diff --git a/ansible/roles/apt/defaults/main.yml b/ansible/roles/apt/defaults/main.yml
index b23f4ff..738a1d7 100644
--- a/ansible/roles/apt/defaults/main.yml
+++ b/ansible/roles/apt/defaults/main.yml
@@ -8,6 +8,11 @@ apt_packages:
 - nmap
 - sysstat
 - vim
+ - gnupg
+ - software-properties-common
+ - psmisc
+ - sudo
+ - mosh
 apt_install_packages: false
 apt_update_packages: true
diff --git a/ansible/roles/configure-nomad/tasks/main.yml b/ansible/roles/configure-nomad/tasks/main.yml
index ecb90f9..84596e5 100644
--- a/ansible/roles/configure-nomad/tasks/main.yml
+++ b/ansible/roles/configure-nomad/tasks/main.yml
@@ -41,25 +41,3 @@
 enabled: yes
 state: started
 when: ansible_check_mode == false
-
-- name: Check nomad status
- become: true
- shell: nomad status
- register: nomad_status
- when: ansible_check_mode == false
-
-- name: Print nomad status
- debug:
- msg: '{{ nomad_status.stdout }}'
- when: ansible_check_mode == false
-
-- name: Check nomad members
- become: true
- shell: nomad server members
- register: nomad_members
- when: ansible_check_mode == false
-
-- name: Print nomad members
- debug:
- msg: '{{ nomad_members.stdout }}'
- when: ansible_check_mode == false
diff --git a/ansible/roles/ssh/defaults/main.yml b/ansible/roles/ssh/defaults/main.yml
index bf05dc2..74bb32f 100644
--- a/ansible/roles/ssh/defaults/main.yml
+++ b/ansible/roles/ssh/defaults/main.yml
@@ -6,6 +6,9 @@ github_users:
 - user: mojito # omitting account variable won't add any github keys to the user.
 account: DistroByte
- groups: [sudo, docker]
+ groups: [sudo]
+ - user: slatt
+ account: cawnj
+ groups: [sudo]
 github_url: https://github.com
diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
index 479032a..ac0fc61 100644
--- a/ansible/roles/ssh/tasks/main.yml
+++ b/ansible/roles/ssh/tasks/main.yml
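Review bot: `mosh` is added to `apt_packages` with no accompanying firewall or documentation change; mosh-server listens on a UDP range (60000-61000 by default), so a host that only admits TCP/22 gets a client-facing service that is either unreachable or, once the firewall is opened, a second remote-shell entry point that nobody has written down. A comment beside the entry such as `# mosh-server uses UDP 60000-61000; the host firewall must allow it` would make that visible. `sudo` is likewise only installed here, while `roles/ssh/defaults` in the same commit assigns users to `groups: [sudo]`, so the apt role (with `apt_install_packages` enabled) has to have run before the ssh role on a fresh host; recording that ordering in a one-line comment avoids a failed or silently skipped group assignment.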
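Review bot: Both `github_users` entries now carry `groups: [sudo]`, but the only documentation in the hunk is the comment about omitting `account`; nothing records that membership here is root-equivalent, nor that the keys granting it are fetched at deploy time from `{{ github_url }}/<account>.keys` (see the `authorized_key` task in roles/ssh/tasks), which makes the GitHub account the effective trust anchor for root on every host. Add a comment above the list, e.g. `# Users listed here get sudo on every host; their keys are pulled from the named GitHub account at deploy time, so that account's security gates root access.` Dropping `docker` from mojito while granting `sudo` to slatt is consistent with that model; the intent just needs to be visible to the next person editing this file.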
@@ -17,16 +17,39 @@
 with_items: "{{ github_users }}"
 - name: Ensure authorized_keys for GitHub user accounts are present
+ become: true
 authorized_key:
 user: "{{ item.user | default(item) }}"
 key: "{{ github_url }}/{{ item.account | default('') }}.keys"
 manage_dir: true
+ state: present
 exclusive: False
 with_items: "{{ github_users }}"
- ignore_errors: yes
+ ignore_errors: true
 register: task_result
 failed_when: "'blah' in task_result"
 - name: Tell user to generate openVPN configuration for users
 debug:
 msg: "Please generate openVPN configuration for users: {{ task_result.results | map(attribute='item') | map(attribute='user') | list | join(', ') }}. See https://docs.redbrick.dcu.ie/aperture/vpn/ for more information."
+
+- name: Copy configuraion to host
+ become: true
+ ansible.builtin.copy:
+ src: templates/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ force: true
+
+- name: Restart sshd
+ become: true
+ service:
+ name: sshd
+ state: restarted
+
+- name: Inform user to add password for account
+ debug:
+ msg: "Please add a password for the following accounts: {{ github_users | map(attribute='user') | list | join(', ') }}. See https://docs.redbrick.dcu.ie/aperture/ssh/ for more information."
+
+# - name: Remove user account
+# debug:
+# msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"'
\ No newline at end of file
diff --git a/ansible/templates/nomad-client.hcl b/ansible/templates/nomad-client.hcl
index 1ca0be3..993a595 100644
--- a/ansible/templates/nomad-client.hcl
+++ b/ansible/templates/nomad-client.hcl
@@ -15,4 +15,4 @@ plugin "docker" {
 enabled = true
 }
 }
-}
+}
\ No newline at end of file
diff --git a/ansible/templates/sshd_config.j2 b/ansible/templates/sshd_config.j2
new file mode 100644
index 0000000..e11275f
--- /dev/null
+++ b/ansible/templates/sshd_config.j2
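Review bot: The `Copy configuraion to host` task overwrites `/etc/ssh/sshd_config` with no `validate:`, and the following `Restart sshd` task restarts the daemon unconditionally, so a syntax error in the shipped file (or a bad `Include` target on one host) takes SSH down across the whole run with nothing but console access to recover. Add `validate: "/usr/sbin/sshd -t -f %s"` and explicit `owner`/`group`/`mode` to the copy task, and turn the restart into a handler reached via `notify` so sshd is only bounced when the file actually changed. The source is `templates/sshd_config.j2`, but `ansible.builtin.copy` does not render Jinja, so either the `.j2` suffix is misleading or the task should be `ansible.builtin.template`; the task name also misspells "configuration". Whether `name: sshd` resolves on the targets depends on the distribution (Debian/Ubuntu ship `ssh.service` with an `sshd` alias), which is worth confirming against the inventory rather than assuming.
```yaml
- name: Copy sshd configuration to host
  become: true
  ansible.builtin.copy:
    src: templates/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    force: true
    # reject the new file before it is installed; a broken config would otherwise lock everyone out
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart sshd

# … unchanged: "Inform user to add password for account" task …
# ("Restart sshd" moves to handlers/main.yml as the handler named above)
```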
@@ -0,0 +1,22 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+ChallengeResponseAuthentication no
+
+UsePAM no
+
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+Port 22
+
+PermitRootLogin no
+PubkeyAuthentication yes
+AuthorizedKeysFile %h/.ssh/authorized_keys
+PasswordAuthentication yes
+PermitEmptyPasswords no
+GSSAPIAuthentication no
+AuthenticationMethods publickey,password
+
+Match address 10.10.0.0/24,10.8.0.0/24,10.230.0.0/16,136.206.15.0/24,136.206.16.0/24
+ AuthenticationMethods publickey password
\ No newline at end of file
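Review bot: The `Match address` block at the end relaxes the global `AuthenticationMethods publickey,password` (key AND password) to `publickey password` (key OR password), so password-only logins are accepted from every listed range, and two of those ranges (136.206.15.0/24, 136.206.16.0/24) are publicly routable space rather than RFC 1918; with `UsePAM no` a few lines up, PAM account checks and any PAM-driven lockout do not apply to those attempts either. If that split is intentional, say so in the file above the Match line, e.g. `# Global: key AND password. From the ranges below: key OR password (password-only allowed).`, name which ranges are VPN versus other networks, and consider `MaxAuthTries` or an external rate limiter for the password-only path; if password-only was only meant for the VPN ranges, drop the public ones from the list. The file also carries a `.j2` suffix but contains no Jinja and is deployed with `ansible.builtin.copy`, so either rename it or switch the deploying task to `template`. `X11Forwarding yes` on a server is usually unneeded and is worth a one-line justification or a `no`.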