles/whawty/auth/store/tasks/sync-server.yml b/roles/whawty/auth/store/tasks/sync-server.yml
new file mode 100644
index 00000000..c4d7442f
--- /dev/null
+++ b/roles/whawty/auth/store/tasks/sync-server.yml
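Review bot: The generated ssh_config points `UserKnownHostsFile` at a file nothing in this role creates (the `## TODO: known-hosts file...` line) and never sets `StrictHostKeyChecking`; ssh's default of `ask` should fail closed in the non-interactive systemd run, but that is implicit, and because the client is started with `-F` the system-wide /etc/ssh/ssh_config is ignored, so no site policy fills the gap. Adding `StrictHostKeyChecking yes` next to `IdentitiesOnly yes` makes the sync hard-fail on an unknown or changed server key regardless of defaults, and the TODO should then be closed by a task that writes the server's host key into that known_hosts file. The `.store-<name>-sync` directory is also created without a mode; since it holds the private key, `mode: "0700"` is a cheap extra guard on top of the 0600 that ssh-keygen normally gives the key file. `daemon_reload: yes` / `enabled: yes` read better as `true`.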
@@ -0,0 +1,5 @@
+---
+## TODO: implement this
+- name: sync server not yet implemented
+ fail:
+ msg: "whawty-store sync server is not yet implemented!"
diff --git a/roles/whawty/auth/store/templates/systemd.service.j2 b/roles/whawty/auth/store/templates/systemd.service.j2
new file mode 100644
index 00000000..1081df60
--- /dev/null
+++ b/roles/whawty/auth/store/templates/systemd.service.j2
@@ -0,0 +1,41 @@
+{% set rsync_args = [] %}
+{% if 'permissions' in whawty_auth_store %}
+{% if 'file-mode' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chmod=F"~whawty_auth_store.permissions['file-mode']) %}
+{% endif %}
+{% if 'owner' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chown="~whawty_auth_store.permissions.owner~":"~whawty_auth_store.permissions.group) %}
+{% endif %}
+{% endif %}
+[Unit]
+Description=sync for whawty-auth store {{ whawty_auth_store.name }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rsync -rtpW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}'
+TimeoutStartSec=40s
+
+# systemd hardening-options
+AmbientCapabilities=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
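Review bot: The template maps `file-mode` to `--chmod=F…` but never maps `dir-mode`, so directories rsync creates below the basedir keep whatever mode the sync server sends instead of the `dir-mode` the store's permissions declare; a matching `--chmod=D…` branch closes that gap. The `--chown=` line also concatenates `permissions.group` unconditionally, which raises an undefined-variable error at template time when only `owner` is configured; rsync accepts `USER:` with an empty group, so `| default('')` keeps that case working. The rewritten argument-building lines are below; the `[Unit]`, `[Service]` and `[Install]` sections are unchanged. Since the unit runs as root, a `SystemCallFilter=@system-service` line next to the existing hardening would further bound what rsync and ssh can do, though it should be verified against the ssh client before enabling.
```jinja
{% endif %}
{% if 'dir-mode' in whawty_auth_store.permissions %}
{% set _dummy = rsync_args.append(" --chmod=D"~whawty_auth_store.permissions['dir-mode']) %}
{% endif %}
{% if 'owner' in whawty_auth_store.permissions %}
{% set _dummy = rsync_args.append(" --chown="~whawty_auth_store.permissions.owner~":"~(whawty_auth_store.permissions.group | default(''))) %}
{% endif %}
{# … unchanged: outer endif, [Unit], [Service], [Install] sections … #}
```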
diff --git a/roles/whawty/auth/store/templates/systemd.timer.j2 b/roles/whawty/auth/store/templates/systemd.timer.j2
new file mode 100644
index 00000000..603295a5
--- /dev/null
+++ b/roles/whawty/auth/store/templates/systemd.timer.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=sync for whawty-auth store {{ whawty_auth_store.name }}
+
+[Timer]
+OnBootSec=30s
+OnActiveSec=5s
+OnUnitActiveSec=1m
+AccuracySec=5s
+
+[Install]
+WantedBy=timers.target
-- cgit v1.2.3