
Set additional SSHd options, check if required by Ansible Python2 is installed, bugfixes

master
Vladimir Smagin 2 years ago
parent
commit
783209e823
9 changed files with 84 additions and 9 deletions
  1. +7
    -0
      group_vars/hetzner-nodes.yml
  2. +2
    -0
      readme.md
  3. +1
    -1
      roles/master_key/tasks/main.yml
  4. +7
    -0
      roles/python2/tasks/main.yml
  5. +1
    -8
      roles/ssh_access/tasks/main.yml
  6. +10
    -0
      roles/ssh_config/defaults/main.yml
  7. +36
    -0
      roles/ssh_config/tasks/main.yml
  8. +5
    -0
      roles/upgrade_pip/tasks/main.yml
  9. +15
    -0
      ssh-keys.yml

+ 7
- 0
group_vars/hetzner-nodes.yml View File

@ -2,3 +2,10 @@ access_list:
git: { keypath: "../keys/project-git.pub", username: "root" }
dev1: { keypath: "../keys/developer1.pub", username: "root" }
dev2: { keypath: "../keys/developer2.pub", username: "root" }
# use non-standart sshd config
sshd_config_path: "/var/local/etc/ssh/sshd_config"
# allow password auth instead of defaults
sshd_options:
PasswordAuthentication: "yes"
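Review bot: The `sshd_options` override on L50-51 turns password authentication back on for every host in the hetzner-nodes group, and because a group_vars mapping replaces the role default mapping rather than merging into it (unless `hash_behaviour=merge` is configured, which nothing here shows), `PubkeyAuthentication: "yes"` from roles/ssh_config/defaults stops being managed on these hosts — the role will only remove and re-add `PasswordAuthentication`. If password logins are genuinely needed here, repeat every option you still want enforced in the override, e.g. `PubkeyAuthentication: "yes"` next to `PasswordAuthentication: "yes"`, and extend the L49 comment to say why the exception exists. The custom `sshd_config_path` on L48 only takes effect if the `ssh` service restarted by roles/ssh_config is already started with `-f` pointing at that file, which is worth stating in the comment. The L47 comment should read `# use non-standard sshd config`.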

+ 2
- 0
readme.md View File

@ -33,6 +33,8 @@ You want to make additional access to all nodes for developer guy. Configuring c
developer: { keypath: "../keys/developer.pub", username: "dev" }
```
You can set additional SSHd options, see example in defaults of ssh_config role.
No need to make additional config for ```hetzner-balancers``` because access list will be inherited, only admins accessible.
---

+ 1
- 1
roles/master_key/tasks/main.yml View File

@ -1,5 +1,5 @@
---
- name: Set primary ansible key and remove others
- name: Set administrative keys and delete others
authorized_key:
user: root
state: present

+ 7
- 0
roles/python2/tasks/main.yml View File

@ -0,0 +1,7 @@
---
- name: Install python2
apt: name=python state=present
- name: Install python pip
apt: name=python-pip state=present
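Review bot: The apt tasks on L83 and L85 carry no `become`, unlike the privileged tasks in roles/ssh_config from this same commit, so they can only succeed when the connection user is already root; add `become: true` to both. Style: prefer the block form over the `key=value` string, e.g. `apt:` / `  name: python` / `  state: present`, which is the form roles/upgrade_pip and roles/ssh_config already use. A header comment such as `# Ansible modules need a Python 2 interpreter on the target; this role is run with python3 as the interpreter from ssh-keys.yml` would explain why the role exists.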

+ 1
- 8
roles/ssh_access/tasks/main.yml View File

@ -1,21 +1,14 @@
---
#- debug:
# msg: "{{ access_list }}"
- name: Set public keys
- name: Set authorized keys
become: true
become_user: "{{ item.value.username }}"
authorized_key: user="{{ item.value.username }}" key="{{ lookup('file', item.value.keypath) }}" state=present
with_dict: "{{ access_list }}"
when: access_list != None and access_list is defined
#- debug:
# msg: "{{ secret_list }}"
- name: Upload secret keys
become: true
become_user: "{{ item.value.username }}"
copy: src="{{ item.value.keypath }}" dest="~/.ssh/{{ item.value.keypath | basename }}" mode=0600
with_dict: "{{ secret_list }}"
when: secret_list != None and secret_list is defined
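Review bot: The `when: access_list != None and access_list is defined` guard on L101 (likewise L109 for `secret_list`, and L142/L151 of roles/ssh_config/tasks/main.yml for `sshd_options`) does not protect against an undefined variable: the `with_dict` loop is expanded before the conditional is evaluated, so an undefined `access_list` fails inside `with_dict` before `when` is consulted, and the `is defined` test is in any case placed after the comparison that relies on it. A loop source that tolerates both a missing and an empty value removes the need for the guard: `with_dict: "{{ access_list | default({}, true) }}"`. These `when` lines are unchanged by this commit, so this is a follow-up rather than a regression.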

+ 10
- 0
roles/ssh_config/defaults/main.yml View File

@ -0,0 +1,10 @@
---
# Set here defaults for ALL servers
# In other cases use group_vars or host_vars
sshd_config_path: "/etc/ssh/sshd_config"
sshd_options:
PubkeyAuthentication: "yes"
PasswordAuthentication: "no"
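Review bot: The quoting of `"yes"`/`"no"` on L121-122 is load-bearing and deserves a comment: an unquoted `yes` is a YAML boolean, and the lineinfile task in this role would then write `PubkeyAuthentication True`, which sshd rejects as a bad yes/no argument. Suggest adding above `sshd_options:` the comment `# values are sshd's literal yes/no words; keep them quoted, an unquoted yes/no becomes a boolean and renders as True/False`. The header on L117-118 should also say that a group_vars/host_vars `sshd_options` replaces this whole mapping rather than merging into it, so an override must repeat every key it still wants enforced.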

+ 36
- 0
roles/ssh_config/tasks/main.yml View File

@ -0,0 +1,36 @@
---
# Clean up config file
- name: SSHd config file
debug: msg="{{ sshd_config_path }}"
- name: SSHd config file
debug: msg="{{ sshd_options }}"
- name: Remove all marked options from config
become: yes
lineinfile:
path: "{{ sshd_config_path }}"
state: absent
regexp: '{{ item.key }}'
with_dict: "{{ sshd_options }}"
when: sshd_options != None and sshd_options is defined
# Nice, now add options from ansible configs
- name: Add marked options to config
become: yes
lineinfile:
path: "{{ sshd_config_path }}"
state: present
line: '{{ item.key }} {{ item.value }}'
with_dict: "{{ sshd_options }}"
when: sshd_options != None and sshd_options is defined
# Ok, applying new options
- name: Restart ssh
become: yes
service: name=ssh state=restarted
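Review bot: The removal task on L135-142 uses `regexp: '{{ item.key }}'` unanchored, so `state: absent` deletes every line merely containing the key as a substring (a key such as `Port` would also strip `GatewayPorts`), and the add task on L144-151 appends the new line at end of file, where it lands after any existing `Match` block and then applies only inside that block instead of globally — `PasswordAuthentication no` could silently not take effect. The restart on L153-155 then applies an unvalidated file, which can lock every admin out of the host; `validate: '/usr/sbin/sshd -t -f %s'` on the edit refuses a config sshd will not parse. Both lineinfile tasks should anchor the directive name and the add task should insert before the first `Match` line; the rewritten tasks are below. Style: `become: yes` → `become: true`, and the two debug tasks on L131 and L133 share the name `SSHd config file`, so one should say which value it prints.
```yaml
- name: Remove all marked options from config
  become: true
  lineinfile:
    path: "{{ sshd_config_path }}"
    state: absent
    # anchor on the directive name so e.g. 'Port' cannot also remove 'GatewayPorts'
    regexp: '^\s*#?\s*{{ item.key }}\s'
  with_dict: "{{ sshd_options }}"
  when: sshd_options is defined and sshd_options != None
- name: Add marked options to config
  become: true
  lineinfile:
    path: "{{ sshd_config_path }}"
    state: present
    line: '{{ item.key }} {{ item.value }}'
    # stay in the global section: a line appended after a Match block only applies to that block
    insertbefore: '^Match\s'
    firstmatch: true
    # refuse the edit if sshd rejects the resulting file, instead of restarting into a broken config
    validate: '/usr/sbin/sshd -t -f %s'
  with_dict: "{{ sshd_options }}"
  when: sshd_options is defined and sshd_options != None
# … unchanged: debug tasks and the Restart ssh task …
```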

+ 5
- 0
roles/upgrade_pip/tasks/main.yml View File

@ -0,0 +1,5 @@
---
- name: Upgrade pip
pip:
name: pip
extra_args: --upgrade
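Review bot: The task on L163-166 upgrades pip with pip itself and no `become`, so depending on the connection user it either fails with a permission error or installs into that user's home rather than system-wide, and `extra_args: --upgrade` is the non-idiomatic spelling of `state: latest`. Suggest `become: true` on the task and `pip:` / `  name: pip` / `  state: latest`. A comment noting that this replaces the distro-packaged python-pip installed by roles/python2 with the PyPI release would make the intent explicit.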

+ 15
- 0
ssh-keys.yml View File

@ -1,7 +1,22 @@
---
# Check if python2 installed to server
- name: Checkout python2
hosts: all
ignore_errors: yes
vars:
ansible_python_interpreter: /usr/bin/python3
roles:
- python2
# Ok, now magic begins
- hosts: all
gather_facts: True
roles:
- master_key
- preinstall
- upgrade_pip
- ssh_config
- ssh_access
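Review bot: `ignore_errors: yes` on L177 silences any failure of the python2 role for the whole play, so a host where apt could not install python2 is still carried into the second play, which then fails at `gather_facts` with a less obvious interpreter error; consider dropping it so the first play fails on the host that actually needs attention. The play name `Checkout python2` on L175 suggests a check while the role installs packages; `Ensure python2 is installed` matches what it does, and the `# Check if python2 installed to server` comment should say the same. Style: `ignore_errors: yes` and `gather_facts: True` should both be written `true`.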
