path: root/roles/core/sshd/jump/tasks/main.yml
blob: 59cb4f6607c5ccf6cbe49896f3f058b31c7c0fcf (plain) (blame)
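---
# Provision restricted "jump" accounts: no shell, no home directory, key-only
# authentication, and a per-user sshd `Match User` block that limits what the
# session is allowed to do (no TTY, no agent/X11/tunnel, forwarding only).
#
# Expects `sshd_jump_users` as a mapping of username -> settings, where each
# value carries `authorized_keys` (list of public-key lines) and optionally
# `tcp_forwarding`, `permit_open` and `permit_listen`.

- name: load os/distribution/version specific variables
  # first_found returns the most specific vars file that exists; without
  # `skip: true` the task fails when none of the candidates is present,
  # which is the intended behaviour here (a missing vars file is an error).
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
  include_vars: "{{ item }}"

- name: add jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  user:
    name: "{{ item.key }}"
    # No interactive login: the account exists only as an sshd identity.
    shell: /bin/false
    # HOME points at a path that is never created; sshd reads the keys from
    # /etc/ssh/authorized_keys.d instead (see the Match block below).
    home: "/nonexistent/{{ item.key }}"
    create_home: false

- name: create directory for authorized_keys
  file:
    path: /etc/ssh/authorized_keys.d
    # Quoted so the YAML parser hands Ansible a string rather than an
    # integer whose value depends on YAML 1.1 vs 1.2 octal handling.
    mode: "0755"
    # sshd StrictModes rejects key files whose parent directory is writable
    # by anyone other than root or the user; pin root ownership explicitly.
    owner: root
    group: root
    state: directory

- name: install authorized_keys file for jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
  copy:
    # Double quotes are required: '\n' must become a real newline here.
    content: "{{ item.value.authorized_keys | join('\n') }}\n"
    dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
    # root-owned and not writable by the jump user, so the user cannot add
    # keys to their own account; group read lets sshd's StrictModes check
    # pass while still keeping the file private to root + that user.
    mode: "0640"
    owner: root
    group: "{{ item.key }}"

- name: create match user configs
  # sshd applies everything after a `Match` line until the next `Match`, so
  # the barrier marker must be the last non-Match directive in sshd_config;
  # any global option placed after it would silently become per-user.
  # PermitOpen defaults to `any`: set `permit_open` per user to restrict the
  # hosts a jump account may forward to.
  blockinfile:
    marker: "# {mark} ansible core/sshd/jump"
    block: |
      {% for name, config in sshd_jump_users.items() %}
      Match User {{ name }}
        AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
        PasswordAuthentication no
        PermitTTY no
        X11Forwarding no
        PermitTunnel no
        GatewayPorts no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        ForceCommand /sbin/nologin
        AllowTcpForwarding {{ config.tcp_forwarding | default('local') }}
        PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
        PermitListen {{ config.permit_listen | default(['none']) | list | join(' ') }}
      {%   if not loop.last %}

      {%   endif %}
      {% endfor %}
    insertafter: "### ansible core/sshd/base config barrier ###"
    path: /etc/ssh/sshd_config
    # Syntax-check the rendered file before it replaces sshd_config; a bad
    # Match block followed by `restart ssh` would otherwise lock us out.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh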