Mise en place d'un canal d'échange de secrets entre pairs par SSH

2020-04-14 13:27:31 +00:00 · 2020-04-14 13:27:31 +00:00 · 4954035456
parent 06409485c9
commit 4954035456
5 changed files with 87 additions and 0 deletions
--- a/host_vars/fr.yml
+++ b/host_vars/fr.yml
@ -1,4 +1,8 @@
 hostname: fr.tild3.org
+peers:
+  - name: tilde.netlib.re
+    client_key: "SSH key"
+    server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
 users:
  - name: tofu
    sudo: true
--- a/roles/common/files/ssh_config
+++ b/roles/common/files/ssh_config
@ -0,0 +1,4 @@
+Host *
+	HostKeyAlgorithms ssh-ed25519
+	PubkeyAcceptedKeyTypes ssh-ed25519
+	PasswordAuthentication no
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -43,3 +43,46 @@
 - include: rust_packages.yml

 - include: users.yml
+
+- name: Créer le dossier /home/peers
+  file:
+    path: "/home/peers"
+    state: directory
+
+- name: Créer un compte peer pour se connecter avec d'autres serveurs
+  user:
+    name: "peer"
+    state: present
+    skeleton: /etc/skel
+    shell: /bin/bash
+    system: no
+    createhome: yes
+    home: "/home/peers/{{ hostname }}"
+
+- name: Créer un lien symbolique /home/peers/self
+  file:
+    dest: /home/peers/self
+    src: "/home/peers/{{ hostname }}"
+    state: link
+
+- file:
+    path: /home/peers/self/.ssh
+    owner: peer
+    group: peer
+    state: directory
+
+- name: Générer une clé SSH pour le compte peer
+  become: yes
+  become_user: peer
+  command:
+    creates: /home/peers/self/.ssh/id_ed25519.pub
+    cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
+
+- name: Configurer SSH en ed25519 depuis le compte peer
+  copy:
+    src: ../files/ssh_config
+    dest: /home/peers/self/.ssh/config
+
+- name: Générer les comptes 
+  include: peers.yml
+  loop: "{{ peers }}"
--- a/roles/common/tasks/peers.yml
+++ b/roles/common/tasks/peers.yml
@ -0,0 +1,23 @@
+- name: Créer un compte pour le serveur pair
+  user:
+    name: "{{ item.name }}"
+    state: present
+    skeleton: /etc/skel
+    shell: /bin/bash
+    system: no
+    createhome: yes
+    home: "/home/peers/{{ item.name }}"
+
+- name: Configurer la clé autorisée pour le serveur pair
+  lineinfile:
+    path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
+    line: "{{ item.client_key }}"
+    create: yes
+    # TODO: dans authorized_keys pour restreindre le compte à SCP
+    #     no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
+    # TODO: chroot
+- name: Configurer le known_hosts du compte peer pour le serveur pair
+  lineinfile:
+    path: /home/peers/self/.ssh/known_hosts
+    create: yes
+    line: "{{ item.name }} {{ item.server_key }}"
--- a/site.yml
+++ b/site.yml
@ -7,3 +7,16 @@
  hosts: all
  roles:
    - webserver
+
+- name: installer le serveur de noms
+  hosts: all
+  roles:
+    - nameserver
+  vars:
+    primary:
+      - name: fr.tild3.org
+        file: ../files/fr.tild3.org.zone
+#    secondary:
+#      - ns1.tildeverse.org
+    send_to_secondary:
+      - myimaginaryfriend.example.com