
new features: control OS users, create ssh tunnels

master
Vladimir Smagin 2 years ago
parent
commit
32b9c057d6
7 changed files with 104 additions and 7 deletions
  1. +11
    -6
      group_vars/hetzner-nodes.yml
  2. +3
    -1
      group_vars/hetzner.yml
  3. +18
    -0
      host_vars/monitor.yml
  4. +3
    -0
      roles/python2/tasks/main.yml
  5. +21
    -0
      roles/ssh_access/tasks/main.yml
  6. +22
    -0
      roles/ssh_tunnel/tasks/main.yml
  7. +26
    -0
      roles/ssh_tunnel/templates/ssh_tunnel.service.j2

+ 11
- 6
group_vars/hetzner-nodes.yml View File

@@ -3,15 +3,20 @@

access_list:
git: { keypath: "../keys/project-git.pub", username: "root" }
dev1: { keypath: "../keys/developer1.pub", username: "root" }
dev2: { keypath: "../keys/developer2.pub", username: "root" }
dev1: { keypath: "../keys/developer1.pub", username: "developer" }
dev2: { keypath: "../keys/developer2.pub", username: "developer" }
# disable fired employer
dev3: { keypath: "../keys/developer3.pub", username: "developer", key_state: "absent" }
# remove user from OS, no managers on servers! fuck them all!
dumb_manager: { keypath: "../keys/manager.pub", username: "manager", state: "absent" }


# use non-standart sshd config
# Set path to sshd config
# Default: /etc/ssh/sshd_config
sshd_config_path: "/var/local/etc/ssh/sshd_config"


# allow password auth instead of defaults
# Here you can change sshd parameters
# change defaults here roles/ssh_config/defaults/main.yml
sshd_options:

# allow password auth instead of defaults
PasswordAuthentication: "yes"
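Review bot: `dev3` is disabled with `key_state: "absent"` while `dumb_manager` is removed with `state: "absent"`, and the only field the ssh_access task hunk in this commit visibly reads is `item.value.state` (for the OS account), so it is not clear from the data alone that `key_state` is honoured anywhere; a comment above the list such as `# state: OS account lifecycle (user module); key_state: authorized key only` would pin down the contract, assuming the authorized-key task outside this view does read `key_state`. `PasswordAuthentication: "yes"` re-enables password logins on nodes whose access is otherwise key-based, and the two identical "allow password auth" comments above it do not say why; replace them with one comment stating the reason and the accounts that need it. Whether or not that line is new in this commit, the `developer` accounts created here become password-capable by it, so the justification belongs next to the setting.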

+ 3
- 1
group_vars/hetzner.yml View File

@@ -1,6 +1,8 @@
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }
# set username comment and shell
techguy: { keypath: "../keys/techguy.pub", username: "root", comment: "noodle", shell: "/bin/zsh" }
interserver: { keypath: "../keys/interserver.pub", username: "root" }

secret_list:
interserver: { keypath: "../keys/interserver.pem", username: "root" }

+ 18
- 0
host_vars/monitor.yml View File

@@ -1,3 +1,21 @@
access_list:
admin: { keypath: "../keys/admin.pub", username: "root" }
techguy: { keypath: "../keys/techguy.pub", username: "root" }

# key requied by ssh tunnel
secret_list:
interserver: { keypath: "../keys/interserver.pem", username: "tunneluser" }

# You can get fingerprint by simple command:
# ssh-keyscan blindage.org

ssh_tunnels:
CLICKHOUSE8123:
SSH_TUNNEL_LOCAL_HOST: "127.0.0.1"
SSH_TUNNEL_LOCAL_PORT: 8123
SSH_TUNNEL_REMOTE_USER: "tunneluser"
SSH_TUNNEL_REMOTE_HOST: "database.myserver.ru"
SSH_TUNNEL_REMOTE_HOST_FINGERPRINT: "|1|yt/vdfskjgklfjlLKJLKJKJLlkjldksjfjuxzngXn5B3cxKltgMGrN2U= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyfgdfkjlkjLKJLKJLKJLKJLKJJKTUOIWPEORIOPopopiuopiuxdfyG/h9FpdfLZudbGkPdhDdXRZGKKuGl4koqki/XdT1LbQ="
SSH_TUNNEL_REMOTE_PORT: 8123
SSH_TUNNEL_KEY: "/home/tunneluser/.ssh/interserver.pem"

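Review bot: The comment explaining how to obtain `SSH_TUNNEL_REMOTE_HOST_FINGERPRINT` gives `ssh-keyscan blindage.org`, but the entry pins `database.myserver.ru`, and the stored value is a hashed `|1|…` known_hosts line, which plain `ssh-keyscan` does not emit; the comment should read `# ssh-keyscan -H database.myserver.ru` (or name whichever host is being pinned) so the next person produces a line of the same form. It would also help to say that keyscan output is trust-on-first-use: the fingerprint should be compared against one read on the database host itself (e.g. `ssh-keygen -lf` on its host key) before it is committed, otherwise the pin only certifies whoever answered at scan time. `SSH_TUNNEL_LOCAL_PORT: 8123` is a bare integer while the other values are quoted strings; both render identically into the unit template, but quoting it keeps the mapping uniform.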

+ 3
- 0
roles/python2/tasks/main.yml View File

@@ -5,3 +5,6 @@
- name: Install python pip
apt: name=python-pip state=present

- name: Install python python-setuptools
apt: name=python-setuptools state=present

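Review bot: The new `Install python python-setuptools` task uses key=value module arguments, `apt: name=python-setuptools state=present`, where Ansible style is block YAML: `apt:` / `name: python-setuptools` / `state: present`. The task name also repeats "python"; `Install python-setuptools` matches the pip task's wording. If the pip task above is reworked at the same time, both packages can go into one `apt` task with a list under `name:`.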

+ 21
- 0
roles/ssh_access/tasks/main.yml View File

@@ -1,4 +1,25 @@
---

- name: Keys you want to set
debug:
msg: "{{item}}"
with_dict: "{{ access_list }}"
when: access_list != None and access_list is defined

- name: Set user parameters
become: true
user:
name: "{{ item.value.username }}"
comment: "{{ item.value.text | default(omit) }}"
shell: "{{ item.value.shell | default(omit) }}"
home: "{{ item.value.home | default(omit) }}"
state: "{{ item.value.state | default('present') }}"
register: user_result
with_dict: "{{ access_list }}"
when: access_list != None and access_list is defined

- debug: msg="{{user_result}}"

- name: Set authorized keys
become: true
become_user: "{{ item.value.username }}"
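Review bot: `comment: "{{ item.value.text | default(omit) }}"` reads a key named `text`, but the data this commit adds in group_vars/hetzner.yml (`techguy`) sets `comment: "noodle"`, so the comment is silently omitted; change it to `comment: "{{ item.value.comment | default(omit) }}"`. The `when:` clause tests `access_list != None` before `access_list is defined`; with Ansible's strict undefined handling the comparison can raise before the definedness test runs, so write `when: access_list is defined and access_list != None`. `state: absent` on the `user` module leaves the home directory, and any `authorized_keys` inside it, in place unless `remove: true` is set, so the `dumb_manager` removal configured on hetzner-nodes is only partial. The `Set authorized keys` task continues outside the hunk; its `become_user: "{{ item.value.username }}"` runs for every entry, including ones whose account the previous task just removed, which will fail unless that task is skipped for `state: absent` entries.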


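--- a/roles/ssh_tunnel/tasks/main.yml
+++ b/roles/ssh_tunnel/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Copy ssh tunnel files
+template:
+src: ssh_tunnel.service.j2
+dest: /etc/systemd/system/ssh_tunnel_{{item.key}}.service
+with_dict: "{{ssh_tunnels}}"
+
+- name: Add remote host to known_hosts file
+known_hosts:
+path: /root/.ssh/known_hosts
+key: "{{item.value.SSH_TUNNEL_REMOTE_HOST_FINGERPRINT}}"
+name: "{{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+with_dict: "{{ssh_tunnels}}"
+
+- name: Try to start ssh tunnel
+systemd:
+name: "ssh_tunnel_{{item.key}}"
+state: restarted
+daemon_reload: yes
+enabled: yes
+with_dict: "{{ssh_tunnels}}"
+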
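Review bot: `state: restarted` in the `Try to start ssh tunnel` task tears every tunnel down on each playbook run, even when neither the unit template nor the known_hosts entry changed; use `state: started` here and have the `Copy ssh tunnel files` task `notify` a restart handler so tunnels only bounce on change. `daemon_reload: yes` and `enabled: yes` should be the booleans `true`/`true`, avoiding the YAML 1.1/1.2 truthy ambiguity. The host key is pinned into `/root/.ssh/known_hosts` because the unit runs ssh as root, while the private key it uses sits under `/home/tunneluser/.ssh/`; if the service is later given `User=tunneluser`, the `path:` here has to move with it, so a comment tying the two together would help. `with_dict: "{{ssh_tunnels}}"` fails on any host where the variable is undefined; the `access_list` tasks guard this with `is defined`, and this role should do the same.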
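--- a/roles/ssh_tunnel/templates/ssh_tunnel.service.j2
+++ b/roles/ssh_tunnel/templates/ssh_tunnel.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=SSH tunnel to {{item.key}}
+Documentation=man:ssh(1)
+Wants=ssh-agent.service
+After=network.target ssh.service
+
+[Service]
+Type=simple
+
+Environment="LOCAL_ADDR={{item.value.SSH_TUNNEL_LOCAL_HOST}}"
+Environment="LOCAL_PORT={{item.value.SSH_TUNNEL_LOCAL_PORT}}"
+Environment="REMOTE_USER={{item.value.SSH_TUNNEL_REMOTE_USER}}"
+Environment="REMOTE_HOST={{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+Environment="REMOTE_PORT={{item.value.SSH_TUNNEL_REMOTE_PORT}}"
+
+ExecStart=/usr/bin/ssh -t -NT -i {{item.value.SSH_TUNNEL_KEY}} \
+-o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
+-L ${LOCAL_PORT}:${LOCAL_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
+
+RestartSec=10
+Restart=on-success
+RestartForceExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+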
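Review bot: `-t` in the `ExecStart` line is contradicted by the `-T` inside `-NT`; ssh applies options left to right, so the later `-T` wins and `-t` is dead text that misleads readers — drop it, leaving `ExecStart=/usr/bin/ssh -NT -i {{item.value.SSH_TUNNEL_KEY}} \`. The known_hosts pin added by the role only protects the session if ssh refuses unknown or changed keys, so add `-o StrictHostKeyChecking=yes` rather than relying on whatever the system ssh_config defaults to. In `-L ${LOCAL_PORT}:${LOCAL_ADDR}:${REMOTE_PORT}` the listener binds to ssh's default (loopback) address and `LOCAL_ADDR` is the forwarding destination as resolved on `REMOTE_HOST`, which the variable name `SSH_TUNNEL_LOCAL_HOST` does not convey; a comment such as `# LOCAL_ADDR is the target reached from REMOTE_HOST, not the local bind address` would stop someone from "binding" to another interface by editing it. The unit has no `User=`, so the tunnel runs as root although its key lives under `/home/tunneluser/.ssh/`; running it as that account (and pointing the known_hosts task at its home) would match the privilege to the job.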