diff --git a/config.yml b/config.yml
index 750cd51..2ea62c8 100644
--- a/config.yml
+++ b/config.yml
@@ -1,5 +1,9 @@
 hostname: fr.tild3.org
 roles: [ webserver, rust ]
+peers:
+ - name: tilde.netlib.re
+ client_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHsVZvvVX3VPj2sWxrb8LJrn3650aoLAZgbY7+CB+NU"
+ server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
 packages:
 debian: [ subversion, mercurial, htop, tmux, vim, emacs, mutt, weechat, elinks, rsync, dnsutils, make, g++, libssl-dev, mosh, gopher ]
 rust: [ lsd ]
diff --git a/roles/common/files/ssh_config b/roles/common/files/ssh_config
new file mode 100644
index 0000000..490782b
--- /dev/null
+++ b/roles/common/files/ssh_config
@@ -0,0 +1,4 @@
+Host *
+ HostKeyAlgorithms ssh-ed25519
+ PubkeyAcceptedKeyTypes ssh-ed25519
+ PasswordAuthentication no
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1a0d8e1..004004b 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -26,6 +26,10 @@
 - include: users.yml
+- name: Activer le peering
+ include: peering/main.yml
+ when: peers is defined
+
 - name: Exécuter les rôles définis dans la config
 include_role:
 name: "{{ current_role }}"
diff --git a/roles/common/tasks/peering/main.yml b/roles/common/tasks/peering/main.yml
new file mode 100644
index 0000000..55c5ffb
--- /dev/null
+++ b/roles/common/tasks/peering/main.yml
@@ -0,0 +1,15 @@
+- name: Créer le dossier /home/peers
+ file:
+ path: "/home/peers"
+ state: directory
+
+- stat:
+ path: "/home/peers/self"
+ register: local_peer
+
+- include: setup_local.yml
+ when: ! local_peer.stat.exists
+
+- name: Générer les comptes
+ include: setup_peer.yml
+ loop: "{{ peers }}"
diff --git a/roles/common/tasks/peering/setup_local.yml b/roles/common/tasks/peering/setup_local.yml
new file mode 100644
index 0000000..0132ac4
--- /dev/null
+++ b/roles/common/tasks/peering/setup_local.yml
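Review bot: The new client config pins key algorithms but leaves host-key verification at OpenSSH's default (`StrictHostKeyChecking ask`), so the known_hosts entries that setup_peer.yml writes from `server_key` are not the only way a host key can be accepted: at an interactive prompt an unknown key could still be added. Add `StrictHostKeyChecking yes` under `Host *` so the `peer` account only connects to hosts whose key was provisioned from config.yml, and failures on anything else are loud. `PubkeyAcceptedKeyTypes` was renamed `PubkeyAcceptedAlgorithms` in OpenSSH 8.5; the old spelling is kept as an alias, but the new one is what current documentation uses.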
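Review bot: The new task uses the `include` action, matching the existing `- include: users.yml` context line above it, but `include` has been deprecated since Ansible 2.4 in favour of `include_tasks` (dynamic) or `import_tasks` (static) and is removed in newer ansible-core releases; `include: peering/main.yml` → `include_tasks: peering/main.yml` keeps the `when: peers is defined` guard working unchanged. The same applies to the two `include:` lines in the new peering/main.yml hunk. Since the file already follows the old convention this is a style point, not a regression introduced here.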
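Review bot: `when: ! local_peer.stat.exists` does not negate the test: a plain YAML scalar beginning with `!` is a tag, so the parser applies the non-specific `!` tag and the expression Ansible actually evaluates is `local_peer.stat.exists`. The include of setup_local.yml therefore runs only when `/home/peers/self` already exists and is skipped on a fresh host, the opposite of the intent; write `when: not local_peer.stat.exists`. The bare `- stat:` task would also read better with a `name:` like the tasks around it, e.g. `- name: Vérifier si le compte peer local existe`.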
@@ -0,0 +1,34 @@
+- name: Créer un compte peer pour se connecter avec d'autres serveurs
+ user:
+ name: "peer"
+ state: present
+ skeleton: /etc/skel
+ shell: /bin/bash
+ system: no
+ createhome: yes
+ home: "/home/peers/self"
+
+
+- name: Créer un lien symbolique au hostname du serveur
+ file:
+ src: /home/peers/self
+ dest: "/home/peers/{{ hostname }}"
+ state: link
+
+- file:
+ path: /home/peers/self/.ssh
+ owner: peer
+ group: peer
+ state: directory
+
+- name: Générer une clé SSH pour le compte peer
+ become: yes
+ become_user: peer
+ command:
+ creates: /home/peers/self/.ssh/id_ed25519.pub
+ cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
+
+- name: Configurer SSH en ed25519 depuis le compte peer
+ copy:
+ src: ../files/ssh_config
+ dest: /home/peers/self/.ssh/config
diff --git a/roles/common/tasks/peering/setup_peer.yml b/roles/common/tasks/peering/setup_peer.yml
new file mode 100644
index 0000000..770f834
--- /dev/null
+++ b/roles/common/tasks/peering/setup_peer.yml
@@ -0,0 +1,23 @@
+- name: Créer un compte pour le serveur pair
+ user:
+ name: "{{ item.name }}"
+ state: present
+ skeleton: /etc/skel
+ shell: /bin/bash
+ system: no
+ createhome: yes
+ home: "/home/peers/{{ item.name }}"
+
+- name: Configurer la clé autorisée pour le serveur pair
+ lineinfile:
+ path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
+ line: "{{ item.client_key }}"
+ create: yes
+ # TODO: dans authorized_keys pour restreindre le compte à SCP
+ # no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
+ # TODO: chroot
+- name: Configurer le known_hosts du compte peer pour le serveur pair
+ lineinfile:
+ path: /home/peers/self/.ssh/known_hosts
+ create: yes
+ line: "{{ item.name }} {{ item.server_key }}"
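Review bot: The `copy` task that installs `ssh_config` as `/home/peers/self/.ssh/config` sets no `owner`, `group` or `mode`, so the file is written with the privileges the play runs under (presumably root, given the explicit `become_user: peer` needed for the keygen task) and the default umask, and the `.ssh` directory created just above it gets the default directory mode rather than the `0700` conventionally expected for a user's `.ssh`. Add `mode: "0700"` to the `.ssh` `file` task and `owner: peer`, `group: peer`, `mode: "0600"` to the `copy` task so the `peer` account owns its own client configuration. The `system: no` / `createhome: yes` values are YAML 1.1 truthy strings; `false`/`true` are the canonical booleans and `create_home` is the current name of that `user` parameter.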
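Review bot: The `lineinfile` writing `/home/peers/{{ item.name }}/.ssh/authorized_keys` relies on `create: yes`, but `lineinfile` does not create missing parent directories and the preceding `user` task only copies `/etc/skel`, which normally contains no `.ssh` (setup_local.yml has to create `/home/peers/self/.ssh` explicitly for the same reason), so on a fresh host this task is likely to fail with a missing destination directory. Insert a `file` task creating that `.ssh` directory owned by the peer account with `mode: "0700"` before it, and give the `authorized_keys` file explicit `owner`/`group`/`mode: "0600"` so sshd's StrictModes checks are satisfied regardless of umask. The TODO about restricting the account can be addressed with the `authorized_key` module, whose `key_options` parameter carries `no-port-forwarding,no-pty,command=...` without hand-editing the file; until that lands, each peer entry is a full interactive shell account (`shell: /bin/bash`) reachable with the peer's key, which is worth stating in the task name or a comment.
```yaml
- name: Créer le dossier .ssh du serveur pair
  file:
    path: "/home/peers/{{ item.name }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0700"

- name: Configurer la clé autorisée pour le serveur pair
  lineinfile:
    path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
    line: "{{ item.client_key }}"
    create: yes
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0600"
# … unchanged: TODO comments and the known_hosts task …
```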