Update to 2021-12-13 19:00

roles/jitsi/templates/prosody.cfg.lua.j2

@@ -16,8 +16,13 @@ external_services = {
     port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}",
 {% endif %}
 {% if stun | urlsplit('query') is search('transport=') %}
-    transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}"
+    transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}",
 {% endif %}
+    secret = {{ jitsi_turn_secret is defined | ternary('true', 'false') }},
+{% if stun | urlsplit('scheme') == 'turn' or stun | urlsplit('scheme') == 'turns' %}
+    algorithm = "turn",
+{% endif %}
+    ttl = 86400
   },
 {% endfor %}
 };

roles/squid/defaults/main.yml

@@ -92,6 +92,7 @@ squid_base_acl:
     items:
       - '"/etc/squid/acl/software_windows.domains"'
       - '"/etc/squid/acl/service_fws.domains"'
+      - '"/etc/squid/acl/service_dbd.domains"'
       - '"/etc/squid/acl/service_various.domains"'
       - '"/etc/squid/acl/software_epel.domains"'
       - '"/etc/squid/acl/software_centos.domains"'
@@ -100,6 +101,7 @@ squid_base_acl:
       - '"/etc/squid/acl/software_various.domains"'
       - '"/etc/squid/acl/software_smeserver.domains"'
       - '"/etc/squid/acl/software_remi.domains"'
+      - '"/etc/squid/acl/software_dbd.domains"'
   - name: local_whitelist_domains
     type: dstdomain
     items:

roles/squid/files/acl/service_dbd.domains

@@ -0,0 +1 @@
+.lapiole.org

roles/squid/files/acl/software_dbd.domains

@@ -0,0 +1,2 @@
+rpms.lapiole.org
+git.lapiole.org

roles/squid/files/acl/software_various.domains

@@ -16,7 +16,6 @@ publicsuffix.org
 www.internic.net
 tzurl.org
 gitlab.com
-.lapiole.org
 archive.apache.org
 ftp.gnu.org
 

roles/ssh/defaults/main.yml

@@ -1,31 +1,35 @@
 ---
 
-# List of port sshd will bind to
-sshd_ports: [ '22' ]
+# List of port sshd will listen on
+sshd_ports:
+  - 22
+
+# Will restrict ssh access to the following IP/CIDR (only if iptables_manage == True)
+sshd_src_ip:
+  - 0.0.0.0/0
 
-# Will restrict ssh access to the following IP
-# 
-sshd_src_ip: []
 # sshd_src_ip:
 #  - 12.13.14.15
 #  - 192.168.17.0/24
 
-sshd_permit_root_login: no
-sshd_password_auth: yes
+# Allow the root user to login
+sshd_permit_root_login: False
+# Allow password authentication
+sshd_password_auth: True
 
 # Control the AllowUsers, DenyUsers, AllowGroups and DenyGroups
 # sshd_allow_users:
-#   - fws
-#   - dani
+#   - xavier
+#   - dani@EXAMPLE.ORG
 # sshd_deny_users:
 #   - dimitri
 #   - flo
 # sshd_allow_groups:
 #   - tech
-#   - support
+#   - support@EXAMPLE.ORG
 # sshd_deny_groups:
 #   - sales
-#   - interim
+#   - interim@EXAMPLE.ORG
 #
 #
 
@@ -52,7 +56,7 @@ sshd_password_auth: yes
 #        run_as: root
 #        nopasswd: False
 #
-#ssh_extra_users (can be used as ssh_users)
+#ssh_extra_users (can be used as ssh_users, both will be merged)
 #  
 #
 # Max number of conn / minute. 0 to disable rate limit

roles/ssh/tasks/cleanup.yml

@@ -0,0 +1,13 @@
+---
+
+- name: List all authorized keys directories
+  shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename
+  register: existing_ssh_keys
+  changed_when: False
+  tags: ssh
+
+- name: Remove unmanaged ssh keys
+  file: path=/etc/ssh/authorized_keys/{{ item }} state=absent
+  loop: "{{ existing_ssh_keys.stdout_lines | default([]) }}"
+  when: item not in ssh_users | rejectattr('keys_file', 'defined') | map(attribute='name')
+  tags: ssh

