From 05007804c0ab618363eb07e0ed0e481cc834fcf1 Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 18 Mar 2023 21:50:27 +0200
Subject: [PATCH 1/6] add sshd management
---
docs/services/system.md | 29 +++++++++++++++++++++++++++++
requirements.yml | 3 +++
setup.yml | 2 ++
3 files changed, 34 insertions(+)
diff --git a/docs/services/system.md b/docs/services/system.md
index 8091cf7..bfd4d0e 100644
--- a/docs/services/system.md
+++ b/docs/services/system.md
@@ -35,3 +35,32 @@ To avoid these calculations and set your own size explicitly, set the `system_sw
 ```yaml
 system_swap_size: 4096
 ```
+
+### ssh
+
+> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
+> you should use it with caution and verify everything before you apply the changes!
+
+To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+# #
+# system #
+# #
+########################################################################
+
+system_security_ssh_enabled: true
+system_security_ssh_authorizedkeys: [] # list of authorized public keys
+system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys
+
+########################################################################
+# #
+# /system #
+# #
+########################################################################
+```
+
+[Default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out.
+
+There are various of different configuration options - check the defaults and adjust them to your needs.
diff --git a/requirements.yml b/requirements.yml
index 4c7420b..e666944 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -6,6 +6,9 @@
 - src: git+https://gitlab.com/etke.cc/roles/swap
 version: 33ce32b065276a96b7e2562752f3a63913ed5480
+- src: git+https://gitlab.com/etke.cc/roles/ssh
+ version: 7458ce11f26822427eb5dc7356e59b3bd2399f7b
+
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 version: 129c8590e106b83e6f4c259649a613c6279e937a
diff --git a/setup.yml b/setup.yml
index 1a1f7e8..8c329d5 100644
--- a/setup.yml
+++ b/setup.yml
@@ -39,6 +39,8 @@
 - role: galaxy/swap
+ - role: galaxy/ssh
+
 # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
 - role: galaxy/com.devture.ansible.role.postgres
From bae6acb359679b916b6f0b5420a0bf7d195d4960 Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 18 Mar 2023 22:04:44 +0200
Subject: [PATCH 2/6] add fail2ban
---
docs/services/system.md | 24 ++++++++++++++++++++++++
requirements.yml | 3 +++
setup.yml | 2 ++
3 files changed, 29 insertions(+)
diff --git a/docs/services/system.md b/docs/services/system.md
index bfd4d0e..325ce82 100644
--- a/docs/services/system.md
+++ b/docs/services/system.md
@@ -64,3 +64,27 @@ system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public k
 [Default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out.
 There are various of different configuration options - check the defaults and adjust them to your needs.
+
+### fail2ban
+
+To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+# #
+# system #
+# #
+########################################################################
+
+system_security_fail2ban_enabled: true
+system_security_fail2ban_sshd_port: 22
+# if you decided to use the playbook-managed ssh described above,
+# you can replace the line above with the following:
+# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"
+
+########################################################################
+# #
+# /system #
+# #
+########################################################################
+```
diff --git a/requirements.yml b/requirements.yml
index e666944..85df2f6 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -9,6 +9,9 @@
 - src: git+https://gitlab.com/etke.cc/roles/ssh
 version: 7458ce11f26822427eb5dc7356e59b3bd2399f7b
+- src: git+https://gitlab.com/etke.cc/roles/fail2ban
+ version: 93f31e7153c521c8987091313a30938d6ae35337
+
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 version: 129c8590e106b83e6f4c259649a613c6279e937a
diff --git a/setup.yml b/setup.yml
index 8c329d5..96d3257 100644
--- a/setup.yml
+++ b/setup.yml
@@ -41,6 +41,8 @@
 - role: galaxy/ssh
+ - role: galaxy/fail2ban
+
 # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
 - role: galaxy/com.devture.ansible.role.postgres
From 92fbafd2eeff10906f21ffe1454410ce6e5a2ebf Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 18 Mar 2023 22:08:28 +0200
Subject: [PATCH 3/6] add missing group vars
---
group_vars/mash_servers | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/group_vars/mash_servers b/group_vars/mash_servers
index b2d8967..0633e8a 100644
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@@ -1,5 +1,23 @@
 ---
+########################################################################
+# #
+# system/security #
+# #
+########################################################################
+
+system_security_ssh_enabled: false
+system_security_fail2ban_enabled: false
+
+########################################################################
+# #
+# /system/security #
+# #
+########################################################################
+
+
+
 ########################################################################
 # #
 # system/swap #
@@ -10,7 +28,7 @@ system_swap_enabled: false
 ########################################################################
 # #
-# system/swap #
+# /system/swap #
 # #
 ########################################################################
From 794f0992e5f6e7bf3d04dbdf2e376848642a184e Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 18 Mar 2023 22:45:31 +0200
Subject: [PATCH 4/6] ssh and fail2ban refactoring
---
requirements.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.yml b/requirements.yml
index 85df2f6..6bba281 100644
--- a/requirements.yml
+++ b/requirements.yml
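Review bot: The three consecutive blank lines added between the `/system/security` footer box and the existing `system/swap` header box do not match the spacing the same hunk uses elsewhere (a single blank line between the variables and their boxes) and exceed yamllint's default `empty-lines` maximum of 2; collapse them to one blank line. Defaulting both `system_security_ssh_enabled` and `system_security_fail2ban_enabled` to `false` is the right call, since the docs in this series warn that enabling the ssh role replaces `sshd_config` and can lock an operator out. The rest of the group_vars file is outside the hunk.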
@@ -7,10 +7,10 @@
 version: 33ce32b065276a96b7e2562752f3a63913ed5480
 - src: git+https://gitlab.com/etke.cc/roles/ssh
- version: 7458ce11f26822427eb5dc7356e59b3bd2399f7b
+ version: 237adf859f9270db8a60e720bc4a58164806644e
 - src: git+https://gitlab.com/etke.cc/roles/fail2ban
- version: 93f31e7153c521c8987091313a30938d6ae35337
+ version: 09886730e8d3c061f22d1da4a542899063f97f0a
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 version: 129c8590e106b83e6f4c259649a613c6279e937a
From 93e5a4eab5948e2003429f84fe087d9e0f2c0fdf Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 18 Mar 2023 22:47:41 +0200
Subject: [PATCH 5/6] activate ssh and fail2ban roles only when enabled
---
setup.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/setup.yml b/setup.yml
index 96d3257..4a7a26d 100644
--- a/setup.yml
+++ b/setup.yml
@@ -39,9 +39,11 @@
 - role: galaxy/swap
- - role: galaxy/ssh
+ - when: system_security_ssh_enabled | bool
+ role: galaxy/ssh
- - role: galaxy/fail2ban
+ - when: system_security_fail2ban_enabled | bool
+ role: galaxy/fail2ban
 # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
 - role: galaxy/com.devture.ansible.role.postgres
From 2617c8801308a62c75659a044bcff2d351e3196e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 19 Mar 2023 08:25:33 +0200
Subject: [PATCH 6/6] Update system.md
---
docs/services/system.md | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/docs/services/system.md b/docs/services/system.md
index 325ce82..bdbad60 100644
--- a/docs/services/system.md
+++ b/docs/services/system.md
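Review bot: The new `when:` guards on `galaxy/ssh` and `galaxy/fail2ban` only skip the roles, so a host that once ran with `system_security_ssh_enabled: true` keeps the role-managed `/etc/ssh/sshd_config` (and fail2ban) after the flag is flipped back to `false`; nothing in this play restores the distribution config, and the docs in this series describe enabling only. Worth a comment above the two entries so operators do not assume the flag is reversible, e.g. `# Setting these flags to false only skips the roles; it does not revert the managed sshd_config or remove fail2ban.` Separately, the fail2ban role is included right after the ssh role but the play never checks that `system_security_fail2ban_sshd_port` agrees with the port the ssh role configures; if they diverge the sshd jail presumably watches the wrong port, so a `pre_tasks` `assert` comparing the two variables when both flags are true would surface the mismatch before either role applies anything. The play's role list continues outside the hunk.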
@@ -51,6 +51,9 @@ To enable [ssh server](https://www.openssh.com/) config and authorized/unauthori
 ########################################################################
 system_security_ssh_enabled: true
+
+system_security_ssh_port: 22
+
 system_security_ssh_authorizedkeys: [] # list of authorized public keys
 system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys
@@ -61,9 +64,11 @@ system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public k
 ########################################################################
 ```
-[Default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out.
+The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.
-There are various of different configuration options - check the defaults and adjust them to your needs.
+With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).
+
+There are various configuration options - check the defaults and adjust them to your needs.
 ### fail2ban
@@ -77,8 +82,9 @@ To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation
 ########################################################################
 system_security_fail2ban_enabled: true
+
 system_security_fail2ban_sshd_port: 22
-# if you decided to use the playbook-managed ssh described above,
+# If you enabled playbook-managed ssh as described above,
 # you can replace the line above with the following:
 # system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"