add ssh and fix apache

2023-05-25 00:19:09 +02:00 · 2023-05-25 00:19:09 +02:00 · cacbca313b
parent 85e0323844
commit cacbca313b
17 changed files with 284 additions and 47 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -6,8 +6,11 @@ maverik_password_hashed: "{{ vault_user_password_hashed }}"
 charlie_password_hashed: "{{ vault_user_password_hashed }}"
 goose_password_hashed: "{{ vault_user_password_hashed }}"
 user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"
+maverik_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"
+charlie_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"
+goose_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"

-ansible_become_password: "toto" #FIXME
+ansible_become_password: "{{ vault_become_password }}"
 ansible_become_user: "root"
 ansible_become_method: "sudo"

@ -16,4 +19,5 @@ nginx_key_position: "/etc/ssl/dmz.key.pem"

 mysql_db_name: "wordpress_db"
 mysql_user_name: "wordpress_user"
-mysql_user_pass: "ApacheCestPasTerribleQuandMeme"
+mysql_user_pass: "{{ vault_mysql_user_pass }}"
+wordpress_secret: "{{ vault_wordpress_secret }}"
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,19 +1,47 @@
 $ANSIBLE_VAULT;1.1;AES256
-36346637303464633032623363643762663630363863323565623263343931393834306138666463
-3934336362316235323039616435653764323936613338340a616434656434303138646637663962
-34363762333634393863653634316638303865373632396231623734303239356365626661363832
-3039613031346637630a626464396530326237326338376166393663356538313731653639373661
-38373061313337323938656165343965633732626335653739656464343431343364326362333038
-39323834633434343062303962366531643734363235326564303538613161373161383364343539
-64646336316538613535613464623631653730316365323539396533343731356263323632383233
-62393262653637616239643834316166316432383230373232386131313866326237663265383130
-61623736393261656437346236666664393365666637366531636563303933663832396163326366
-39656164396462666634303732396439636462626366313663663766303632353266633139343939
-61336236366334336536626161353330646533663265353161643538336434623834663064323565
-33376534323330616238376562623763346565303237366639663133656562623762303961333062
-30626630383232656636363131343135626432613638623664336232376266623936633436613735
-31373033616163313239656465356632343536356637623336393965376565356338323365323862
-35653362376537396636303337306663306235653661353831616337346562643963643935653735
-63663263326466626365393634373133313239303337633766386238613634633337666536663332
-38326438363361323830356632363863636332333039353865363032613133613062323763303565
-3630663937633964666135323666326530633266353232346337
+64306530623835653465626537616236356663306637356635373939313234366338626562313237
+6464623863343531363461623533323064303539626533300a303034373739333464636631623463
+34326235343530353861386363353437633562353736666438326536396462613363396132613134
+6663363665363733660a356461616462343263343038303164326133373031323933326230346336
+39303335306234663838363234623764333437336132346338646634346161613964333962633935
+63633430636635306630353831366138623832393462653230313065323765653436353635383835
+33323132323434303635666166666165316636633531373134333065346634653639376538636632
+62386337383264333032376331346361343161616630326233376463636637396564636539666231
+66626335316266303233346532646330313366316465663339646464316438616364346635393734
+33303338663133353463336166376630626266343166663639333433303534306363623331643765
+64346239633335626564353835346166663931623735303765356334333066613730393432663737
+32653766383336656537356461393664343030336536333534313437306336643132373836383537
+31623639326364633662396637653033633263666635623732313936313739663061303437303462
+30363731643332366535363632336461316362313662353863396663666664623932333866366264
+66326630393334373535353365636162393831386539623837353732663135636637333639323863
+66616431343331343963376630303239333362326265316264376361643634643133646130366434
+64306530393038363636366663613232333231623665363531653633353430656363653663623162
+34643066366237353265336564636132643565303866313236323462323838323436666562356237
+66316530653561323363363862343033316539633261653339376437633732353761636664653334
+33336232346133346138643062616535386631636462366262666363376639613637663464613430
+39373066386636643937656565313565646339613864626365666239663361396637646463623737
+61633566363865366135373933663832326434313965306237393164656634316232646665306435
+38396335343332613663386138363965326364653862306235383035386261306463373334333432
+39646261663639376366326338306564353530383264643031333161653933363430646361643136
+64663238633430313665386433646466623033613762383238383633306235363237316436306561
+63303934353438386635653933316536356361303132316530633732386365633031363065663063
+65336536653732393563393636326364616161616131613634323235313063313162613438633035
+38373031333532333334633361616466396461646365386264373362623233616334323734306638
+64356631663231306532356438623336303666636132646431666663396366663237666231643864
+39633364313132383630633031336234336133313234333866373935666630616231643135346134
+30306333316165623135316133633235353837613437646564393832393439653064346662653830
+32363566623138393235303935653264313836633061303031336561373066393665366132636435
+64383736306439613339356232386530333964386363623462393636623231303232346362643732
+30396234343066373836663130623530643262616133623964376634623439366130383866356364
+62663162356163656133626635323466383335366465323461333430373339336362346634393265
+65616632663362623834356363343465343964313165333530376130356366343138363637303566
+66353731383439383731373137353731376532373761333834626237393439346633376333396532
+62653362626461623966316634623339646234613462613134316231613837386163383135613038
+64366236396430316338613039363264323033636235373836653635633337623137613961313236
+39373637643134663163306434623062653665396231623238633862323664653236326563366632
+66383639323530663562336565616563326530376165356234613339646339646164383632303762
+65653762666165353166333636616136353366396236313338623638353136316131653466313166
+63383862626635373632303962623162343532666130323231343330383931303461356337396339
+34626361356465353561393437353036353631353166303331313634386133363965303266376636
+63363232663231333537363239633039313232306334303633306635343830306263343637313835
+6466326337393062613033356237373238353331383966626332
--- a/playbooks/apache.yml
+++ b/playbooks/apache.yml
@ -2,8 +2,6 @@