roles/ssh/tasks/conf.yml

@@ -0,0 +1,81 @@
+---
+
+- name: Deploy sshd configuration
+  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+  notify: restart sshd
+  tags: ssh
+
+- name: Create top level authorized keys directory
+  file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
+  tags: ssh
+
+- name: Create an SSH key pair for root
+  user:
+    name: root
+    generate_ssh_key: yes
+    ssh_key_file: .ssh/id_rsa
+  tags: ssh
+
+- name: Create ssh users
+  user:
+    name: "{{ item.name }}"
+  loop: "{{ ssh_users }}"
+  register: ssh_create_user
+  when: item.create_user | default(False)
+  tags: ssh
+
+- name: Check if sssd is installed
+  stat: path=/usr/sbin/sss_cache
+  register: ssh_sss_cache
+  tags: ssh
+
+  # Flush sss cache so we can modify newly available users
+- name: Reset sss cache
+  command: sss_cache -E
+  when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: ssh
+
+  # We do this in two times (first create, then set shell and comment)
+  # to prevent hitting a bug in ansible where usermod could be called before useradd
+  # See https://github.com/ansible/ansible/issues/22576
+- name: Set ssh user attributes
+  user:
+    name: "{{ item.name }}"
+    comment: "{{ item.full_name | default(omit) }}"
+    shell: "{{ item.shell | default(omit) }}"
+  loop: "{{ ssh_users }}"
+  when: item.create_user | default(False)
+  tags: ssh
+
+- name: Create private dir for Authorized keys
+  file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
+  ignore_errors: True # Needed eg, if LDAP isn't available on first run
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Deploy ssh user keys
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
+    key_options: "{{ item.key_options | default([]) | join(',') }}"
+    path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
+    manage_dir: False
+    exclusive: True
+  ignore_errors: True # Needed eg, if LDAP isn't available on first run
+  #when: item.ssh_keys is defined
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Ensure permissions and ownership on authorized_keys files
+  file:
+    path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
+    mode: 0600
+    owner: "{{ item.name }}"
+  when: item.ssh_keys is defined
+  ignore_errors: True
+  loop: "{{ ssh_users }}"
+  tags: ssh
+
+- name: Deploy sudo fragment
+  template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
+  tags: ssh

roles/ssh/tasks/facts.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Combine SSH users
+  set_fact:
+    ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}"
+  tags: ssh
+

roles/ssh/tasks/install.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install ssh components
+  yum:
+    name:
+      - openssh-server
+      - openssh-clients
+  when: ansible_os_family == 'RedHat'
+  tags: ssh
+
+- name: Install ssh components
+  apt:
+    name:
+      - openssh-server
+      - openssh-client
+  when: ansible_os_family == 'Debian'
+  tags: ssh

roles/ssh/tasks/iptables.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Apply rate limits
+  iptables_raw:
+    name: sshd_limit
+    rules: |
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
+    state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
+    weight: 10
+  tags: ssh,firewall
+
+- name: Handle ssh ports
+  iptables_raw:
+    name: sshd_ports
+    state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT"
+  tags: ssh,firewall

