	| Author | SHA1 | Date | |
|---|---|---|---|
| 9e76d11aa4 | |||
| e93bb182c0 | |||
| 27d9555428 | |||
| b14f36c7e8 | |||
| 762e2ffc27 | |||
| 115cfa8236 | 
							
								
								
									
										12
									
								
								galaxy.yml
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								galaxy.yml
									
									
									
									
									
								
							| @@ -1,21 +1,27 @@ | ||||
| namespace: finallycoffee | ||||
| name: base | ||||
| version: 0.2.1 | ||||
| version: 0.3.0 | ||||
| readme: README.md | ||||
| authors: | ||||
| - transcaffeine <transcaffeine@finally.coffee> | ||||
| description: Roles for base services which are common dependencies other services like databases | ||||
| description: >-2 | ||||
|   Roles for base services which are core functionality like managing packages | ||||
|   and ssh or common dependencies other services like databases | ||||
| dependencies: | ||||
|   "community.docker": "^4.2.0" | ||||
|   "community.general": "^10.0.0" | ||||
| license_file: LICENSE.md | ||||
| build_ignore: | ||||
| - '*.tar.gz' | ||||
| repository: https://git.finally.coffee/finallycoffee/base | ||||
| issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues | ||||
| tags: | ||||
|   - bootstrap | ||||
|   - ssh | ||||
|   - mosh | ||||
|   - docker | ||||
|   - lego | ||||
|   - minio | ||||
|   - nginx | ||||
|   - restic | ||||
|   - docker | ||||
|   - user_management | ||||
|   | ||||
| @@ -1,10 +0,0 @@ | ||||
| --- | ||||
| - name: Ensure hostname is managed | ||||
|   hosts: "{{ hostname_targets | default('hostname_managed') }}" | ||||
|   become: "{{ hostname_target_become | default(true) }}" | ||||
|   gather_facts: false | ||||
|   tasks: | ||||
|     - name: Ensure hostname is up to date | ||||
|       ansible.builtin.hostname: | ||||
|         name: "{{ hostname | default(inventory_hostname, true) }}" | ||||
|         use: "{{ hostname_strategy | default(omit, true) }}" | ||||
							
								
								
									
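--- a/playbooks/mosh.yml
+++ b/playbooks/mosh.yml
@@ -0,0 +1,6 @@
+---
+- name: Manage and configure mosh
+  hosts: "{{ mosh_hosts | default('mosh', true) }}"
+  become: "{{ mosh_become | default(true) }}"
+  roles:
+    - role: finallycoffee.base.mosh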
							
								
								
									
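--- a/playbooks/openssh.yml
+++ b/playbooks/openssh.yml
@@ -0,0 +1,7 @@
+---
+- name: Ensure openssh is installed and configured
+  hosts: "{{ openssh_target | default('openssh') }}"
+  become: "{{ openssh_become | default(true) }}"
+  gather_facts: "{{ openssh_gather_facts | default(true) }}"
+  roles:
+    - role: finallycoffee.base.openssh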
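Review bot: The `gather_facts: "{{ openssh_gather_facts | default(true) }}"` knob on the line above `roles:` cannot safely be set to `false`, because the role it applies reads `ansible_facts['pkg_mgr']` and `ansible_distribution` in its install tasks and `ansible_facts['service_mgr']` in its reload handler, so the play would fail on an undefined variable instead of merely skipping fact collection. Either drop the knob and keep `gather_facts: true`, or keep it and have the role's first task collect the subset it needs itself, e.g. `ansible.builtin.setup:` with `gather_subset: ['min']` (the `min` subset covers distribution, pkg_mgr and service_mgr). A one-line comment above the knob stating that dependency would also stop operators from flipping it blindly.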
| @@ -1,5 +1,5 @@ | ||||
| #!/usr/bin/env bash | ||||
| set -euo pipefail | ||||
| set -xeuo pipefail | ||||
|  | ||||
| LEGO_BINARY=$(/usr/bin/env which lego) | ||||
|  | ||||
| @@ -8,8 +8,11 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then | ||||
|     echo "nc not found (in PATH), exiting" | ||||
|     exit 1 | ||||
|   fi | ||||
|   set +e | ||||
|   nc -z 127.0.0.1 $LEGO_HTTP_PORT; | ||||
|   if [[ $? -eq 0 ]]; then | ||||
|   nc_exit_code=$?; | ||||
|   set -e | ||||
|   if [[ $nc_exit_code -eq 0 ]]; then | ||||
|       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT | ||||
|   fi | ||||
| fi | ||||
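Review bot: `set -xeuo pipefail` in the first hunk turns on command tracing for the entire script, which echoes every expanded command line to stderr; if the lego invocation later in this script (outside the hunk) passes ACME account or DNS-provider credentials as arguments or environment expansions, they will be written wherever this script's stderr goes (journal, cron mail, CI logs). Keep `-x` opt-in, e.g. `[[ -n "${LEGO_DEBUG:-}" ]] && set -x`, rather than the default. In the second hunk the `set +e` / `nc_exit_code=$?` / `set -e` dance can be replaced by testing the command directly, `if nc -z 127.0.0.1 "$LEGO_HTTP_PORT"; then`, which is exempt from `errexit` by design and also quotes the port. The script continues past the end of the hunk.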
|   | ||||
							
								
								
									
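--- a/roles/mosh/README.md
+++ b/roles/mosh/README.md
@@ -0,0 +1,4 @@
+# `finallycoffee.base.mosh`
+
+Installs [`mosh`](https://mosh.org/#), a remote 'mobile shell' which supports
+roaming and re-uses SSH for the authentication layer.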
							
								
								
									
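--- a/roles/mosh/defaults/main/main.yml
+++ b/roles/mosh/defaults/main/main.yml
@@ -0,0 +1,2 @@
+---
+mosh_state: present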
							
								
								
									
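--- a/roles/mosh/defaults/main/packages.yml
+++ b/roles/mosh/defaults/main/packages.yml
@@ -0,0 +1,15 @@
+---
+mosh_debian_packages:
+  - "mosh"
+  - "openssh-server"
+mosh_fedora_packages:
+  - "mosh"
+  - "openssh-server"
+mosh_archlinux_packages:
+  - "mosh"
+  - "openssh"
+
+mosh_packages:
+  debian: "{{ mosh_debian_packages }}"
+  fedora: "{{ mosh_fedora_packages }}"
+  archlinux: "{{ mosh_archlinux_packages }}"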
							
								
								
									
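--- a/roles/mosh/tasks/install.yml
+++ b/roles/mosh/tasks/install.yml
@@ -0,0 +1,30 @@
+---
+- name: Ensure mosh is {{ mosh_state }} (dnf)
+  ansible.builtin.dnf:
+    name: "{{ mosh_packages[_key] }}"
+    state: "{{ mosh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
+    - _key in mosh_packages.keys()
+  vars:
+    _key: "{{ ansible_distribution | lower }}"
+
+- name: Ensure mosh is {{ mosh_state }} (apt)
+  ansible.builtin.apt:
+    package: "{{ mosh_packages[_key] }}"
+    state: "{{ mosh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['apt']
+    - _key in mosh_packages.keys()
+  vars:
+    _key: "{{ ansible_distribution | lower }}"
+
+- name: Ensure mosh is {{ mosh_state }} (pacman)
+  community.general.pacman:
+    name: "{{ mosh_packages[_key] }}"
+    state: "{{ mosh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['pacman']
+    - _key in mosh_packages.keys()
+  vars:
+    _key: "{{ ansible_distribution | lower }}"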
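Review bot: All three tasks apply `state: "{{ mosh_state }}"` to the whole `mosh_packages[_key]` list, and the lists defined in `defaults/main/packages.yml` contain `openssh-server` (or `openssh` on Arch) next to `mosh`, so running this role with `mosh_state: absent` uninstalls the SSH server that Ansible itself is connected through and locks the operator out of the host. Apply `mosh_state` only to the `mosh` package and keep the SSH dependency at `state: present`, or drop it from these lists entirely and let `finallycoffee.base.openssh` own the server package. Until that is fixed, a comment above the first task such as `# NOTE: mosh_state applies to every package in the list, including openssh-server` would at least make the blast radius visible.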
							
								
								
									
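--- a/roles/mosh/tasks/main.yml
+++ b/roles/mosh/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Ensure 'mosh_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Invalid state '{{ mosh_state }}' for 'mosh_state'!
+      Allowed states are {{ mosh_states | join(', ') }}.
+  when: mosh_state not in mosh_states
+
+- name: Ensure mosh is {{ mosh_state }}
+  ansible.builtin.include_tasks:
+    file: "install.yml"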
							
								
								
									
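--- a/roles/mosh/vars/main.yml
+++ b/roles/mosh/vars/main.yml
@@ -0,0 +1,4 @@
+---
+mosh_states:
+  - "present"
+  - "absent"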
							
								
								
									
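--- a/roles/openssh/README.md
+++ b/roles/openssh/README.md
@@ -0,0 +1,13 @@
+# `finallycoffee.base.openssh`
+
+Ansible role to manage and configure openssh and it's components (like `sshd`).
+
+Currently supports `fedora` and `debian` linux distributions.
+
+## `sshd`
+
+To configure `sshd`, see the [`defaults/main/sshd.yml`](defaults/main/sshd.yml),
+where snake\_cased config keys for `/etc/ssh/sshd_config` are available in
+the `openssh_sshd_config_` namespace.
+
+To add your own config on top, simply use key-value syntax in `openssh_sshd_config`.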
							
								
								
									
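--- a/roles/openssh/defaults/main/main.yml
+++ b/roles/openssh/defaults/main/main.yml
@@ -0,0 +1,3 @@
+---
+openssh_state: 'present'
+openssh_sshd_config_file: "/etc/ssh/sshd_config"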
							
								
								
									
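--- a/roles/openssh/defaults/main/packages.yml
+++ b/roles/openssh/defaults/main/packages.yml
@@ -0,0 +1,8 @@
+---
+openssh_packages:
+  fedora: "{{ openssh_fedora_packages }}"
+  debian: "{{ openssh_debian_packages }}"
+openssh_fedora_packages:
+  - "openssh-server"
+openssh_debian_packages:
+  - "openssh-server"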
							
								
								
									
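--- a/roles/openssh/defaults/main/sshd.yml
+++ b/roles/openssh/defaults/main/sshd.yml
@@ -0,0 +1,33 @@
+---
+openssh_sshd_enable: true
+openssh_sshd_config_pubkey_authentication: true
+openssh_sshd_config_password_authentication: false
+openssh_sshd_config_challenge_response_authentication: false
+openssh_sshd_config_permit_root_login: false
+
+# Limits
+openssh_sshd_config_max_sessions: ~
+openssh_sshd_config_max_startups: ~
+
+# Hardening
+openssh_sshd_config_protocol: 2
+openssh_sshd_config_x11_forwarding: false
+openssh_sshd_config_allow_agent_forwarding: false
+openssh_sshd_config_allow_tcp_forwarding: false
+
+openssh_sshd_default_config:
+  PubkeyAuthentication: "{{ openssh_sshd_config_pubkey_authentication }}"
+  PasswordAuthentication: "{{ openssh_sshd_config_password_authentication }}"
+  ChallengeResponseAuthentication: >-2
+    {{ openssh_sshd_config_challenge_response_authentication }}
+  PermitRootLogin: "{{ openssh_sshd_config_permit_root_login }}"
+  MaxSessions: "{{ openssh_sshd_config_max_sessions }}"
+  MaxStartups: "{{ openssh_sshd_config_max_startups }}"
+  Protocol: "{{ openssh_sshd_config_protocol }}"
+  X11Forwarding: "{{ openssh_sshd_config_x11_forwarding }}"
+  AllowAgentForwarding: "{{ openssh_sshd_config_allow_agent_forwarding }}"
+  AllowTcpForwarding: "{{ openssh_sshd_config_allow_tcp_forwarding }}"
+
+openssh_sshd_merged_config: >-2
+  {{ openssh_sshd_default_config | default({}, true)
+     | combine(openssh_sshd_config | default({}, true)) }}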
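Review bot: `openssh_sshd_config_protocol: 2` under `# Hardening` is written into `sshd_config` unconditionally, but the `Protocol` keyword has been a no-op since SSH-1 support was removed in OpenSSH 7.6; current servers only emit a "Deprecated option Protocol" warning on every config parse and gain no hardening from it, so it should default to `~` (which the configure task renders commented out) or be dropped. `ChallengeResponseAuthentication` likewise became a legacy alias of `KbdInteractiveAuthentication` in OpenSSH 8.7; it still works, but `sshd -T` reports the new name, which matters if anything later compares effective config against this mapping. `openssh_sshd_enable: true` is defined here but no task in the visible role consumes it, so as committed the role never enables or starts the unit — either wire it into a `systemd_service` task or remove it. A comment above the authentication defaults would also save operators grief, e.g. `# PasswordAuthentication is off by default: deploy an authorized key before applying or you lock yourself out.`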
							
								
								
									
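--- a/roles/openssh/defaults/main/systemd.yml
+++ b/roles/openssh/defaults/main/systemd.yml
@@ -0,0 +1,2 @@
+---
+openssh_sshd_systemd_service_name: "sshd.service"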
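Review bot: `openssh_sshd_systemd_service_name: "sshd.service"` matches Fedora, but on Debian-derived systems the package installs the unit as `ssh.service` and, as far as I can tell, only provides `sshd.service` as an `Alias=` that exists while `ssh.service` is enabled, so the reload handler can fail with an unknown unit on a Debian host where the service was disabled or is socket-activated (this varies by Debian/Ubuntu release, so verify on the targets you support). Since the README advertises Debian support, derive the default per OS family, e.g. `openssh_sshd_systemd_service_name: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('ssh.service', 'sshd.service') }}"`, or carry the unit name in the per-distribution mapping next to the package list.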
							
								
								
									
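--- a/roles/openssh/handlers/main.yml
+++ b/roles/openssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Ensure sshd is reloaded
+  ansible.builtin.systemd_service:
+    name: "{{ openssh_sshd_systemd_service_name }}"
+    state: "reloaded"
+  when: ansible_facts['service_mgr'] == 'systemd'
+  listen: openssh_sshd_reload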
							
								
								
									
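--- a/roles/openssh/tasks/configure-sshd.yml
+++ b/roles/openssh/tasks/configure-sshd.yml
@@ -0,0 +1,28 @@
+---
+- name: Configure sshd
+  ansible.builtin.lineinfile:
+    path: "{{ openssh_sshd_config_file }}"
+    regexp: "{{ openssh_sshd_config_regexp }}"
+    line: "{{ openssh_sshd_config_line }}"
+    firstmatch: true
+    state: present
+    validate: "sshd -Tf %s"
+  loop: "{{ openssh_sshd_merged_config | dict2items }}"
+  loop_control:
+    loop_var: "tuple"
+    label: "{{ tuple.key }}"
+  notify:
+    - openssh_sshd_reload
+  vars:
+    openssh_sshd_config_regexp: "^\\s*#?\\s*{{ tuple.key }}"
+    openssh_sshd_config_line: >-2
+      {{ openssh_sshd_config_line_commented }}{{ tuple.key }} {{ openssh_sshd_config_value }}
+    openssh_sshd_config_value_is_none: "{{ tuple.value is none }}"
+    openssh_sshd_config_line_commented: >-2
+      {{ openssh_sshd_config_value_is_none | ternary('#', '') }}
+    openssh_sshd_config_value: >-2
+      {{ (tuple.value is boolean) | ternary(
+           tuple.value | ternary('yes', 'no'),
+           tuple.value
+         )
+      }}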
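Review bot: The `lineinfile` task edits `/etc/ssh/sshd_config` in place with `regexp: "^\\s*#?\\s*{{ tuple.key }}"`, but sshd honours the first value it reads for a keyword, and the stock Debian/Ubuntu file opens with `Include /etc/ssh/sshd_config.d/*.conf` (cloud images ship a `50-cloud-init.conf` setting `PasswordAuthentication yes`), so a drop-in can silently override every hardening value this task writes while the play reports success. The regexp is also case-sensitive and unanchored on the right, whereas sshd keywords are case-insensitive, so an existing `passwordauthentication yes` is not matched and the managed line is appended after it (again losing to first-match), and an occurrence inside a `Match` block would be rewritten in place instead of the global setting. The safer shape is to write the managed keys into a drop-in that sorts first (e.g. `/etc/ssh/sshd_config.d/00-ansible.conf`) when the `Include` is present; at minimum use `regexp: "(?i)^\\s*#?\\s*{{ tuple.key }}\\s"` together with `insertbefore: BOF` so a newly added line precedes any other definition. Note that `validate: "sshd -Tf %s"` does not catch this, since the temp file is valid either way.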
							
								
								
									
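--- a/roles/openssh/tasks/install.yml
+++ b/roles/openssh/tasks/install.yml
@@ -0,0 +1,16 @@
+---
+- name: Ensure openssh server package is {{ openssh_state }} (dnf)
+  ansible.builtin.dnf:
+    name: "{{ openssh_packages[ansible_distribution | lower] }}"
+    state: "{{ openssh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
+    - ansible_distribution | lower in openssh_packages.keys()
+
+- name: Ensure openssh server package is {{ openssh_state }} (apt)
+  ansible.builtin.apt:
+    package: "{{ openssh_packages[ansible_distribution | lower] }}"
+    state: "{{ openssh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['apt']
+    - ansible_distribution | lower in openssh_packages.keys()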
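Review bot: Both tasks index `openssh_packages` with the bare `ansible_distribution` variable while the `when` clause on the same task reads `ansible_facts['pkg_mgr']`; the bare name is only present when `inject_facts_as_vars` is enabled, which hardened `ansible.cfg` setups commonly disable, so the role would fail on an undefined variable there. Use `ansible_facts['distribution'] | lower` in all four places for consistency with the rest of the role. Separately, with `openssh_state: absent` these tasks remove the server that carries the current Ansible connection; an `ansible.builtin.assert` up front (or at least a README warning) that `openssh_state == 'absent'` is only intended for hosts reached over another transport would prevent an accidental lock-out.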
							
								
								
									
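--- a/roles/openssh/tasks/main.yml
+++ b/roles/openssh/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Ensure 'openssh_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Invalid value '{{ openssh_state }}' for 'openssh_state'.
+      Valid values are {{ openssh_states | join(', ') }}!
+  when: openssh_state not in openssh_states
+
+- name: Ensure openssh is {{ openssh_state }}
+  ansible.builtin.include_tasks:
+    file: "install.yml"
+
+- name: Ensure sshd is configured
+  ansible.builtin.include_tasks:
+    file: "configure-sshd.yml"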
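Review bot: `configure-sshd.yml` is included unconditionally after the install step, so with `openssh_state: absent` the role removes `openssh-server` and then tries to edit `/etc/ssh/sshd_config` and validate it with `sshd -Tf`, which fails once the binary is gone (or, where the config file survives removal, rewrites settings for a service that no longer exists). Guard the last include with `when: openssh_state == 'present'`. There is also no task that enables or starts the unit named in `defaults/main/systemd.yml`, so on a host where sshd is installed but disabled the role configures a daemon that never runs and the reload handler is the only thing that would start it; a final `ansible.builtin.systemd_service` task with `enabled: "{{ openssh_sshd_enable }}"` and `state: started` (guarded by the same `present` condition) would close that gap and give the otherwise unused `openssh_sshd_enable` default a purpose.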
							
								
								
									
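--- a/roles/openssh/vars/main.yml
+++ b/roles/openssh/vars/main.yml
@@ -0,0 +1,4 @@
+---
+openssh_states:
+  - "present"
+  - "absent"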