From 49540354564158b08030593d9ae3da755513892a Mon Sep 17 00:00:00 2001
From: southerntofu
Date: Tue, 14 Apr 2020 13:27:31 +0000
Subject: [PATCH] =?UTF-8?q?Mise=20en=20place=20d'un=20canal=20d'=C3=A9chan?=
 =?UTF-8?q?ge=20de=20secrets=20entre=20pairs=20par=20SSH?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 host_vars/fr.yml | 4 ++++
 roles/common/files/ssh_config | 4 ++++
 roles/common/tasks/main.yml | 43 +++++++++++++++++++++++++++++++++++
 roles/common/tasks/peers.yml | 23 +++++++++++++++++++
 site.yml | 13 +++++++++++
 5 files changed, 87 insertions(+)
 create mode 100644 roles/common/files/ssh_config
 create mode 100644 roles/common/tasks/peers.yml

diff --git a/host_vars/fr.yml b/host_vars/fr.yml
index 2c0da12..0febf9b 100644
--- a/host_vars/fr.yml
+++ b/host_vars/fr.yml
@@ -1,4 +1,8 @@
 hostname: fr.tild3.org
+peers:
+ - name: tilde.netlib.re
+ client_key: "SSH key"
+ server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
 users:
 - name: tofu
 sudo: true
diff --git a/roles/common/files/ssh_config b/roles/common/files/ssh_config
new file mode 100644
index 0000000..490782b
--- /dev/null
+++ b/roles/common/files/ssh_config
@@ -0,0 +1,4 @@
+Host *
+ HostKeyAlgorithms ssh-ed25519
+ PubkeyAcceptedKeyTypes ssh-ed25519
+ PasswordAuthentication no
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index dd72c2a..8adfcbd 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
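Review bot: `client_key: "SSH key"` is a placeholder, and peers.yml writes that value verbatim into the peer account's `authorized_keys`; sshd skips a line that is not a valid key, so the mistake produces no playbook error and surfaces only as a refused login on the remote side. Document the expected shape next to the list, e.g. `# client_key: the peer's public key line ("ssh-ed25519 AAAA... comment"), as it should appear in authorized_keys`, and consider an `assert` in peers.yml such as `that: item.client_key is match('^ssh-ed25519 ')` so a placeholder fails the run instead of being installed. The `server_key` value is consistent with the `HostKeyAlgorithms ssh-ed25519` pin in ssh_config; keeping that coupling in a comment here would help whoever adds the next peer.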
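Review bot: The `Host *` block pins key algorithms but not host-key verification, even though peers.yml pre-populates `known_hosts` from `server_key` precisely so the peer can be pinned; adding `StrictHostKeyChecking yes` makes a missing or changed host key fail closed instead of falling back to the interactive prompt, which a non-interactive scp from the peer account cannot answer. `IdentitiesOnly yes` together with `IdentityFile ~/.ssh/id_ed25519` would also keep the client from offering any other key it can reach. Note that `PubkeyAcceptedKeyTypes` was renamed `PubkeyAcceptedAlgorithms` in newer OpenSSH releases; the old spelling is still accepted as an alias, so this is only a forward-compatibility remark.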
@@ -43,3 +43,46 @@
 - include: rust_packages.yml
 - include: users.yml
+
+- name: Créer le dossier /home/peers
+ file:
+ path: "/home/peers"
+ state: directory
+
+- name: Créer un compte peer pour se connecter avec d'autres serveurs
+ user:
+ name: "peer"
+ state: present
+ skeleton: /etc/skel
+ shell: /bin/bash
+ system: no
+ createhome: yes
+ home: "/home/peers/{{ hostname }}"
+
+- name: Créer un lien symbolique /home/peers/self
+ file:
+ dest: /home/peers/self
+ src: "/home/peers/{{ hostname }}"
+ state: link
+
+- file:
+ path: /home/peers/self/.ssh
+ owner: peer
+ group: peer
+ state: directory
+
+- name: Générer une clé SSH pour le compte peer
+ become: yes
+ become_user: peer
+ command:
+ creates: /home/peers/self/.ssh/id_ed25519.pub
+ cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
+
+- name: Configurer SSH en ed25519 depuis le compte peer
+ copy:
+ src: ../files/ssh_config
+ dest: /home/peers/self/.ssh/config
+
+- name: Générer les comptes
+ include: peers.yml
+ loop: "{{ peers }}"
diff --git a/roles/common/tasks/peers.yml b/roles/common/tasks/peers.yml
new file mode 100644
index 0000000..770f834
--- /dev/null
+++ b/roles/common/tasks/peers.yml
@@ -0,0 +1,23 @@
+- name: Créer un compte pour le serveur pair
+ user:
+ name: "{{ item.name }}"
+ state: present
+ skeleton: /etc/skel
+ shell: /bin/bash
+ system: no
+ createhome: yes
+ home: "/home/peers/{{ item.name }}"
+
+- name: Configurer la clé autorisée pour le serveur pair
+ lineinfile:
+ path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
+ line: "{{ item.client_key }}"
+ create: yes
+ # TODO: dans authorized_keys pour restreindre le compte à SCP
+ # no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
+ # TODO: chroot
+- name: Configurer le known_hosts du compte peer pour le serveur pair
+ lineinfile:
+ path: /home/peers/self/.ssh/known_hosts
+ create: yes
+ line: "{{ item.name }} {{ item.server_key }}"
diff --git a/site.yml b/site.yml
index dc9b5e4..94529e9 100644
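Review bot: The unnamed `file:` task that creates `/home/peers/self/.ssh` sets `owner`/`group` but no `mode`, so the directory that will hold the peer's private key gets whatever the umask yields (commonly 0755); add `mode: "0700"` and a `name:` so the task is identifiable in the run log. The last task loops `include: peers.yml` over `{{ peers }}`, which this patch defines only in `host_vars/fr.yml`, so every other host running the `common` role fails on an undefined variable; `loop: "{{ peers | default([]) }}"` makes the role safe on hosts without peers, and `include_tasks` is the current replacement for the deprecated `include` keyword. The `copy` of ssh_config likewise leaves the file root-owned with default mode, which OpenSSH accepts, but pinning `owner: peer` and `mode: "0600"` keeps the whole `.ssh` tree consistent. The `yes`/`no` values on `system`, `createhome` and `become` are YAML 1.1 booleans; `true`/`false` avoids the ambiguity.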
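Review bot: The `lineinfile` task for `authorized_keys` relies on `create: yes`, which creates the file but not its parent directory, and nothing in this patch creates `/home/peers/{{ item.name }}/.ssh` (the `user` task only copies `/etc/skel`), so the task should fail on first run unless the skeleton already contains `.ssh`; a `file` task creating the directory with `mode: "0700"` belongs before it. The same `lineinfile` should also pin `owner: "{{ item.name }}"` and `mode: "0600"` on `authorized_keys`, since sshd's StrictModes check rejects a group- or world-writable file and the present default leaves ownership to root. The TODO already notes the missing key options; until that lands, the peer account accepts an unrestricted login, so the restriction should be tracked rather than left as a comment.

```yaml
- name: Créer le dossier .ssh du serveur pair
  file:
    path: "/home/peers/{{ item.name }}/.ssh"
    owner: "{{ item.name }}"
    mode: "0700"
    state: directory

- name: Configurer la clé autorisée pour le serveur pair
  lineinfile:
    path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
    line: "{{ item.client_key }}"
    create: true
    owner: "{{ item.name }}"
    mode: "0600"
# … unchanged: known_hosts task …
```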
--- a/site.yml
+++ b/site.yml
@@ -7,3 +7,16 @@
 hosts: all
 roles:
 - webserver
+
+- name: installer le serveur de noms
+ hosts: all
+ roles:
+ - nameserver
+ vars:
+ primary:
+ - name: fr.tild3.org
+ file: ../files/fr.tild3.org.zone
+# secondary:
+# - ns1.tildeverse.org
+ send_to_secondary:
+ - myimaginaryfriend.example.com
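Review bot: The new nameserver play ships `send_to_secondary: - myimaginaryfriend.example.com`, a placeholder that the `nameserver` role (not in this patch) presumably turns into a notify or transfer target for the `fr.tild3.org` zone, so a zone transfer destination ends up configured from a made-up name; use an empty list, `send_to_secondary: []`, until a real secondary exists, and keep the commented `secondary:` block next to it with a one-line comment saying why it is disabled. The play also targets `hosts: all`, which makes every inventory host a primary for the zone; if that is intended it deserves a comment, otherwise a dedicated group is safer. This play is unrelated to the commit subject (peer SSH channel) and would be easier to review as its own commit.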