
new features: control OS users, create ssh tunnels

Vladimir Smagin 1 month ago
parent
commit
32b9c057d6

+ 11
- 6
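--- a/group_vars/hetzner-nodes.yml
+++ b/group_vars/hetzner-nodes.yml
@@ -3,15 +3,20 @@
 
 access_list:
   git: { keypath: "../keys/project-git.pub", username: "root" }
-  dev1: { keypath: "../keys/developer1.pub", username: "root" }
-  dev2: { keypath: "../keys/developer2.pub", username: "root" }
+  dev1: { keypath: "../keys/developer1.pub", username: "developer" }
+  dev2: { keypath: "../keys/developer2.pub", username: "developer" }
+  # disable fired employer
+  dev3: { keypath: "../keys/developer3.pub", username: "developer", key_state: "absent" }
+  # remove user from OS, no managers on servers! fuck them all!
+  dumb_manager: { keypath: "../keys/manager.pub", username: "manager", state: "absent" }
 
-
-# use non-standart sshd config
+# Set path to sshd config
+# Default: /etc/ssh/sshd_config
 sshd_config_path: "/var/local/etc/ssh/sshd_config"
 
-
-# allow password auth instead of defaults
+# Here you can change sshd parameters
 # change defaults here roles/ssh_config/defaults/main.yml
 sshd_options:
+
+  # allow password auth instead of defaults
   PasswordAuthentication: "yes"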
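Review bot: `dev1`, `dev2` and `dev3` all map to the single OS account `developer`, so the per-entry `state`, `shell` and `home` fields are applied to that one shared account three times and the last entry processed wins; a `state: "absent"` on any of these entries would delete the account the other two log in with. Revoking one person's key with `key_state: "absent"` only works if a task that reads `key_state` exists, and none is visible in the ssh_access role hunk of this commit, so confirm it is consumed. Per-person accounts (`username: "dev1"` and so on) keep key revocation and account removal independent decisions.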

+ 3
- 1
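--- a/group_vars/hetzner.yml
+++ b/group_vars/hetzner.yml
@@ -1,6 +1,8 @@
 access_list:
   admin: { keypath: "../keys/admin.pub", username: "root" }
-  techguy: { keypath: "../keys/techguy.pub", username: "root" }
+  # set username comment and shell
+  techguy: { keypath: "../keys/techguy.pub", username: "root", comment: "noodle", shell: "/bin/zsh" }
   interserver: { keypath: "../keys/interserver.pub", username: "root" }
+
 secret_list:
   interserver: { keypath: "../keys/interserver.pem", username: "root" }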
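Review bot: The new `comment: "noodle"` on `techguy` is never applied, because the user task added in roles/ssh_access/tasks/main.yml reads `item.value.text` (`comment: "{{ item.value.text | default(omit) }}"`), not `item.value.comment`; rename one side, e.g. in the task `comment: "{{ item.value.comment | default(omit) }}"`. Note also that this entry has `username: "root"`, so `shell: "/bin/zsh"` changes the login shell of root itself, and the user task fails if zsh is not installed before this role runs.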

+ 18
- 0
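--- a/host_vars/monitor.yml
+++ b/host_vars/monitor.yml
@@ -1,3 +1,21 @@
 access_list:
   admin: { keypath: "../keys/admin.pub", username: "root" }
   techguy: { keypath: "../keys/techguy.pub", username: "root" }
+
+# key requied by ssh tunnel
+secret_list:
+  interserver: { keypath: "../keys/interserver.pem", username: "tunneluser" }
+
+# You can get fingerprint by simple command:
+# ssh-keyscan blindage.org
+
+ssh_tunnels:
+  CLICKHOUSE8123:
+    SSH_TUNNEL_LOCAL_HOST: "127.0.0.1"
+    SSH_TUNNEL_LOCAL_PORT: 8123
+    SSH_TUNNEL_REMOTE_USER: "tunneluser"
+    SSH_TUNNEL_REMOTE_HOST: "database.myserver.ru"
+    SSH_TUNNEL_REMOTE_HOST_FINGERPRINT: "|1|yt/vdfskjgklfjlLKJLKJKJLlkjldksjfjuxzngXn5B3cxKltgMGrN2U= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyfgdfkjlkjLKJLKJLKJLKJLKJJKTUOIWPEORIOPopopiuopiuxdfyG/h9FpdfLZudbGkPdhDdXRZGKKuGl4koqki/XdT1LbQ="
+    SSH_TUNNEL_REMOTE_PORT: 8123
+    SSH_TUNNEL_KEY: "/home/tunneluser/.ssh/interserver.pem"
+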
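Review bot: The comment above `ssh_tunnels` suggests `ssh-keyscan blindage.org`, but the host being pinned is `database.myserver.ru`; an entry scanned from a different host will not match and the tunnel's host verification fails. Suggest `# ssh-keyscan -t ecdsa database.myserver.ru` so the example produces the entry this pin needs, and `requied` → `required` in the `secret_list` comment. The value is a hashed (`|1|`) known_hosts line, so it is tied to the hostname it was generated for and must have been produced for exactly the name given in `SSH_TUNNEL_REMOTE_HOST`; presumably that is the case here, but it is worth verifying against the real host's key before relying on it.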

+ 3
- 0
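--- a/roles/python2/tasks/main.yml
+++ b/roles/python2/tasks/main.yml
@@ -5,3 +5,6 @@
 - name: Install python pip
   apt: name=python-pip state=present
 
+- name: Install python python-setuptools
+  apt: name=python-setuptools state=present
+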
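Review bot: The task name on the first added line repeats the word: `- name: Install python-setuptools`. Keeping the key=value form of the existing `apt:` line is consistent with this file, though block YAML (`apt:` with `name:` and `state:` keys) is the Ansible-recommended style if the role is ever reformatted.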

+ 21
- 0
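--- a/roles/ssh_access/tasks/main.yml
+++ b/roles/ssh_access/tasks/main.yml
@@ -1,4 +1,25 @@
 ---
+
+- name: Keys you want to set
+  debug:
+    msg: "{{item}}"
+  with_dict: "{{ access_list }}"
+  when: access_list != None and access_list is defined 
+
+- name: Set user parameters
+  become: true
+  user:
+    name: "{{ item.value.username }}"
+    comment: "{{ item.value.text | default(omit) }}"
+    shell: "{{ item.value.shell | default(omit) }}"
+    home: "{{ item.value.home | default(omit) }}"
+    state: "{{ item.value.state | default('present') }}"
+  register: user_result
+  with_dict: "{{ access_list }}"
+  when: access_list != None and access_list is defined 
+
+- debug: msg="{{user_result}}" 
+
 - name: Set authorized keys
   become: true
   become_user: "{{ item.value.username }}"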
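Review bot: `when: access_list != None and access_list is defined` tests `!= None` before `is defined`, and because Ansible expands `with_dict: "{{ access_list }}"` before evaluating `when`, an undefined `access_list` still errors instead of skipping; reorder to `when: access_list is defined and access_list != None` and loop over `with_dict: "{{ access_list | default({}) }}"`. The unconditional `- debug: msg="{{user_result}}"` prints every user entry on every run, so consider giving it `verbosity: 1` or dropping it once the role is stable. With `state: "absent"` the account is removed but its home directory is kept unless `remove: true` is set, and the following 'Set authorized keys' task (which continues past this hunk) runs `become_user` as that now-missing account — it presumably needs a guard such as `when: item.value.state | default('present') == 'present'`.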

+ 22
- 0
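--- /dev/null
+++ b/roles/ssh_tunnel/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Copy ssh tunnel files
+  template:
+    src: ssh_tunnel.service.j2
+    dest: /etc/systemd/system/ssh_tunnel_{{item.key}}.service
+  with_dict: "{{ssh_tunnels}}"
+
+- name: Add remote host to known_hosts file
+  known_hosts:
+    path: /root/.ssh/known_hosts
+    key: "{{item.value.SSH_TUNNEL_REMOTE_HOST_FINGERPRINT}}"
+    name: "{{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+  with_dict: "{{ssh_tunnels}}"
+
+- name: Try to start ssh tunnel
+  systemd:
+    name: "ssh_tunnel_{{item.key}}"
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+  with_dict: "{{ssh_tunnels}}"
+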
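Review bot: `state: restarted` in the last task tears down and re-establishes every tunnel on each play run even when nothing changed; use `state: started` there and move the restart into a handler that the template task notifies (`notify: restart ssh tunnel`). The template writes into /etc/systemd/system and the known_hosts task writes /root/.ssh/known_hosts, but neither carries `become: true` as the ssh_access role does, so they only succeed if the play is already privileged. `daemon_reload: yes` and `enabled: yes` should be `true` (yamllint truthy), and note that the pin goes into root's known_hosts while the key path in host_vars lives under /home/tunneluser — whichever account the unit runs ssh as must be the one whose known_hosts is written.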

+ 26
- 0
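--- /dev/null
+++ b/roles/ssh_tunnel/templates/ssh_tunnel.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=SSH tunnel to {{item.key}}
+Documentation=man:ssh(1)
+Wants=ssh-agent.service
+After=network.target ssh.service
+
+[Service]
+Type=simple
+
+Environment="LOCAL_ADDR={{item.value.SSH_TUNNEL_LOCAL_HOST}}"
+Environment="LOCAL_PORT={{item.value.SSH_TUNNEL_LOCAL_PORT}}"
+Environment="REMOTE_USER={{item.value.SSH_TUNNEL_REMOTE_USER}}"
+Environment="REMOTE_HOST={{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+Environment="REMOTE_PORT={{item.value.SSH_TUNNEL_REMOTE_PORT}}"
+
+ExecStart=/usr/bin/ssh -t -NT -i {{item.value.SSH_TUNNEL_KEY}} \
+  -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
+  -L ${LOCAL_PORT}:${LOCAL_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
+
+RestartSec=10
+Restart=on-success
+RestartForceExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+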
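Review bot: The unit has no `User=`, so ssh runs as root while authenticating with a key that lives under `/home/tunneluser/.ssh/`; running it as `User=tunneluser` drops an unnecessary root process, but then the pin the tasks write to /root/.ssh/known_hosts is not consulted, so either point that task at /home/tunneluser/.ssh/known_hosts or pass `-o UserKnownHostsFile=` here. `Restart=on-success` only restarts after exit status 0 (plus 255 via `RestartForceExitStatus`), so any other non-zero exit leaves the tunnel down; `Restart=always` is the usual choice for a persistent forward. In ExecStart, `-t` is overridden by the later `-T` and can go; the middle element of `-L` (`LOCAL_ADDR`) is the destination address as seen from the remote host, so the `SSH_TUNNEL_LOCAL_HOST` name is misleading, and an explicit `127.0.0.1:` bind prefix plus `-o StrictHostKeyChecking=yes` makes the loopback-only listener and the host-key pin deliberate rather than ssh defaults.
```ini
[Service]
Type=simple
User=tunneluser
# … unchanged: Environment= lines …
ExecStart=/usr/bin/ssh -NT -i {{item.value.SSH_TUNNEL_KEY}} \
  -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
  -o StrictHostKeyChecking=yes \
  -L 127.0.0.1:${LOCAL_PORT}:${LOCAL_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}

RestartSec=10
Restart=always
# … unchanged: [Install] section …
```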
