From 25f82ca854fd145ca3953f22a1f957b6c78c68da Mon Sep 17 00:00:00 2001
From: Arthur BOUDREAULT
Date: Tue, 28 Feb 2023 13:19:41 +0000
Subject: [PATCH] feat(ynh_config): add the posibility to change SSH Port
---
roles/ynh_config/README-FR.md | 11 ++++++++
roles/ynh_config/README.md | 11 ++++++++
roles/ynh_config/defaults/main.yml | 2 ++
roles/ynh_config/tasks/main.yml | 9 ++++++-
roles/ynh_config/tasks/sshd_configuration.yml | 26 +++++++++++++++++++
5 files changed, 58 insertions(+), 1 deletion(-)
create mode 100644 roles/ynh_config/tasks/sshd_configuration.yml
diff --git a/roles/ynh_config/README-FR.md b/roles/ynh_config/README-FR.md
index bc959f0..e23b072 100644
--- a/roles/ynh_config/README-FR.md
+++ b/roles/ynh_config/README-FR.md
@@ -50,6 +50,17 @@ Si des mises à jour sont disponibles, elles sont faites automatiquement. En cas
 Pour en savoir plus sur le fonctionnement des mises à jour dans Yunohost vous pouvez vous rendre [ici](https://yunohost.org/fr/update). Le changelog des versions de Yunohost est aussi disponible [ici](https://forum.yunohost.org/tag/ynh_release).
+### Modification du port SSH
+
+Parmi les paramètres proposés dans YunoHost, il est possible de modifier le port SSH. Vous devez juste créer la variable `ynh_ssh_port` et le rôle se chargera d'aller récupérer le port SSH et de le modifier si nécessaire. Il va aussi effectuer les changements appropriés pour fail2ban et le firewall interne de YunoHost.
+Si votre instance YunoHost est derrière un firewall applicatif ou propre à votre fournisseur cloud, il faudra également ouvrir le groupe de sécurité approprié.
+
+```yml
+ynh_ssh_port: "812"
+```
+
+⚠️ Attention, à partir du moment où le port SSH est modifié, la prochaine fois que vous voudrez vous connecter en SSH sur le serveur YunoHost, il faudra renseigner le port SSH utilisé (par exemple `ssh -p 812 username@hostname`). Vous pouvez également externaliser cette configuration vers un fichier de configuration SSH (plus d'infos [ici](https://linuxize.com/post/using-the-ssh-config-file/)). Vous pouvez aussi indiquer cette configuration dans votre fichier d'inventaire sinon Ansible ne pourra plus se connecter à votre serveur. (plus d'infos [ici](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-handle-different-machines-needing-different-user-accounts-or-ports-to-log-in-with)).
+
 ## Dépendances
 Aucune.
diff --git a/roles/ynh_config/README.md b/roles/ynh_config/README.md
index 829ccc5..e072a1c 100644
--- a/roles/ynh_config/README.md
+++ b/roles/ynh_config/README.md
@@ -50,6 +50,17 @@ If available, updates are done automatically. In case of problems following an a
 To learn more about how updates work in Yunohost you can go [here](https://yunohost.org/fr/update). The changelog of Yunohost versions is also available [here](https://forum.yunohost.org/tag/ynh_release).
+### SSH port modification
+
+Among the settings available in YunoHost, it is possible to change the SSH port. You just have to create the `ynh_ssh_port` variable and the role will retrieve the SSH port and modify it if necessary. It will also perform the adequate modifications regarding fail2ban and the internal firewall of YunoHost.
+In your YunoHost host is behind a firewall, you may consider creating the appropriate security group.
+
+``yml
+ynh_ssh_port: "812"
+```
+
+⚠️ Be careful, from the moment the SSH port is modified, the next time you want to connect to the YunoHost server with SSH, you will have to specify the SSH port to be used (for example `ssh -p 812 username@hostname`). You can also externalize this configuration to an SSH configuration file (more info [here](https://linuxize.com/post/using-the-ssh-config-file/)). You can indicate that configuration in your inventory file otherwise Ansible won't be able to connect to your server. (More info [here](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-handle-different-machines-needing-different-user-accounts-or-ports-to-log-in-with)).
+
 ## Dependencies
 None.
diff --git a/roles/ynh_config/defaults/main.yml b/roles/ynh_config/defaults/main.yml
index 502df6d..1359ca3 100644
--- a/roles/ynh_config/defaults/main.yml
+++ b/roles/ynh_config/defaults/main.yml
@@ -38,3 +38,5 @@ ynh_autoupdate:
 # apps: True
 # system: True
 # dest_script: "/usr/local/bin/"
+
+# ynh_ssh_port: "22"
diff --git a/roles/ynh_config/tasks/main.yml b/roles/ynh_config/tasks/main.yml
index e9d1561..7f5af93 100644
--- a/roles/ynh_config/tasks/main.yml
+++ b/roles/ynh_config/tasks/main.yml
@@ -26,9 +26,16 @@
 - yunohost
 - smtp
-- name: Configures Yunohost autoupdate
+- name: Configure Yunohost autoupdate
 ansible.builtin.include_tasks: autoupdate.yml
 when: ynh_autoupdate.scheduled
 tags:
 - yunohost
 - update
+
+- name: Configure Yunohost SSH port
+ ansible.builtin.include_tasks: sshd_configuration.yml
+ when: ynh_ssh_port
+ tags:
+ - yunohost
+ - ssh
diff --git a/roles/ynh_config/tasks/sshd_configuration.yml b/roles/ynh_config/tasks/sshd_configuration.yml
new file mode 100644
index 0000000..3b7970d
--- /dev/null
+++ b/roles/ynh_config/tasks/sshd_configuration.yml
@@ -0,0 +1,26 @@
+---
+#-----------------------------------------------------------------------------#
+# ansible-yunohost allows to deploy Yunohost using Ansible #
+# Copyright 2021-present Lydra https://www.lydra.fr/ #
+# #
+# this program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# this program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+#-----------------------------------------------------------------------------#
+
+- name: Change SSH port
+ ansible.builtin.command:
+ "yunohost settings set security.ssh.port -v {{ ynh_ssh_port }}"
+ tags:
+ - yunohost
+ - ssh
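Review bot: `when: ynh_ssh_port` on the new include raises an undefined-variable error on every host that does not set the variable, because defaults/main.yml only ships it as a comment (`# ynh_ssh_port: "22"`), so the role now aborts for existing inventories instead of skipping the SSH tasks. Guard the condition so an absent or empty value skips the include: `when: ynh_ssh_port is defined and ynh_ssh_port | string | length > 0`. If the default is later uncommented as `"22"`, the bare truthiness test would run the port-setting task on every play, which is another reason to compare against the current setting inside sshd_configuration.yml rather than rely on this conditional alone.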
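Review bot: `ynh_ssh_port` is spliced unvalidated into the `ansible.builtin.command` string in "Change SSH port"; the module splits that string on whitespace, so a value such as `812 --foo` silently becomes extra arguments to `yunohost settings set`, and a non-numeric value is only rejected by YunoHost at runtime. The task also has no `changed_when` and never reads the current setting, so every play reports a change and the README's claim that the role "retrieves the SSH port and modifies it if necessary" is not what this file does. I would add an `ansible.builtin.assert` that the value is an integer in 1–65535, pass the command as an `argv` list, and gate the set on a prior `yunohost settings get security.ssh.port` (assuming that subcommand prints the bare value on the target YunoHost version — confirm). A one-line comment above the set task reminding that the play's own SSH connection must move to the new port afterwards (`ansible_port` in the inventory) would also help the next maintainer.

```yaml
- name: Validate requested SSH port
  ansible.builtin.assert:
    that:
      - ynh_ssh_port | string is match('^[0-9]+$')
      - ynh_ssh_port | int >= 1
      - ynh_ssh_port | int <= 65535
    fail_msg: "ynh_ssh_port must be an integer between 1 and 65535, got '{{ ynh_ssh_port }}'"
  tags:
    - yunohost
    - ssh

- name: Read current SSH port
  ansible.builtin.command:
    argv:
      - yunohost
      - settings
      - get
      - security.ssh.port
  register: ynh_current_ssh_port
  changed_when: false
  tags:
    - yunohost
    - ssh

# After this task the host listens on the new port; update ansible_port in the
# inventory or later tasks in the same play will fail to connect.
- name: Change SSH port
  ansible.builtin.command:
    argv:
      - yunohost
      - settings
      - set
      - security.ssh.port
      - "-v"
      - "{{ ynh_ssh_port }}"
  when: ynh_current_ssh_port.stdout | trim != ynh_ssh_port | string
  tags:
    - yunohost
    - ssh
```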