move roles, files and templates dirs out of playbook dir into root dir

Because of how Ansible local relative search paths work, the global "files" and "templates" directories need to be next to the playbooks. However its not intuitive to look into the "playbooks" directory to find the files and templates for a host. Therefore move them out of the "playbooks" directory into the root directory and add symlinks so everything still works. Similarly for local roles, they also need to be next to the playbooks. So for a nicer structure, move the "roles" directory out into the root directory as well and add a symlink so everything still works. Also see: https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
2024-12-02 03:34:55 +01:00 · 2024-12-02 03:34:55 +01:00 · f16f8697c2
commit f16f8697c2
parent 2460c31e78
147 changed files with 3 additions and 0 deletions
--- a/roles/deploy_ssh_server_config/README.md
+++ b/roles/deploy_ssh_server_config/README.md
@ -0,0 +1,17 @@
+# Role `deploy_ssh_server_config`
+
+This role deploys an SSH server config on the specified hosts.
+
+## `hosts`
+
+The `hosts` for this role need to be the machines, for which you want to deploy an SSH server config.
+
+## Required Variables
+
+This role doesn't have nay required variables.
+
+## Links & Resources
+
+- <https://infosec.mozilla.org/guidelines/openssh>
+- Also see [Debian 11 cloud 2023-04-21 default /etc/ssh/sshd_config](docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config).
+- Also see [Debian 12 cloud 2023-07-25 default /etc/ssh/sshd_config](docs/Debian_12_cloud_2023-07-25_default_etc_ssh_sshd_config).
--- a/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
+++ b/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
@ -0,0 +1,124 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+ClientAliveInterval 120
--- a/roles/deploy_ssh_server_config/docs/Debian_12_cloud_2023-07-25_default_etc_ssh_sshd_config
+++ b/roles/deploy_ssh_server_config/docs/Debian_12_cloud_2023-07-25_default_etc_ssh_sshd_config
@ -0,0 +1,123 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+ClientAliveInterval 120
--- a/roles/deploy_ssh_server_config/handlers/main.yaml
+++ b/roles/deploy_ssh_server_config/handlers/main.yaml
@ -0,0 +1,3 @@
+- name: reboot the system
+  become: true
+  ansible.builtin.reboot:
--- a/roles/deploy_ssh_server_config/tasks/main.yaml
+++ b/roles/deploy_ssh_server_config/tasks/main.yaml
@ -0,0 +1,36 @@
+# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
+- name: deploy SSH server config
+  become: true
+
+  block:
+    - name: deploy `sshd_config`
+      ansible.builtin.template:
+        force: true
+        dest: /etc/ssh/sshd_config
+        mode: "0644"
+        owner: root
+        group: root
+        src: sshd_config.j2
+      notify:
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system
+
+    - name: deactivate short moduli
+      ansible.builtin.shell:
+        executable: /bin/bash
+        cmd: |
+          set -eo pipefail
+
+          awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
+          if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
+            rm /etc/ssh/moduli.tmp
+          else
+            mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+            echo "ansible-changed: changed /etc/ssh/moduli"
+          fi
+      register: result
+      changed_when:
+        - '"ansible-changed" in result.stdout'
+      notify:
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@ -0,0 +1,97 @@
+# This is the sshd server system-wide configuration file deployed and managed by
+# Ansible.
+# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
+# information.
+
+# This config doesn't set all options and leaves some to the sshd defaults.
+# The sshd defaults should be alright, so this config is only really setting
+# options in cases where we want to intentionally have an option a certain way
+# for some reason or another. For example for hardening, improved loggin, etc.
+
+
+## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
+## guidelines.
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+
+## Authentication Settings.
+
+# Require only "publickey" for authentication.
+# From Mozillas Modern guidelines.
+AuthenticationMethods publickey
+
+# Enable "PubkeyAuthentication" accordingly.
+PubkeyAuthentication yes
+# Don't do the other authentication types.
+PasswordAuthentication no
+{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+KbdInteractiveAuthentication no
+{% else %}
+ChallengeResponseAuthentication no
+{% endif %}
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+# Don't allow root login.
+PermitRootLogin no
+
+{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+# Set this to "yes", but have "PasswordAuthentication" and
+# "KbdInteractiveAuthentication" set to "no", to have account and session checks
+# run.
+{% else %}
+# Set this to "yes", but have "PasswordAuthentication" and
+# "ChallengeResponseAuthentication" set to "no", to have account and session
+# checks run.
+{% endif %}
+# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
+# information.
+UsePAM yes
+
+
+## Miscellaneous Settings.
+
+# X11 forwarding shouldn't be needed.
+X11Forwarding no
+
+# Printing this isn't needed.
+PrintMotd no
+
+# Print time and date of last login, since that's nice.
+PrintLastLog yes
+
+# Disable general environment processing.
+PermitUserEnvironment no
+
+# Allow client to pass locale environment variables.
+# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+AcceptEnv LANG LC_*
+
+# Request response from client after 120 seconds of no communication.
+# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+ClientAliveInterval 120
+
+
+## Logging
+
+# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
+# This is needed for a clear audit track.
+# From Mozillas Modern guidelines.
+LogLevel VERBOSE
+
+# Enable the sftp subsystem and log properly.
+# From Mozillas Modern guidelines and
+# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO