Update to 2020-05-15 16:00

4 years ago · 03a1243aca
parent 6fe3c86a23
commit 03a1243aca
2 changed files with 24 additions and 4 deletions
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@ -19,7 +19,7 @@
    keep_unmanaged: "{{ iptables_keep_unmanaged }}"
    state: present
    rules: "{{ iptables_default_head }}"
-  tags: firewall
+  tags: firewall,ssh

 - name: Set default iptables tail rules
  iptables_raw:
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@ -6,6 +6,7 @@
      - openssh-server
      - openssh-clients
  when: ansible_os_family == 'RedHat'
+  tags: ssh

 - name: Install ssh components
  apt:
@ -13,28 +14,34 @@
      - openssh-server
      - openssh-client
  when: ansible_os_family == 'Debian'
+  tags: ssh

 - name: Allow ssh port in SELinux
  seport: ports={{ sshd_ports|join(',') }} proto=tcp setype=ssh_port_t state=present
  when: ansible_selinux.status == 'enabled'
+  tags: ssh

 - name: Combine SSH users
  set_fact:
    ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}"
+  tags: ssh

 - name: Deploy sshd configuration
  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config backup=yes
  notify: restart sshd
+  tags: ssh

 - name: Set SSH rate limit
  iptables_raw:
    name: sshd_limit
-    rules: "-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set\n
-            -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix \"Firewall (ssh limit): \"\n
-            -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT"
+    rules: |
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
    state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
    weight: 10
  when: iptables_manage | default(True)
+  tags: ssh,firewall

 - name: Handle ssh ports
  iptables_raw:
@ -42,15 +49,18 @@
    state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | join(',') }} -j ACCEPT"
  when: iptables_manage | default(True)
+  tags: ssh,firewall

 - name: Create top level authorized keys directory
  file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
+  tags: ssh

 - name: Create an SSH key pair for root
  user:
    name: root
    generate_ssh_key: yes
    ssh_key_file: .ssh/id_rsa
+  tags: ssh

  # Do this in two times, to prevent hitting a bug in ansible
  # where usermod could be called before useradd
@ -61,15 +71,18 @@
  with_items: "{{ ssh_users }}"
  register: ssh_create_user
  when: item.create_user | default(False)
+  tags: ssh

 - name: Check if sssd is installed
  stat: path=/usr/sbin/sss_cache
  register: ssh_sss_cache
+  tags: ssh

  # Flush sss cache so we can modify freshly created users
 - name: Reset sss cache
  command: sss_cache -E
  when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: ssh

 - name: Set ssh user attributes
  user:
@ -78,11 +91,13 @@
    shell: "{{ item.shell | default(omit) }}"
  with_items: "{{ ssh_users }}"
  when: item.create_user | default(False)
+  tags: ssh

 - name: Create private dir for Authorized keys
  file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
  ignore_errors: True # Needed eg, if LDAP isn't available on first run
  with_items: "{{ ssh_users }}"
+  tags: ssh

 - name: Deploy ssh user keys
  authorized_key:
@ -95,6 +110,7 @@
  ignore_errors: True # Needed eg, if LDAP isn't available on first run
  #when: item.ssh_keys is defined
  with_items: "{{ ssh_users }}"
+  tags: ssh

 - name: Ensure permissions and ownership on authorized_keys files
  file:
@ -104,16 +120,20 @@
  when: item.ssh_keys is defined
  ignore_errors: True
  with_items: "{{ ssh_users }}"
+  tags: ssh

 - name: List all authorized keys directories
  shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename
  register: existing_ssh_keys
  changed_when: False
+  tags: ssh

 - name: Remove unmanaged ssh keys
  file: path=/etc/ssh/authorized_keys/{{ item }} state=absent
  with_items: "{{ existing_ssh_keys.stdout_lines | default([]) }}"
  when: item not in ssh_users | map(attribute='name')
+  tags: ssh

 - name: Deploy sudo fragment
  template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
+  tags: ssh