Mise en place d'un canal d'échange de secrets entre pairs par SSH
This commit is contained in:
parent
06409485c9
commit
4954035456
|
@ -1,4 +1,8 @@
|
|||
hostname: fr.tild3.org
|
||||
peers:
|
||||
- name: tilde.netlib.re
|
||||
client_key: "SSH key"
|
||||
server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
|
||||
users:
|
||||
- name: tofu
|
||||
sudo: true
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
Host *
|
||||
HostKeyAlgorithms ssh-ed25519
|
||||
PubkeyAcceptedKeyTypes ssh-ed25519
|
||||
PasswordAuthentication no
|
|
@ -43,3 +43,46 @@
|
|||
- include: rust_packages.yml
|
||||
|
||||
- include: users.yml
|
||||
|
||||
- name: Créer le dossier /home/peers
|
||||
file:
|
||||
path: "/home/peers"
|
||||
state: directory
|
||||
|
||||
- name: Créer un compte peer pour se connecter avec d'autres serveurs
|
||||
user:
|
||||
name: "peer"
|
||||
state: present
|
||||
skeleton: /etc/skel
|
||||
shell: /bin/bash
|
||||
system: no
|
||||
createhome: yes
|
||||
home: "/home/peers/{{ hostname }}"
|
||||
|
||||
- name: Créer un lien symbolique /home/peers/self
|
||||
file:
|
||||
dest: /home/peers/self
|
||||
src: "/home/peers/{{ hostname }}"
|
||||
state: link
|
||||
|
||||
- file:
|
||||
path: /home/peers/self/.ssh
|
||||
owner: peer
|
||||
group: peer
|
||||
state: directory
|
||||
|
||||
- name: Générer une clé SSH pour le compte peer
|
||||
become: yes
|
||||
become_user: peer
|
||||
command:
|
||||
creates: /home/peers/self/.ssh/id_ed25519.pub
|
||||
cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
|
||||
|
||||
- name: Configurer SSH en ed25519 depuis le compte peer
|
||||
copy:
|
||||
src: ../files/ssh_config
|
||||
dest: /home/peers/self/.ssh/config
|
||||
|
||||
- name: Générer les comptes
|
||||
include: peers.yml
|
||||
loop: "{{ peers }}"
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
- name: Créer un compte pour le serveur pair
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
state: present
|
||||
skeleton: /etc/skel
|
||||
shell: /bin/bash
|
||||
system: no
|
||||
createhome: yes
|
||||
home: "/home/peers/{{ item.name }}"
|
||||
|
||||
- name: Configurer la clé autorisée pour le serveur pair
|
||||
lineinfile:
|
||||
path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
|
||||
line: "{{ item.client_key }}"
|
||||
create: yes
|
||||
# TODO: dans authorized_keys pour restreindre le compte à SCP
|
||||
# no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
|
||||
# TODO: chroot
|
||||
- name: Configurer le known_hosts du compte peer pour le serveur pair
|
||||
lineinfile:
|
||||
path: /home/peers/self/.ssh/known_hosts
|
||||
create: yes
|
||||
line: "{{ item.name }} {{ item.server_key }}"
|
Loading…
Reference in New Issue