roles/ssh/tasks/main.yml

@@ -1,139 +1,12 @@
 ---
 
-- name: Install ssh components
-  yum:
-    name:
-      - openssh-server
-      - openssh-clients
-  when: ansible_os_family == 'RedHat'
-  tags: ssh
-
-- name: Install ssh components
-  apt:
-    name:
-      - openssh-server
-      - openssh-client
-  when: ansible_os_family == 'Debian'
-  tags: ssh
-
-- name: Allow ssh port in SELinux
-  seport: ports={{ sshd_ports|join(',') }} proto=tcp setype=ssh_port_t state=present
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: selinux.yml
   when: ansible_selinux.status == 'enabled'
-  tags: ssh
-
-- name: Combine SSH users
-  set_fact:
-    ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}"
-  tags: ssh
-
-- name: Deploy sshd configuration
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config backup=yes
-  notify: restart sshd
-  tags: ssh
-
-- name: Set SSH rate limit
-  iptables_raw:
-    name: sshd_limit
-    rules: |
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
-    state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
-    weight: 10
+- include: iptables.yml
   when: iptables_manage | default(True)
-  tags: ssh,firewall
+- include: service.yml
+- include: cleanup.yml
 
-- name: Handle ssh ports
-  iptables_raw:
-    name: sshd_ports
-    state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
-    rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT"
-  when: iptables_manage | default(True)
-  tags: ssh,firewall
-
-- name: Create top level authorized keys directory
-  file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root
-  tags: ssh
-
-- name: Create an SSH key pair for root
-  user:
-    name: root
-    generate_ssh_key: yes
-    ssh_key_file: .ssh/id_rsa
-  tags: ssh
-
-  # Do this in two times, to prevent hitting a bug in ansible
-  # where usermod could be called before useradd
-  # See https://github.com/ansible/ansible/issues/22576
-- name: Create ssh users
-  user:
-    name: "{{ item.name }}"
-  with_items: "{{ ssh_users }}"
-  register: ssh_create_user
-  when: item.create_user | default(False)
-  tags: ssh
-
-- name: Check if sssd is installed
-  stat: path=/usr/sbin/sss_cache
-  register: ssh_sss_cache
-  tags: ssh
-
-  # Flush sss cache so we can modify freshly created users
-- name: Reset sss cache
-  command: sss_cache -E
-  when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0
-  tags: ssh
-
-- name: Set ssh user attributes
-  user:
-    name: "{{ item.name }}"
-    comment: "{{ item.full_name | default(omit) }}"
-    shell: "{{ item.shell | default(omit) }}"
-  with_items: "{{ ssh_users }}"
-  when: item.create_user | default(False)
-  tags: ssh
-
-- name: Create private dir for Authorized keys
-  file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }}
-  ignore_errors: True # Needed eg, if LDAP isn't available on first run
-  with_items: "{{ ssh_users }}"
-  tags: ssh
-
-- name: Deploy ssh user keys
-  authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
-    key_options: "{{ item.key_options | default([]) | join(',') }}"
-    path: "/etc/ssh/authorized_keys/{{ item.name }}/authorized_keys"
-    manage_dir: False
-    exclusive: True
-  ignore_errors: True # Needed eg, if LDAP isn't available on first run
-  #when: item.ssh_keys is defined
-  with_items: "{{ ssh_users }}"
-  tags: ssh
-
-- name: Ensure permissions and ownership on authorized_keys files
-  file:
-    path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
-    mode: 0600
-    owner: "{{ item.name }}"
-  when: item.ssh_keys is defined
-  ignore_errors: True
-  with_items: "{{ ssh_users }}"
-  tags: ssh
-
-- name: List all authorized keys directories
-  shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename
-  register: existing_ssh_keys
-  changed_when: False
-  tags: ssh
-
-- name: Remove unmanaged ssh keys
-  file: path=/etc/ssh/authorized_keys/{{ item }} state=absent
-  with_items: "{{ existing_ssh_keys.stdout_lines | default([]) }}"
-  when: item not in ssh_users | map(attribute='name')
-  tags: ssh
-
-- name: Deploy sudo fragment
-  template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600
-  tags: ssh

roles/ssh/tasks/selinux.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Allow ssh port in SELinux
+  seport:
+    ports: "{{ sshd_ports | join(',') }}"
+    proto: tcp
+    setype: ssh_port_t
+  tags: ssh
+

roles/ssh/tasks/service.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable sshd
+  service: name=sshd state=started enabled=True
+  tags: ssh