diff --git a/roles/jitsi/templates/prosody.cfg.lua.j2 b/roles/jitsi/templates/prosody.cfg.lua.j2 index 9a02a92..a845997 100644 --- a/roles/jitsi/templates/prosody.cfg.lua.j2 +++ b/roles/jitsi/templates/prosody.cfg.lua.j2 @@ -16,8 +16,13 @@ external_services = { port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}", {% endif %} {% if stun | urlsplit('query') is search('transport=') %} - transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}" + transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}", {% endif %} + secret = {{ jitsi_turn_secret is defined | ternary('true', 'false') }}, +{% if stun | urlsplit('scheme') == 'turn' or stun | urlsplit('scheme') == 'turns' %} + algorithm = "turn", +{% endif %} + ttl = 86400 }, {% endfor %} }; diff --git a/roles/squid/defaults/main.yml b/roles/squid/defaults/main.yml index debd780..647590e 100644 --- a/roles/squid/defaults/main.yml +++ b/roles/squid/defaults/main.yml @@ -92,6 +92,7 @@ squid_base_acl: items: - '"/etc/squid/acl/software_windows.domains"' - '"/etc/squid/acl/service_fws.domains"' + - '"/etc/squid/acl/service_dbd.domains"' - '"/etc/squid/acl/service_various.domains"' - '"/etc/squid/acl/software_epel.domains"' - '"/etc/squid/acl/software_centos.domains"' @@ -100,6 +101,7 @@ squid_base_acl: - '"/etc/squid/acl/software_various.domains"' - '"/etc/squid/acl/software_smeserver.domains"' - '"/etc/squid/acl/software_remi.domains"' + - '"/etc/squid/acl/software_dbd.domains"' - name: local_whitelist_domains type: dstdomain items: diff --git a/roles/squid/files/acl/service_dbd.domains b/roles/squid/files/acl/service_dbd.domains new file mode 100644 index 0000000..6d80985 --- /dev/null +++ b/roles/squid/files/acl/service_dbd.domains @@ -0,0 +1 @@ +.lapiole.org diff --git a/roles/squid/files/acl/software_dbd.domains b/roles/squid/files/acl/software_dbd.domains new file mode 100644 index 0000000..09468f1 --- /dev/null 
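Review bot: `ttl = 86400` hard-codes a 24-hour lifetime for the TURN credentials Prosody hands out to clients; a shorter lifetime bounds how long an intercepted credential stays usable, so it is better exposed as a role variable with the current value as default, e.g. `ttl = {{ jitsi_turn_ttl | default(86400) }}` (variable name is a placeholder). `secret = true` makes Prosody sign credentials with `external_service_secret`, which this hunk does not set; if that key is not emitted elsewhere in the template, the TURN entries have no usable secret. `secret` is also emitted for plain STUN entries while `algorithm` is guarded by the scheme check; harmless, but moving `secret = …` under the same `{% if %}` keeps the two consistent.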
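Review bot: The new `software_dbd.domains` hosts `rpms.lapiole.org` and `git.lapiole.org` are already matched by the `.lapiole.org` wildcard placed in `service_dbd.domains`, and both files are added to the same `items:` sequence of one ACL (the two hunks in this file are a few lines apart in the same list), so the second file is redundant unless it is consumed separately by another role. If both are meant to exist, a comment above the `software_dbd` entry saying why, e.g. `# software_dbd lists the repo hosts only; service_dbd covers the whole domain`, would stop them from drifting apart.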
+++ b/roles/squid/files/acl/software_dbd.domains @@ -0,0 +1,2 @@ +rpms.lapiole.org +git.lapiole.org diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains index 3357be3..baa2fcd 100644 --- a/roles/squid/files/acl/software_various.domains +++ b/roles/squid/files/acl/software_various.domains @@ -16,7 +16,6 @@ publicsuffix.org www.internic.net tzurl.org gitlab.com -.lapiole.org archive.apache.org ftp.gnu.org diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml index b7af80c..a8b00dd 100644 --- a/roles/ssh/defaults/main.yml +++ b/roles/ssh/defaults/main.yml @@ -1,31 +1,35 @@ --- -# List of port sshd will bind to -sshd_ports: [ '22' ] +# List of port sshd will listen on +sshd_ports: + - 22 + +# Will restrict ssh access to the following IP/CIDR (only if iptables_manage == True) +sshd_src_ip: + - 0.0.0.0/0 -# Will restrict ssh access to the following IP -# -sshd_src_ip: [] # sshd_src_ip: # - 12.13.14.15 # - 192.168.17.0/24 -sshd_permit_root_login: no -sshd_password_auth: yes +# Allow the root user to login +sshd_permit_root_login: False +# Allow password authentication +sshd_password_auth: True # Control the AllowUsers, DenyUsers, AllowGroups and DenyGroups # sshd_allow_users: -# - fws -# - dani +# - xavier +# - dani@EXAMPLE.ORG # sshd_deny_users: # - dimitri # - flo # sshd_allow_groups: # - tech -# - support +# - support@EXAMPLE.ORG # sshd_deny_groups: # - sales -# - interim +# - interim@EXAMPLE.ORG # # @@ -52,7 +56,7 @@ sshd_password_auth: yes # run_as: root # nopasswd: False # -#ssh_extra_users (can be used as ssh_users) +#ssh_extra_users (can be used as ssh_users, both will be merged) # # # Max number of conn / minute. 0 to disable rate limit diff --git a/roles/ssh/tasks/cleanup.yml b/roles/ssh/tasks/cleanup.yml new file mode 100644 index 0000000..89ce3e2 --- /dev/null +++ b/roles/ssh/tasks/cleanup.yml 
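Review bot: The new default `sshd_src_ip: [0.0.0.0/0]` changes what the firewall task does on hosts that do not override it: with the old `[]` the `sshd_ports` ACCEPT rule evaluated to `state: absent`, whereas now an allow-from-any-source rule is installed whenever `iptables_manage` is true, so hosts that relied on the empty default to keep sshd unreachable (unless another rule allowed it) are opened on the next run. If world-reachable SSH is the intended default, say so in the comment, e.g. `# Any source is allowed by default; narrow this list on exposed hosts`. `True`/`False` are accepted by Ansible, but the canonical YAML spelling is `true`/`false`, and `sshd_password_auth: true` remains a permissive default that deserves a comment pointing operators at key-only authentication.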
@@ -0,0 +1,13 @@ +--- + +- name: List all authorized keys directories + shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename + register: existing_ssh_keys + changed_when: False + tags: ssh + +- name: Remove unmanaged ssh keys + file: path=/etc/ssh/authorized_keys/{{ item }} state=absent + loop: "{{ existing_ssh_keys.stdout_lines | default([]) }}" + when: item not in ssh_users | rejectattr('keys_file', 'defined') | map(attribute='name') + tags: ssh diff --git a/roles/ssh/tasks/conf.yml b/roles/ssh/tasks/conf.yml new file mode 100644 index 0000000..bb2592a --- /dev/null +++ b/roles/ssh/tasks/conf.yml 
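Review bot: The `when` on `Remove unmanaged ssh keys` drops users whose `keys_file` is set from the managed list, yet `conf.yml` in this commit still creates `/etc/ssh/authorized_keys/{{ item.name }}` for every entry of `ssh_users`, so that directory is deleted here and recreated on the next run, a permanent changed/changed churn; either keep those users in the list, `when: item not in ssh_users | map(attribute='name') | list`, or guard the directory creation in `conf.yml` with the same `keys_file` test. The `ls -1 … | xargs -n1 basename` pipeline would be more robust as the `find` module (`paths: /etc/ssh/authorized_keys`, `file_type: directory`) looped over `item.path | basename`, which avoids parsing `ls` output. Since `state=absent` removes the whole directory tree, a wrong match deletes a user's keys; a comment above the task stating that would help the next reader.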
@@ -0,0 +1,81 @@ +--- + +- name: Deploy sshd configuration + template: src=sshd_config.j2 dest=/etc/ssh/sshd_config + notify: restart sshd + tags: ssh + +- name: Create top level authorized keys directory + file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root + tags: ssh + +- name: Create an SSH key pair for root + user: + name: root + generate_ssh_key: yes + ssh_key_file: .ssh/id_rsa + tags: ssh + +- name: Create ssh users + user: + name: "{{ item.name }}" + loop: "{{ ssh_users }}" + register: ssh_create_user + when: item.create_user | default(False) + tags: ssh + +- name: Check if sssd is installed + stat: path=/usr/sbin/sss_cache + register: ssh_sss_cache + tags: ssh + + # Flush sss cache so we can modify newly available users +- name: Reset sss cache + command: sss_cache -E + when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0 + tags: ssh + + # We do this in two times (first create, then set shell and comment) + # to prevent hitting a bug in ansible where usermod could be called before useradd + # See https://github.com/ansible/ansible/issues/22576 +- name: Set ssh user attributes + user: + name: "{{ item.name }}" + comment: "{{ item.full_name | default(omit) }}" + shell: "{{ item.shell | default(omit) }}" + loop: "{{ ssh_users }}" + when: item.create_user | default(False) + tags: ssh + +- name: Create private dir for Authorized keys + file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }} + ignore_errors: True # Needed eg, if LDAP isn't available on first run + loop: "{{ ssh_users }}" + tags: ssh + +- name: Deploy ssh user keys + authorized_key: + user: "{{ item.name }}" + key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}" + key_options: "{{ item.key_options | default([]) | join(',') }}" + path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}" + manage_dir: False + 
exclusive: True + ignore_errors: True # Needed eg, if LDAP isn't available on first run + #when: item.ssh_keys is defined + loop: "{{ ssh_users }}" + tags: ssh + +- name: Ensure permissions and ownership on authorized_keys files + file: + path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys + mode: 0600 + owner: "{{ item.name }}" + when: item.ssh_keys is defined + ignore_errors: True + loop: "{{ ssh_users }}" + tags: ssh + +- name: Deploy sudo fragment + template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600 + tags: ssh diff --git a/roles/ssh/tasks/facts.yml b/roles/ssh/tasks/facts.yml new file mode 100644 index 0000000..155e5ff --- /dev/null +++ b/roles/ssh/tasks/facts.yml @@ -0,0 +1,7 @@ +--- + +- name: Combine SSH users + set_fact: + ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}" + tags: ssh + diff --git a/roles/ssh/tasks/install.yml b/roles/ssh/tasks/install.yml new file mode 100644 index 0000000..373d845 --- /dev/null +++ b/roles/ssh/tasks/install.yml @@ -0,0 +1,17 @@ +--- + +- name: Install ssh components + yum: + name: + - openssh-server + - openssh-clients + when: ansible_os_family == 'RedHat' + tags: ssh + +- name: Install ssh components + apt: + name: + - openssh-server + - openssh-client + when: ansible_os_family == 'Debian' + tags: ssh diff --git a/roles/ssh/tasks/iptables.yml b/roles/ssh/tasks/iptables.yml new file mode 100644 index 0000000..66dd8f3 --- /dev/null +++ b/roles/ssh/tasks/iptables.yml 
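Review bot: `Ensure permissions and ownership on authorized_keys files` still hard-codes `/etc/ssh/authorized_keys/{{ item.name }}/authorized_keys`, while `Deploy ssh user keys` in the same hunk now honours `item.keys_file`; for a user with a custom `keys_file` the mode/owner enforcement targets a path that may not exist, fails, and is hidden by `ignore_errors: True`, so the custom file's permissions are never enforced. Use the same expression in both tasks, `path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"`. The sshd_config and sudoers fragment are written without validation, and the moved template task lost the `backup=yes` it had in `tasks/main.yml`; adding `validate: /usr/sbin/sshd -t -f %s` to the first and `validate: /usr/sbin/visudo -cf %s` to the second stops a templating mistake from locking out SSH or breaking sudo before the handler restarts anything. The blanket `ignore_errors: True` on `Deploy ssh user keys` also masks failures of key revocation (`exclusive: True` is what removes stale keys); narrowing it with a `failed_when` covering only the LDAP-unavailable case the comment describes keeps real failures visible.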
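Review bot: `set_fact` cannot override a variable passed as an extra var (`-e`), which has the highest precedence, so when `ssh_users` is supplied that way `ssh_extra_users` is silently ignored and the "both will be merged" promise in the role defaults does not hold. Storing the merged list under a different fact name, e.g. `ssh_merged_users` (placeholder), and reading that name in the other task files avoids the collision; the hunk does not show whether `ssh_users` has a default in the role, and the expression errors if it is undefined, so `(ssh_users | default([])) + (ssh_extra_users | default([]))` is the safer form.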
@@ -0,0 +1,19 @@ +--- + +- name: Apply rate limits + iptables_raw: + name: sshd_limit + rules: | + -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set + -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): " + -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT + state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}" + weight: 10 + tags: ssh,firewall + +- name: Handle ssh ports + iptables_raw: + name: sshd_ports + state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}" + rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT" + tags: ssh,firewall diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml index 595d689..31adfe2 100644 --- a/roles/ssh/tasks/main.yml +++ b/roles/ssh/tasks/main.yml 
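Review bot: Both tasks program rules through `iptables_raw` without an IP version setting, so the `sshd_src_ip` restriction and the rate limit apply to IPv4 only; if sshd also listens on IPv6 (the default unless `sshd_config.j2` sets `ListenAddress` otherwise), v6 clients bypass both regardless of `sshd_src_ip`. If v6 hosts are in scope, add the equivalent ip6tables rules (via the module's `ipversion` option, where the version in use supports it) fed with the v6 entries of `sshd_src_ip`, or state the limitation above the tasks, `# IPv4 only: IPv6 traffic is not restricted by these rules`. `--state new` in the second rule is inconsistent with `--state NEW` above; iptables accepts either, but one spelling reads better.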
@@ -1,139 +1,12 @@ --- -- name: Install ssh components - yum: - name: - - openssh-server - - openssh-clients - when: ansible_os_family == 'RedHat' - tags: ssh - -- name: Install ssh components - apt: - name: - - openssh-server - - openssh-client - when: ansible_os_family == 'Debian' - tags: ssh - -- name: Allow ssh port in SELinux - seport: ports={{ sshd_ports|join(',') }} proto=tcp setype=ssh_port_t state=present +- include: facts.yml +- include: install.yml +- include: conf.yml +- include: selinux.yml when: ansible_selinux.status == 'enabled' - tags: ssh - -- name: Combine SSH users - set_fact: - ssh_users: "{{ ssh_users + ssh_extra_users | default([]) }}" - tags: ssh - -- name: Deploy sshd configuration - template: src=sshd_config.j2 dest=/etc/ssh/sshd_config backup=yes - notify: restart sshd - tags: ssh - -- name: Set SSH rate limit - iptables_raw: - name: sshd_limit - rules: | - -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set - -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): " - -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT - state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}" - weight: 10 +- include: iptables.yml when: iptables_manage | default(True) - tags: ssh,firewall +- include: service.yml +- include: cleanup.yml -- name: Handle ssh ports - iptables_raw: - name: sshd_ports - state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}" - rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT" - when: iptables_manage | 
default(True) - tags: ssh,firewall - -- name: Create top level authorized keys directory - file: path=/etc/ssh/authorized_keys/ state=directory mode=755 owner=root group=root - tags: ssh - -- name: Create an SSH key pair for root - user: - name: root - generate_ssh_key: yes - ssh_key_file: .ssh/id_rsa - tags: ssh - - # Do this in two times, to prevent hitting a bug in ansible - # where usermod could be called before useradd - # See https://github.com/ansible/ansible/issues/22576 -- name: Create ssh users - user: - name: "{{ item.name }}" - with_items: "{{ ssh_users }}" - register: ssh_create_user - when: item.create_user | default(False) - tags: ssh - -- name: Check if sssd is installed - stat: path=/usr/sbin/sss_cache - register: ssh_sss_cache - tags: ssh - - # Flush sss cache so we can modify freshly created users -- name: Reset sss cache - command: sss_cache -E - when: ssh_sss_cache.stat.exists and ssh_create_user.results | selectattr('changed','equalto',True) | list | length > 0 - tags: ssh - -- name: Set ssh user attributes - user: - name: "{{ item.name }}" - comment: "{{ item.full_name | default(omit) }}" - shell: "{{ item.shell | default(omit) }}" - with_items: "{{ ssh_users }}" - when: item.create_user | default(False) - tags: ssh - -- name: Create private dir for Authorized keys - file: path=/etc/ssh/authorized_keys/{{ item.name }} state=directory mode=700 owner={{ item.name }} - ignore_errors: True # Needed eg, if LDAP isn't available on first run - with_items: "{{ ssh_users }}" - tags: ssh - -- name: Deploy ssh user keys - authorized_key: - user: "{{ item.name }}" - key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}" - key_options: "{{ item.key_options | default([]) | join(',') }}" - path: "/etc/ssh/authorized_keys/{{ item.name }}/authorized_keys" - manage_dir: False - exclusive: True - ignore_errors: True # Needed eg, if LDAP isn't available on first run - #when: item.ssh_keys is defined - with_items: "{{ ssh_users }}" - tags: ssh - -- name: Ensure 
permissions and ownership on authorized_keys files - file: - path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys - mode: 0600 - owner: "{{ item.name }}" - when: item.ssh_keys is defined - ignore_errors: True - with_items: "{{ ssh_users }}" - tags: ssh - -- name: List all authorized keys directories - shell: ls -1 /etc/ssh/authorized_keys | xargs -n1 basename - register: existing_ssh_keys - changed_when: False - tags: ssh - -- name: Remove unmanaged ssh keys - file: path=/etc/ssh/authorized_keys/{{ item }} state=absent - with_items: "{{ existing_ssh_keys.stdout_lines | default([]) }}" - when: item not in ssh_users | map(attribute='name') - tags: ssh - -- name: Deploy sudo fragment - template: src=sudo.j2 dest=/etc/sudoers.d/ssh_users mode=600 - tags: ssh diff --git a/roles/ssh/tasks/selinux.yml b/roles/ssh/tasks/selinux.yml new file mode 100644 index 0000000..459a4c2 --- /dev/null +++ b/roles/ssh/tasks/selinux.yml @@ -0,0 +1,9 @@ +--- + +- name: Allow ssh port in SELinux + seport: + ports: "{{ sshd_ports | join(',') }}" + proto: tcp + setype: ssh_port_t + tags: ssh + diff --git a/roles/ssh/tasks/service.yml b/roles/ssh/tasks/service.yml new file mode 100644 index 0000000..5a4fc5e --- /dev/null +++ b/roles/ssh/tasks/service.yml @@ -0,0 +1,5 @@ +--- + +- name: Start and enable sshd + service: name=sshd state=started enabled=True + tags: ssh
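Review bot: The `include:` statements carry no `tags`, while every task in the split-out files keeps `tags: ssh` as the old inline tasks did; depending on how the Ansible version in use resolves a bare `include`, a run limited with `--tags ssh` may skip the untagged include itself and never reach the tagged tasks, so the tag-filtered invocation this role was written for stops doing anything. Add `tags: ssh` to each include line, or, if the Ansible version has it, switch to `import_tasks`, which resolves statically and applies both `tags` and `when` to every imported task. The `when` on the selinux and iptables includes applies to the whole file, which matches the intent here.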
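Review bot: `service: name=sshd` assumes the unit is called `sshd` everywhere, but `install.yml` in this commit also supports Debian-family hosts, where the OpenSSH unit is `ssh` and the `sshd` name works only through a unit alias that exists while `ssh.service` is enabled; on a host where that alias is missing this task fails before sshd is enabled. A per-family name, e.g. `name: "{{ (ansible_os_family == 'Debian') | ternary('ssh', 'sshd') }}"`, or a role variable with that default, removes the dependency on the alias. The `restart sshd` handler referenced from `conf.yml` is outside this diff and likely needs the same treatment.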