 - name: Apache
  hosts: all
-  vars_files:
-    - ../group_vars/all/vault.yml
  roles:
    - apache
  tags:
--- a/playbooks/nginx.yml
+++ b/playbooks/nginx.yml
@ -2,8 +2,6 @@

 - name: Nginx
  hosts: all
-  vars_files:
-    - ../group_vars/all/vault.yml
  roles:
    - nginx
  tags:
--- a/playbooks/ssh.yml
+++ b/playbooks/ssh.yml
@ -0,0 +1,8 @@
+---
+
+- name: SSH
+  hosts: all
+  roles:
+    - ssh
+  tags:
+    - ssh
--- a/playbooks/wordpress.yml
+++ b/playbooks/wordpress.yml
@ -2,8 +2,6 @@

 - name: Wordpress
  hosts: all
-  vars_files:
-    - ../group_vars/all/vault.yml
  roles:
    - wordpress
  tags:
--- a/requirements.yml.bak
+++ b/requirements.yml.bak
--- a/roles/apache/tasks/webserver.yml
+++ b/roles/apache/tasks/webserver.yml
@ -11,6 +11,12 @@
      - libapache2-mod-auth-gssapi
      - krb5-user

+- name: activer module ssl apache
+  become: yes
+  shell: /usr/sbin/a2enmod ssl
+  notify:
+    - apache_reload
+

 - name: Check Wordpress default site status
  stat:
--- a/roles/apache/templates/wordpress-site.conf.j2
+++ b/roles/apache/templates/wordpress-site.conf.j2
@ -1,4 +1,4 @@
-<VirtualHost *:8000>
+<VirtualHost  localhost:8000>
 	DocumentRoot /var/www/html/wordpress

