Mise en place d'un canal d'échange de secrets entre pairs par SSH
This commit is contained in:
parent
06409485c9
commit
4954035456
|
@ -1,4 +1,8 @@
|
||||||
hostname: fr.tild3.org
|
hostname: fr.tild3.org
|
||||||
|
peers:
|
||||||
|
- name: tilde.netlib.re
|
||||||
|
client_key: "SSH key"
|
||||||
|
server_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUAIuwEhFXTDfOEG+hQ2d/xeUwsgPJQF7oeNYr1ZXnG"
|
||||||
users:
|
users:
|
||||||
- name: tofu
|
- name: tofu
|
||||||
sudo: true
|
sudo: true
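Review bot: `client_key: "SSH key"` on the tilde.netlib.re entry is a placeholder, and peers.yml writes `item.client_key` verbatim into that account's authorized_keys, so the result is an unparseable line sshd ignores and the peer cannot log in until a real `ssh-ed25519 AAAA…` public key is put here. To fail fast instead of silently deploying a dead entry, guard the write with something like `- assert: { that: item.client_key is match('^ssh-ed25519 ') }` — consistent with the ed25519-only client config this commit adds. Both values are public keys, so committing them is fine; `server_key` is what known_hosts pins on every peer, so it should be verified out-of-band against the fingerprint the peer actually serves.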
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
Host *
|
||||||
|
HostKeyAlgorithms ssh-ed25519
|
||||||
|
PubkeyAcceptedKeyTypes ssh-ed25519
|
||||||
|
PasswordAuthentication no
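Review bot: The `Host *` block pins algorithms but leaves host-key checking at its default (`ask`), so when `known_hosts` (pre-populated by peers.yml) lacks an entry or a peer rotates its key, a non-interactive run from the `peer` account gets a prompt/failure rather than a clean refusal; add `StrictHostKeyChecking yes` so the pinned `server_key` is the only thing ever trusted. `IdentitiesOnly yes` with `IdentityFile ~/.ssh/id_ed25519` would also stop an inherited agent from offering unrelated keys to peers. `PubkeyAcceptedKeyTypes` is the pre-8.5 spelling of `PubkeyAcceptedAlgorithms`; current OpenSSH still accepts the old name as an alias, so this is cosmetic unless the target is very new.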
|
|
@ -43,3 +43,46 @@
|
||||||
- include: rust_packages.yml
|
- include: rust_packages.yml
|
||||||
|
|
||||||
- include: users.yml
|
- include: users.yml
|
||||||
|
|
||||||
|
- name: Créer le dossier /home/peers
|
||||||
|
file:
|
||||||
|
path: "/home/peers"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Créer un compte peer pour se connecter avec d'autres serveurs
|
||||||
|
user:
|
||||||
|
name: "peer"
|
||||||
|
state: present
|
||||||
|
skeleton: /etc/skel
|
||||||
|
shell: /bin/bash
|
||||||
|
system: no
|
||||||
|
createhome: yes
|
||||||
|
home: "/home/peers/{{ hostname }}"
|
||||||
|
|
||||||
|
- name: Créer un lien symbolique /home/peers/self
|
||||||
|
file:
|
||||||
|
dest: /home/peers/self
|
||||||
|
src: "/home/peers/{{ hostname }}"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- file:
|
||||||
|
path: /home/peers/self/.ssh
|
||||||
|
owner: peer
|
||||||
|
group: peer
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Générer une clé SSH pour le compte peer
|
||||||
|
become: yes
|
||||||
|
become_user: peer
|
||||||
|
command:
|
||||||
|
creates: /home/peers/self/.ssh/id_ed25519.pub
|
||||||
|
cmd: ssh-keygen -t ed25519 -f /home/peers/self/.ssh/id_ed25519 -N ""
|
||||||
|
|
||||||
|
- name: Configurer SSH en ed25519 depuis le compte peer
|
||||||
|
copy:
|
||||||
|
src: ../files/ssh_config
|
||||||
|
dest: /home/peers/self/.ssh/config
|
||||||
|
|
||||||
|
- name: Générer les comptes
|
||||||
|
include: peers.yml
|
||||||
|
loop: "{{ peers }}"
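Review bot: `/home/peers/self/.ssh` is created without `mode`, and the `ssh_config` copy sets neither owner nor mode, so both take the umask defaults (typically a 0755 directory and a root-owned 0644 file) instead of the 0700 directory and private config the `peer` account should own; add `mode: "0700"` to the directory task and `owner: peer`, `group: peer`, `mode: "0600"` to the copy task. The key is generated unencrypted (`-N ""`), which is normal for a machine account, but it means anyone able to read `/home/peers/self/.ssh/id_ed25519` can impersonate this host to every peer, so the directory permissions are the only protection. `include` driven by `loop` (the last task) is deprecated in favour of `include_tasks` and has been dropped from newer ansible-core releases, so the peers loop will stop working on upgrade; `system: no` / `createhome: yes` should also be `false` / `true` per Ansible's YAML conventions.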
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
- name: Créer un compte pour le serveur pair
|
||||||
|
user:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
state: present
|
||||||
|
skeleton: /etc/skel
|
||||||
|
shell: /bin/bash
|
||||||
|
system: no
|
||||||
|
createhome: yes
|
||||||
|
home: "/home/peers/{{ item.name }}"
|
||||||
|
|
||||||
|
- name: Configurer la clé autorisée pour le serveur pair
|
||||||
|
lineinfile:
|
||||||
|
path: "/home/peers/{{ item.name }}/.ssh/authorized_keys"
|
||||||
|
line: "{{ item.client_key }}"
|
||||||
|
create: yes
|
||||||
|
# TODO: dans authorized_keys pour restreindre le compte à SCP
|
||||||
|
# no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
|
||||||
|
# TODO: chroot
|
||||||
|
- name: Configurer le known_hosts du compte peer pour le serveur pair
|
||||||
|
lineinfile:
|
||||||
|
path: /home/peers/self/.ssh/known_hosts
|
||||||
|
create: yes
|
||||||
|
line: "{{ item.name }} {{ item.server_key }}"
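Review bot: The authorized_keys task writes `item.client_key` with `lineinfile` into `/home/peers/{{ item.name }}/.ssh/`, but nothing in this commit creates that `.ssh` directory (main.yml only creates `self/.ssh`), so unless /etc/skel already ships one the task fails; when it does succeed the file is root-owned with the default mode and the key is unrestricted on an account that has `/bin/bash`, which the TODO comments acknowledge. The `authorized_key` module creates the directory and file with the right ownership and 0700/0600 modes and takes `key_options`, so the restriction can be applied now rather than left as a TODO, and the `known_hosts` module replaces the second `lineinfile` the same way. `restrict` needs OpenSSH 7.2 or later; on older sshd spell out `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty`, and a forced `command=` can be added once the scp-only workflow is settled.
```yaml
- name: Configurer la clé autorisée pour le serveur pair
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.client_key }}"
    key_options: "restrict"
    state: present

- name: Configurer le known_hosts du compte peer pour le serveur pair
  known_hosts:
    path: /home/peers/self/.ssh/known_hosts
    name: "{{ item.name }}"
    key: "{{ item.name }} {{ item.server_key }}"
    state: present
```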
|
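--- a/site.yml
+++ b/site.yml
@@ -7,3 +7,16 @@
 hosts: all
 roles:
 - webserver
+
+- name: installer le serveur de noms
+hosts: all
+roles:
+- nameserver
+vars:
+primary:
+- name: fr.tild3.org
+file: ../files/fr.tild3.org.zone
+# secondary:
+# - ns1.tildeverse.org
+send_to_secondary:
+- myimaginaryfriend.example.com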
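Review bot: `send_to_secondary` lists `myimaginaryfriend.example.com`, a placeholder, while the real `secondary` entry is commented out; if the nameserver role turns this list into allow-transfer/also-notify, the zone is offered to whatever that name resolves to, so either leave it empty (`send_to_secondary: []`) until ns1.tildeverse.org is confirmed or restrict it to an address you control. The play also runs with `hosts: all`, so every inventory host becomes an authoritative server for fr.tild3.org; confirm that is intended. The nameserver role itself is outside this commit, so how these vars are consumed is inferred.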