Premier jet pour un système de peering (#23)

2020-04-15 16:48:56 +00:00 · 2020-04-15 16:48:56 +00:00 · 2b0f2947da
parent b26a12973e
commit 2b0f2947da
6 changed files with 84 additions and 0 deletions
--- a/config.yml
+++ b/config.yml
@ -1,5 +1,9 @@
 hostname: fr.tild3.org
 roles: [ webserver, rust ]
+peers:
+   - name: tilde.netlib.re
+     client_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHsVZvvVX3VPj2sWxrb8LJrn3650aoLAZgbY7+CB+NU"
+     server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
 packages:
  debian: [ subversion, mercurial, htop, tmux, vim, emacs, mutt, weechat, elinks, rsync, dnsutils, make, g++, libssl-dev, mosh, gopher ]
  rust: [ lsd ]
--- a/roles/common/files/ssh_config
+++ b/roles/common/files/ssh_config
@ -0,0 +1,4 @@
+Host *
+	HostKeyAlgorithms ssh-ed25519
+	PubkeyAcceptedKeyTypes ssh-ed25519
+	PasswordAuthentication no
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -26,6 +26,10 @@

 - include: users.yml

+- name: Activer le peering
+  include: peering/main.yml
+  when: peers is defined
+
 - name: Exécuter les rôles définis dans la config
  include_role:
    name: "{{ current_role }}"
--- a/roles/common/tasks/peering/main.yml
+++ b/roles/common/tasks/peering/main.yml
@ -0,0 +1,15 @@
+- name: Créer le dossier /home/peers
+  file:
+    path: "/home/peers"
+    state: directory
+
+- stat:
+    path: "/home/peers/self"
+  register: local_peer
+
+- include: setup_local.yml
+  when: ! local_peer.stat.exists
+
+- name: Générer les comptes 
+  include: setup_peer.yml
+  loop: "{{ peers }}"
--- a/roles/common/tasks/peering/setup_local.yml
+++ b/roles/common/tasks/peering/setup_local.yml
@ -0,0 +1,34 @@
+- name: Créer un compte peer pour se connecter avec d'autres serveurs
+  user:
+    name: "peer"
+    state: present
+    skeleton: /etc/skel
+    shell: /bin/bash
+    system: no
+    createhome: yes
+    home: "/home/peers/self"
+
+
+- name: Créer un lien symbolique au hostname du serveur
+  file:
+    src: /home/peers/self
+    dest: "/home/peers/{{ hostname }}"
+    state: link
+
+- file:
+    path: /home/peers/self/.ssh
+    owner: peer
+    group: peer
+    state: directory
+
+- name: Générer une clé SSH pour le compte peer
+  become: yes
+  become_user: peer
+  command:
+    creates: /home/peers/self/.ssh/id_ed25519.pub
+    cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
+
+- name: Configurer SSH en ed25519 depuis le compte peer
+  copy:
+    src: ../files/ssh_config
+    dest: /home/peers/self/.ssh/config
--- a/roles/common/tasks/peering/setup_peer.yml
+++ b/roles/common/tasks/peering/setup_peer.yml
@ -0,0 +1,23 @@
+- name: Créer un compte pour le serveur pair
+  user:
+    name: "{{ item.name }}"
+    state: present
+    skeleton: /etc/skel
+    shell: /bin/bash
+    system: no
+    createhome: yes
+    home: "/home/peers/{{ item.name }}"
+
+- name: Configurer la clé autorisée pour le serveur pair
+  lineinfile:
+    path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
+    line: "{{ item.client_key }}"
+    create: yes
+    # TODO: dans authorized_keys pour restreindre le compte à SCP
+    #     no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
+    # TODO: chroot
+- name: Configurer le known_hosts du compte peer pour le serveur pair
+  lineinfile:
+    path: /home/peers/self/.ssh/known_hosts
+    create: yes
+    line: "{{ item.name }} {{ item.server_key }}"