From ff95d9308deb004b3ea4e6e51d20edc75921bfcd Mon Sep 17 00:00:00 2001
From: GROUPE 6
Date: Tue, 23 May 2023 03:47:37 +0200
Subject: [PATCH] first
---
 .gitignore | 1 +
 group_vars/all/main.yml | 3 +
 playbooks/ssh.yml | 0
 requirements.yml => requirements.yml.bak | 0
 roles/apache/templates/wordpress-site.conf.j2 | 2 +-
 roles/ssh/defaults/main.yml | 33 +++++
 roles/ssh/files/sudoers | 26 ++++
 roles/ssh/tasks/main.yml | 16 +++
 roles/ssh/tasks/permissions.yml | 19 +++
 roles/ssh/tasks/ssh.yml | 8 ++
 roles/ssh/tasks/users.yml | 39 ++++++
 simple-ansible-inventory.py | 3 +
 sshd_config | 123 ++++++++++++++++++
 13 files changed, 272 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 playbooks/ssh.yml
 rename requirements.yml => requirements.yml.bak (100%)
 create mode 100644 roles/ssh/defaults/main.yml
 create mode 100644 roles/ssh/files/sudoers
 create mode 100644 roles/ssh/tasks/main.yml
 create mode 100644 roles/ssh/tasks/permissions.yml
 create mode 100644 roles/ssh/tasks/ssh.yml
 create mode 100644 roles/ssh/tasks/users.yml
 create mode 100644 sshd_config
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 9c1cebe..d5f0e6c 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -2,6 +2,9 @@
 root_password_hashed: "{{ vault_root_password_hashed }}"
 user_password_hashed: "{{ vault_user_password_hashed }}"
+maverik_password_hashed: "{{ vault_user_password_hashed }}"
+charlie_password_hashed: "{{ vault_user_password_hashed }}"
+goose_password_hashed: "{{ vault_user_password_hashed }}"
 user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"
 ansible_become_password: "toto" #FIXME
diff --git a/playbooks/ssh.yml b/playbooks/ssh.yml
new file mode 100644
index 0000000..e69de29
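Review bot: The three new `*_password_hashed` variables all resolve to the same `vault_user_password_hashed`, so maverik, charlie and goose (two of them sudo members per users.yml) share one password hash, and a compromise of any one account is a compromise of all three. Give each account its own vaulted value, e.g. `maverik_password_hashed: "{{ vault_maverik_password_hashed }}"`, and likewise for charlie and goose. The surrounding `ansible_become_password: "toto" #FIXME` line is pre-existing context, but it is a plaintext privilege-escalation credential committed in group_vars; it belongs in the vault as well.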
diff --git a/requirements.yml b/requirements.yml.bak
similarity index 100%
rename from requirements.yml
rename to requirements.yml.bak
diff --git a/roles/apache/templates/wordpress-site.conf.j2 b/roles/apache/templates/wordpress-site.conf.j2
index 5c92ff2..bc6df90 100644
--- a/roles/apache/templates/wordpress-site.conf.j2
+++ b/roles/apache/templates/wordpress-site.conf.j2
@@ -1,6 +1,6 @@ Listen 8000 - + DocumentRoot /usr/share/wordpress Alias /wp-content /var/lib/wordpress/wp-content
diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
new file mode 100644
index 0000000..a759e1b
--- /dev/null
+++ b/roles/ssh/defaults/main.yml
@@ -0,0 +1,33 @@
+---
+
+users:
+ - name: maverik
+ groups:
+ - TOPGUN
+ - sudo
+ config: "maverik ALL = (maverik) /usr/sbin/reboot,/usr/bin/apt"
+ - name: charlie
+ groups:
+ - TOPGUN
+ - sudo
+ config: |
+ Defaults:charlie timestamp_timeout=15
+ charlie ALL=(ALL:ALL) ALL
+ - name: goose
+ groups:
+ - TOPGUN
+ config: ""
+
+ssh_config:
+ - option: Port
+ value: 22
+ - option: ListenAddress
+ value: "0.0.0.0"
+ - option: PermitRootLogin
+ value: no
+ - option: LogLevel
+ value: VERBOSE
+ - option: ChallengeResponseAuthentication
+ value: yes
+ - option: UsePAM
+ value: yes
diff --git a/roles/ssh/files/sudoers b/roles/ssh/files/sudoers
new file mode 100644
index 0000000..1ab5c22
--- /dev/null
+++ b/roles/ssh/files/sudoers
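Review bot: `value: no` for PermitRootLogin and `value: yes` for ChallengeResponseAuthentication and UsePAM are parsed as YAML booleans, so the `{{ item.option }} {{ item.value }}` template in ssh.yml renders `PermitRootLogin False` and `UsePAM True`, which sshd does not accept; quote them as strings, `value: "no"` and `value: "yes"` (`value: 22` renders as `22` and is fine). The `charlie` entry grants `charlie ALL=(ALL:ALL) ALL`, i.e. unrestricted sudo, and its `|` block scalar keeps a trailing newline that lineinfile would write into /etc/sudoers verbatim; use `config: |-` and confirm that level of access is intended rather than a command list like maverik's. `goose` has `config: ""`, which the permissions loop will still try to insert as an empty line; either omit the key for users without a sudo rule or have the loop skip empty values.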
@@ -0,0 +1,26 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# group privilege specification
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..996a64a
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Users
+ remote_user: ansible
+ become: True
+ ansible.builtin.import_tasks: users.yml
+
+- name: Users permissions
+ remote_user: ansible
+ become: True
+ ansible.builtin.import_tasks: permissions.yml
+
+- name: SSH config
+ remote_user: ansible
+ become: True
+ ansible.builtin.import_tasks: ssh.yml
diff --git a/roles/ssh/tasks/permissions.yml b/roles/ssh/tasks/permissions.yml
new file mode 100644
index 0000000..e0cb4a4
--- /dev/null
+++ b/roles/ssh/tasks/permissions.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Default sudo config
+ ansible.builtin.copy:
+ src: sudoers
+ dest: /etc/sudoers.conf
+ owner: root
+ group: root
+ mode: '0440'
+
+- name: Permissions for user "{{ user.name }}"
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers
+ state: present
+ insertafter: "^# User privilege specification$"
+ line: "{{ user.config }}"
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
diff --git a/roles/ssh/tasks/ssh.yml b/roles/ssh/tasks/ssh.yml
new file mode 100644
index 0000000..f3061c8
--- /dev/null
+++ b/roles/ssh/tasks/ssh.yml
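Review bot: The `# group privilege specification` section is left empty, so this file carries no `%sudo` rule; if that is deliberate (access only through the per-user lines permissions.yml appends, and the `sudo` group membership in users.yml is then meaningless) it should say so, e.g. `# No %sudo rule on purpose: rights are granted per user by roles/ssh/tasks/permissions.yml`. The header itself states the file MUST be edited with visudo, yet the role copies it without any syntax check; whichever task installs it should carry `validate: '/usr/sbin/visudo -cf %s'`.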
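Review bot: `become: True` on all three imports uses a capitalised YAML 1.1 boolean; write `become: true` for consistency with yamllint's truthy rule and the rest of the repo's lowercase style. `remote_user: ansible` is repeated on every import as well; it is a play-level setting and belongs in playbooks/ssh.yml (currently committed empty) rather than on each `import_tasks`.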
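Review bot: The `Default sudo config` task copies the role's sudoers file to `/etc/sudoers.conf`, a path sudo does not read, while the `Permissions` task then edits the real `/etc/sudoers` with lineinfile and no `validate`, so one malformed `user.config` line breaks sudo for every account on the host, including the `ansible` user this role relies on for `become`. Point `dest` at `/etc/sudoers` (or, as the file's own header recommends, drop one file per user into `/etc/sudoers.d/` with the same `0440` mode) and add `validate: '/usr/sbin/visudo -cf %s'` to both tasks. Without a `regexp`, lineinfile only checks whether the exact line already exists, so when a user's `config` changes the old rule stays and the new one is added beside it; a `regexp: "^{{ user.name }} "` keeps the task idempotent. For `goose`, whose `config` is `""`, the task inserts an empty line; guard the loop with `when: user.config | length > 0`.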
@@ -0,0 +1,8 @@
+---
+
+- name: SSHD configuration
+ ansible.builtin.linefile:
+ path: "/etc/ssh/sshd_config"
+ regex: "^(# *)?{{ item.option }}"
+ line: "{{ item.option }} {{ item.value }}"
+ loop: "{{ ssh_config }}"
diff --git a/roles/ssh/tasks/users.yml b/roles/ssh/tasks/users.yml
new file mode 100644
index 0000000..26c2a54
--- /dev/null
+++ b/roles/ssh/tasks/users.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Add TOPGUN group
+ ansible.builtin.group:
+ name: TOPGUN
+ state: present
+
+- name: Add maverik account
+ ansible.builtin.user:
+ name: maverik
+ state: present
+ shell: /bin/bash
+ groups:
+ - TOPGUN
+ - sudo
+ append: yes
+ password: "{{ maverik_password_hashed }}"
+
+- name: Add charlie account
+ ansible.builtin.user:
+ name: charlie
+ state: present
+ shell: /bin/bash
+ groups:
+ - TOPGUN
+ - sudo
+ append: yes
+ password: "{{ charlie_password_hashed }}"
+
+- name: Add goose account
+ ansible.builtin.user:
+ name: goose
+ state: present
+ shell: /bin/bash
+ groups:
+ - TOPGUN
+ - sudo
+ append: yes
+ password: "{{ goose_password_hashed }}"
diff --git a/simple-ansible-inventory.py b/simple-ansible-inventory.py
index a516bf8..779a4fc 100755
--- a/simple-ansible-inventory.py
+++ b/simple-ansible-inventory.py
@@ -325,3 +325,6 @@ if __name__ == "__main__":
 elif parsed_arguments.host:
 LOGGER.debug("host flag found")
 print(json.dumps(dict()))
+ else:
+ LOGGER.debug("no flag found, listing")
+ print(json.dumps(list_all_hosts()))
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..80fd33a
--- /dev/null
+++ b/sshd_config
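Review bot: `ansible.builtin.linefile` is not a module name; the task fails to resolve before touching the host, and it should read `ansible.builtin.lineinfile:` (`regex` is a valid alias of `regexp` and can stay). Once it resolves, the task rewrites `/etc/ssh/sshd_config` in place with neither `validate: '/usr/sbin/sshd -t -f %s'` nor a `notify` to a restart handler, so an invalid line (the defaults' unquoted `yes`/`no` values render as `True`/`False`) is written silently and only bites on the next sshd restart, when it can lock out remote access. Add the validate line and a handler that restarts sshd, so a bad value fails the play instead of the next reboot. Note also that a Debian-style sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it sees, so a drop-in there can override whatever this task writes below it; worth a comment on the task if that is known.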
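Review bot: `goose` is added to the `sudo` group in the `Add goose account` task, whereas `roles/ssh/defaults/main.yml` lists goose with only `TOPGUN` and an empty sudo config; on hosts whose stock sudoers grants `%sudo` full rights (the Debian default) this gives goose unrestricted sudo that the defaults clearly do not intend, so drop `- sudo` from that task. The three `ansible.builtin.user` tasks are copies of each other and duplicate the group lists already held in `users`; a single task looping over `users` with `groups: "{{ user.groups }}"` and `password: "{{ lookup('vars', user.name ~ '_password_hashed') }}"` keeps membership defined in one place. `append: yes` is a YAML boolean here; prefer `append: true`.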
@@ -0,0 +1,123 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+SyslogFacility AUTH
+LogLevel DEBUG3
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PermitEmptyPasswords yes
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
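Review bot: `PermitEmptyPasswords yes` combined with `PasswordAuthentication yes` lets any account whose password field is empty log in over the network with no credential at all; restore the default `PermitEmptyPasswords no`, and since `user_ssh_key` is already distributed by group_vars, `PasswordAuthentication no` is the safer setting. `LogLevel DEBUG3` is a debugging level that sshd_config(5) describes as violating user privacy and it floods the auth log; `VERBOSE`, which the role's own `ssh_config` default requests, is the appropriate production value. `X11Forwarding yes` is enabled with no stated need and should stay at `no` unless a consumer requires it. This file also contradicts `roles/ssh/defaults/main.yml` (`PermitRootLogin prohibit-password` here vs `no` there, `ChallengeResponseAuthentication no` vs `yes`) and nothing in the role references it, so a comment at the top should say whether it is a reference copy or the intended deployed configuration.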