 	LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
--- a/roles/ssh/defaults/main.yml
+++ b/roles/ssh/defaults/main.yml
@ -24,10 +24,31 @@ ssh_config:
  - option: ListenAddress
    value: "0.0.0.0"
  - option: PermitRootLogin
-    value: no
+    value: "no"
  - option: LogLevel
    value: VERBOSE
  - option: ChallengeResponseAuthentication
-    value: yes
+    value: "yes"
  - option: UsePAM
-    value: yes
+    value: "yes"
+  - option: AllowUsers
+    value: maverik charlie goose ansible
+
+ssh_raw_config: |
+  Match User ansible
+    AuthenticationMethods publickey
+
+  Match User maverik
+    PubkeyAuthentication no
+    PasswordAuthentication no
+    AuthenticationMethods keyboard-interactive:pam
+
+  Match User charlie
+    PasswordAuthentification no
+    AuthenticationMethods publickey,keyboard-interactive:pam
+
+  Match User goose
+    PubkeyAuthentication no
+    PasswordAuthentication yes
+
+
--- a/roles/ssh/handlers/main.yml
+++ b/roles/ssh/handlers/main.yml
@ -0,0 +1,7 @@
+---
+
+- name: restart_ssh
+  become: True
+  service:
+    name: "ssh"
+    state: reloaded
--- a/roles/ssh/tasks/gauth.yml
+++ b/roles/ssh/tasks/gauth.yml
@ -0,0 +1,49 @@
+---
+
+- name: Install gauth OTP
+  ansible.builtin.apt:
+    install_recommends: false
+    update_cache: true
+    state: present
+    name:
+      - libpam-google-authenticator
+      - libpam0g-dev
+
+- name: Generate a time-based code for maverik
+  command:
+    cmd: '/usr/bin/google-authenticator -t -f -d --label="maverik@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/maverik/.google_authenticator'
+  ignore_errors: True
+
+- name: Generate a time-based code for charlie
+  ansible.builtin.command:
+    cmd: '/usr/bin/google-authenticator -t -f -d --label="charlie@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/charlie/.google_authenticator'
+  ignore_errors: True
+
+- name: Generate a time-based code for goose
+  ansible.builtin.command:
+    cmd: '/usr/bin/google-authenticator -t -f -d --label="goose@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/goose/.google_authenticator'
+  ignore_errors: True
+
+- name: Add Google auth PAM
+  ansible.builtin.lineinfile:
+    dest: "/etc/pam.d/sshd"
+    line: "auth required pam_google_authenticator.so"
+    insertbefore: BOF
+    state: present
+
+- name: Add Google PAM
+  ansible.builtin.lineinfile:
+    dest: "/etc/pam.d/sshd"
+    line: "auth required pam_google_authenticator.so"
+    insertbefore: BOF
+    state: present
+
+- name: Delete Old authentication
+  ansible.builtin.lineinfile:
+    path: "/etc/pam.d/sshd"
+    regexp: "^@include common-auth"
+    line: "#@include common-auth"
+    owner: root
+    group: root
+    mode: '0644'
+
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@ -14,3 +14,9 @@
  remote_user: ansible
  become: True
  ansible.builtin.import_tasks: ssh.yml
+
+- name: SSH Auth
+  remote_user: ansible
+  become: True
+  ansible.builtin.import_tasks: gauth.yml
+
--- a/roles/ssh/tasks/permissions.yml
+++ b/roles/ssh/tasks/permissions.yml
@ -9,11 +9,9 @@
    mode: '0440'

 - name: Permissions for user "{{ user.name }}"
-  ansible.builtin.lineinfile:
-    path: /etc/sudoers
-    state: present
-    insertafter: "^# User privilege specification$"
-    line: "{{ user.config  }}"
-  loop: "{{ users }}"
-  loop_control:
-    loop_var: user
+  ansible.builtin.template:
+    src: "sudoers.j2"
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: '0440'
--- a/roles/ssh/tasks/ssh.yml
+++ b/roles/ssh/tasks/ssh.yml
@ -1,8 +1,13 @@
 ---

