infra-ansible

ansible script to ship alpine/ssh/wireguard

git clone https://9o.is/git/infra-ansible.git

commit 0c85b06976416c4bb8412b9434aadc47a01f8ebe
Author: Jul <jul@9o.is>
Date:   Wed,  8 May 2024 13:39:55 +0800

set hardened openssh server

Diffstat:
Ahost/hosts | 2++
Ahost/readme.md | 6++++++
Ahost/roles/hostname/tasks/main.yml | 27+++++++++++++++++++++++++++
Ahost/roles/openssh/files/sshd_config | 30++++++++++++++++++++++++++++++
Ahost/roles/openssh/handlers/main.yml | 6++++++
Ahost/roles/openssh/tasks/main.yml | 54++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ahost/site.yml | 10++++++++++
7 files changed, 135 insertions(+), 0 deletions(-)

diff --git a/host/hosts b/host/hosts
@@ -0,0 +1,2 @@
+[servers]
+server01.9o.is
diff --git a/host/readme.md b/host/readme.md
@@ -0,0 +1,6 @@
+### Starting Requirements
+
+- Server must be ssh-authorized via root
+- Server must set mtu to 576 (`ip link set ens3 mtu 576`)
+  - else 1984 hosting will drop fragmented packets from large, sftp files
+
diff --git a/host/roles/hostname/tasks/main.yml b/host/roles/hostname/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: set hostname in /etc/hostname
+  copy:
+    dest: /etc/hostname
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      {{ ansible_host }}
+
+- name: set hostname in /etc/hosts
+  lineinfile:
+    path: /etc/hosts
+    regexp: '^127\.0\.0\.1'
+    line: 127.0.0.1 localhost {{ ansible_host }}
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: register current hostname
+  shell: hostnamectl hostname
+  register: current_hostname
+
+- name: set hostname with hostnamectl
+  shell: hostnamectl set-hostname {{ ansible_host }}
+  when: current_hostname.stdout != ansible_host
+
diff --git a/host/roles/openssh/files/sshd_config b/host/roles/openssh/files/sshd_config
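Review bot: `register current hostname` runs `shell: hostnamectl hostname` with no `changed_when`, so every play reports a change even when the following `when:` skips the set, and neither task uses any shell feature, so `command:` is the right module — or replace both tasks with `ansible.builtin.hostname: name: "{{ ansible_host }}"`, which is idempotent on its own. If the shell/command form is kept, add `changed_when: false` to the register task. `ansible_host` is the connection address and becomes an IP as soon as someone sets it per host in inventory; `inventory_hostname` is the usual source for a system hostname. `hostnamectl` presumes systemd, which the repo's "alpine" description suggests may not be present on the target — worth confirming before relying on it.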
@@ -0,0 +1,30 @@
+Port 2222
+AllowUsers user
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Specifies the available ciphers, kex, and mac algorithms.
+KexAlgorithms curve25519-sha256
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com
+
+# LogLevel VERBOSE logs user's key fingerprint on login
+# Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Disable root user login
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+
+# Disable password-based login
+AuthenticationMethods publickey
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+AuthorizedKeysFile .ssh/authorized_keys
+
diff --git a/host/roles/openssh/handlers/main.yml b/host/roles/openssh/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+
diff --git a/host/roles/openssh/tasks/main.yml b/host/roles/openssh/tasks/main.yml
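Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server` hard-codes the Debian location of the external sftp binary, and the `sshd -t` validation in the tasks file does not check that the binary exists, so on a host where it lives elsewhere (Alpine ships it under /usr/lib/ssh/) sftp fails only at first use; `Subsystem sftp internal-sftp -f AUTHPRIV -l INFO` keeps the same logging flags with no path dependency. The hardening also leaves `AllowTcpForwarding` and `AllowAgentForwarding` at their default of yes — with a single key-only user that may be intended, but if the box only needs shell and sftp, `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` close those channels. `ChallengeResponseAuthentication` is the legacy spelling of `KbdInteractiveAuthentication` in current OpenSSH and is still accepted, so that is a note rather than a defect. The comment above `HostKey` describes `HostKeyAlgorithms`, not the key path it sits on; `# Host key: ed25519 only` would say what the line does.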
@@ -0,0 +1,54 @@
+---
+- name: install sudo
+  package:
+    name: sudo
+    state: present
+
+- name: create user
+  user:
+    name: user
+    password: '*'
+    shell: /bin/bash
+
+- name: assign user sudo privilege
+  copy:
+    dest: /etc/sudoers.d/user
+    owner: root
+    group: root
+    mode: '0440'
+    validate: /usr/sbin/visudo -csf %s
+    content: |
+      user ALL=(ALL) NOPASSWD:ALL
+
+- name: create user ssh directory
+  file:
+    path: /home/user/.ssh
+    state: directory
+
+- name: authorize user ssh keys
+  copy:
+    dest: /home/user/.ssh/authorized_keys
+    owner: user
+    group: user
+    mode: '0644'
+    content: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4zNrHVit/S7gU3qW2IbSP8jtUpGSP3tb+z/PBSXD66 jul@9o.is
+
+- name: empty motd
+  copy:
+    content: ''
+    dest: /etc/motd
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: configure sshd
+  copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+    validate: sshd -t -f %s
+  notify: restart sshd
+
diff --git a/host/site.yml b/host/site.yml
@@ -0,0 +1,10 @@
+---
+- name: Set up kubernetes
+  hosts: servers
+  remote_user: user
+  become: true
+  roles:
+    - hostname
+    - openssh
+# - k0s
+
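Review bot: `create user ssh directory` sets no `owner`, `group` or `mode`, so under `become: true` the directory is created root-owned (typically 0755 under the default umask) and `user` cannot write to its own `~/.ssh` — `known_hosts` updates from that host will fail — while the key file right below is chmod 0644; add `owner: user`, `group: user`, `mode: '0700'` to the `file:` task and use `mode: '0600'` for authorized_keys. The play also moves sshd to port 2222 and restarts it through the handler, but `host/hosts` in this same commit sets no `ansible_port`, so a second run will try port 22 unless the port is configured somewhere not shown. `password: '*'` plus `NOPASSWD:ALL` makes the single key in `authorized_keys` equivalent to root on the box; that is a reasonable trade-off for key-only Ansible access, but it deserves a line in readme.md so nobody adds a second key thinking it is a limited account.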
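Review bot: `remote_user: user` names the account that the openssh role in this very play creates, so the first run against a fresh host (readme.md says initial access is as root) has to override it with `-u root`; a comment on that line, `# first run on a fresh host: pass -u root, this user is created by the openssh role`, would spare the next operator a failed bootstrap. The play name `Set up kubernetes` describes only the commented-out `k0s` role; `Bootstrap host: hostname and hardened sshd` matches what the play currently does.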