Merge pull request #9 from mother-of-all-self-hosting/ssh

add sshd management
This commit is contained in:
Slavi Pantaleev 2023-03-19 08:25:41 +02:00 committed by GitHub
commit a0b2889455
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 90 additions and 1 deletions

View file

@ -35,3 +35,62 @@ To avoid these calculations and set your own size explicitly, set the `system_sw
```yaml ```yaml
system_swap_size: 4096 system_swap_size: 4096
``` ```
### ssh
> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
> you should use it with caution and verify everything before you apply the changes!
To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# system #
# #
########################################################################
system_security_ssh_enabled: true
system_security_ssh_port: 22
system_security_ssh_authorizedkeys: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys
########################################################################
# #
# /system #
# #
########################################################################
```
The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.
With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).
There are various configuration options - check the defaults and adjust them to your needs.
### fail2ban
To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# system #
# #
########################################################################
system_security_fail2ban_enabled: true
system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"
########################################################################
# #
# /system #
# #
########################################################################
```

View file

@ -1,5 +1,23 @@
--- ---
########################################################################
# #
# system/security #
# #
########################################################################
system_security_ssh_enabled: false
system_security_fail2ban_enabled: false
########################################################################
# #
# /system/security #
# #
########################################################################
######################################################################## ########################################################################
# # # #
# system/swap # # system/swap #
@ -10,7 +28,7 @@ system_swap_enabled: false
######################################################################## ########################################################################
# # # #
# system/swap # # /system/swap #
# # # #
######################################################################## ########################################################################

View file

@ -6,6 +6,12 @@
- src: git+https://gitlab.com/etke.cc/roles/swap - src: git+https://gitlab.com/etke.cc/roles/swap
version: 33ce32b065276a96b7e2562752f3a63913ed5480 version: 33ce32b065276a96b7e2562752f3a63913ed5480
- src: git+https://gitlab.com/etke.cc/roles/ssh
version: 237adf859f9270db8a60e720bc4a58164806644e
- src: git+https://gitlab.com/etke.cc/roles/fail2ban
version: 09886730e8d3c061f22d1da4a542899063f97f0a
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 129c8590e106b83e6f4c259649a613c6279e937a version: 129c8590e106b83e6f4c259649a613c6279e937a

View file

@ -39,6 +39,12 @@
- role: galaxy/swap - role: galaxy/swap
- when: system_security_ssh_enabled | bool
role: galaxy/ssh
- when: system_security_fail2ban_enabled | bool
role: galaxy/fail2ban
# This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here. # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
- role: galaxy/com.devture.ansible.role.postgres - role: galaxy/com.devture.ansible.role.postgres