 - name: SSHD configuration 
-  ansible.builtin.linefile:
+  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    regex: "^(# *)?{{ item.option }}"
    line: "{{ item.option }} {{ item.value }}"
  loop: "{{ ssh_config }}"
+
+- name: Insert/Update user configuration blocl
+  ansible.builtin.blockinfile:
+    path: "/etc/ssh/sshd_config"
+    block: "{{ ssh_raw_config }}"
--- a/roles/ssh/templates/sudoers.j2
+++ b/roles/ssh/templates/sudoers.j2
@ -0,0 +1,31 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults	env_reset
+Defaults	mail_badpass
+Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root	ALL=(ALL:ALL) ALL
+
+{% for user in users -%}
+{{ user.config }}
+{% endfor %}
+
+# Allow members of group sudo to execute any command
+%sudo	ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
--- a/roles/wordpress/templates/config-localhost.php.j2
+++ b/roles/wordpress/templates/config-localhost.php.j2
@ -1,4 +1,26 @@
 <?php
+/**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the installation.
+ * You don't have to use the web site, you can copy this file to "wp-config.php"
+ * and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * Database settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://wordpress.org/documentation/article/editing-wp-config-php/
+ *
+ * @package WordPress
+ */
+
+// ** Database settings - You can get this info from your web host ** //
+
+define( 'DB_COLLATE', '' );
 define('DB_NAME', '{{ mysql_db_name }}');
 define('DB_USER', '{{ mysql_user_name }}');
 define('DB_PASSWORD', '{{ mysql_user_pass }}');
@ -6,5 +28,63 @@
 define('WP_CONTENT_DIR', '/var/www/html/wordpress/wp-content');
 define('WP_HOME', 'https://192.168.3.2/blog/');
 define('WP_SITEURL', 'https://192.168.3.2/blog/');
-?>
+
+
+/**#@+
+ * Authentication unique keys and salts.
+ *
+ * Change these to different unique phrases! You can generate these using
+ * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
+ *
+ * You can change these at any point in time to invalidate all existing cookies.
+ * This will force all users to have to log in again.
+ *
+ * @since 2.6.0
+ */
+define( 'AUTH_KEY',         '{{ wordpress_secret }}' );
+define( 'SECURE_AUTH_KEY',  '{{ wordpress_secret }}' );
+define( 'LOGGED_IN_KEY',    '{{ wordpress_secret }}' );
+define( 'NONCE_KEY',        '{{ wordpress_secret }}' );
+define( 'AUTH_SALT',        '{{ wordpress_secret }}' );
+define( 'SECURE_AUTH_SALT', '{{ wordpress_secret }}' );
+define( 'LOGGED_IN_SALT',   '{{ wordpress_secret }}' );
+define( 'NONCE_SALT',       '{{ wordpress_secret }}' );
+
+/**#@-*/
+
+/**
+ * WordPress database table prefix.
+ *
+ * You can have multiple installations in one database if you give each
+ * a unique prefix. Only numbers, letters, and underscores please!
+ */
+$table_prefix = 'wp_';
+
+/**
+ * For developers: WordPress debugging mode.
+ *
+ * Change this to true to enable the display of notices during development.
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG
+ * in their development environments.
+ *
+ * For information on other constants that can be used for debugging,
+ * visit the documentation.
+ *
+ * @link https://wordpress.org/documentation/article/debugging-in-wordpress/
+ */
+define( 'WP_DEBUG', false );
+
+/* Add any custom values between this line and the "stop editing" line. */
+
+
+
+/* That's all, stop editing! Happy publishing. */
+
+/** Absolute path to the WordPress directory. */
+if ( ! defined( 'ABSPATH' ) ) {
+	define( 'ABSPATH', __DIR__ . '/' );
+}
+
+/** Sets up WordPress vars and included files. */
+require_once ABSPATH . 'wp-settings.php';