Merge pull request #9 from mother-of-all-self-hosting/ssh
add sshd management
commit a0b2889455
4 changed files with 90 additions and 1 deletions
@ -35,3 +35,62 @@ To avoid these calculations and set your own size explicitly, set the `system_sw
```yaml
system_swap_size: 4096
```

### ssh

> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
> you should use it with caution and verify everything before you apply the changes!

To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

```yaml
########################################################################
# #
# system #
# #
########################################################################

system_security_ssh_enabled: true

system_security_ssh_port: 22

system_security_ssh_authorizedkeys: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys

########################################################################
# #
# /system #
# #
########################################################################
```

The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.

With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).

There are various configuration options - check the defaults and adjust them to your needs.

### fail2ban

To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

```yaml
########################################################################
# #
# system #
# #
########################################################################

system_security_fail2ban_enabled: true

system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"

########################################################################
# #
# /system #
# #
########################################################################
```
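Review bot: the docs leave the effect of the two key lists unspecified, and that is exactly where the lockout risk sits. Next to `system_security_ssh_authorizedkeys: [] # list of authorized public keys`, state whether an empty list leaves the server's existing `authorized_keys` untouched or removes every key the role does not know about, and whether password authentication remains enabled in the role's `sshd_config`, since the page tells the reader the existing file "will be replaced by a new one". A concrete safe sequence belongs beside the warning as well: put your own public key into `system_security_ssh_authorizedkeys` first, keep a second SSH session open while the play runs, and only then change `system_security_ssh_port`; the fail2ban section's comment already shows why the port matters, because `system_security_fail2ban_sshd_port` must track `system_security_ssh_port` or the jail is configured for a port sshd no longer listens on. Wording nit: "we strongly suggest you to **verify everything before applying any changes!**" reads better as "we strongly suggest that you verify everything before applying any changes".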
@ -1,5 +1,23 @@
---

########################################################################
# #
# system/security #
# #
########################################################################

system_security_ssh_enabled: false
system_security_fail2ban_enabled: false

########################################################################
# #
# /system/security #
# #
########################################################################




########################################################################
# #
# system/swap #
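Review bot: only the two enable flags get defaults here; in this PR `system_security_ssh_port`, `system_security_ssh_authorizedkeys`, `system_security_ssh_unauthorizedkeys` and `system_security_fail2ban_sshd_port` appear only in the documentation example, so a user who sets `system_security_fail2ban_enabled: true` without copying the whole block relies on whatever the external roles default to. Consider declaring them in this file with safe values, e.g. `system_security_ssh_port: 22` and `system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"`, so the jail follows the managed port by default and every playbook-level variable is visible in one place. Style nit: the four consecutive blank lines between the closing `/system/security` banner and the `system/swap` banner should be one, matching the spacing used around the other blocks.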
@ -10,7 +28,7 @@ system_swap_enabled: false

########################################################################
# #
# system/swap #
# /system/swap #
# #
########################################################################

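Review bot: this hunk only corrects the closing banner of the swap block (`# system/swap #` becomes `# /system/swap #`), which has nothing to do with sshd management; the fix is right, but it would be cleaner in its own commit so the PR diff stays purely about ssh and fail2ban.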
@ -6,6 +6,12 @@
- src: git+https://gitlab.com/etke.cc/roles/swap
version: 33ce32b065276a96b7e2562752f3a63913ed5480

- src: git+https://gitlab.com/etke.cc/roles/ssh
version: 237adf859f9270db8a60e720bc4a58164806644e

- src: git+https://gitlab.com/etke.cc/roles/fail2ban
version: 09886730e8d3c061f22d1da4a542899063f97f0a

- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 129c8590e106b83e6f4c259649a613c6279e937a

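Review bot: pinning the two new roles to full commit SHAs (`version: 237adf859f9270db8a60e720bc4a58164806644e` for ssh, `version: 09886730e8d3c061f22d1da4a542899063f97f0a` for fail2ban) rather than a branch is the right control for a dependency that rewrites `/etc/ssh/sshd_config` on every managed host; keep it that way, and when these pins are bumped, review the upstream diff between the old and new SHA before merging, since any change to the role's template lands on every server. Nit: a short comment beside each `version:` (tag or date) would let readers see what the pin corresponds to without resolving the hash.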
@ -39,6 +39,12 @@

- role: galaxy/swap

- when: system_security_ssh_enabled | bool
role: galaxy/ssh

- when: system_security_fail2ban_enabled | bool
role: galaxy/fail2ban

# This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
- role: galaxy/com.devture.ansible.role.postgres

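Review bot: two behaviours of these `when:` guards need documenting. First, with `when: system_security_ssh_enabled | bool` the role is skipped entirely when the flag is false, so flipping `system_security_ssh_enabled` back to `false` later does not restore the original `/etc/ssh/sshd_config`; the role-managed file stays in place until someone replaces it by hand. Second, the comment on the postgres role shows the playbook is driven by tags such as `setup-all`, and `galaxy/ssh` and `galaxy/fail2ban` are included here without `tags:`; unless those roles tag their own tasks (as the comment says postgres does), a run with `--tags=setup-all` skips both, and the docs' "re-run the installation process" would not apply the ssh config. Either add `tags:` to these two entries or confirm the roles tag their tasks, and say which in the docs. Ordering ssh before fail2ban is right, since the jail should come up against the port sshd actually listens on.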