feat(ansible): secure sshd in bootstrap playbook

JesusMtnez · Dec 27, 2023 · 73fb675 · 73fb675
1 parent 9cfbcf9
commit 73fb675
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 2 deletions.
diff --git a/.taskfiles/ansible.yml b/.taskfiles/ansible.yml
@@ -21,6 +21,11 @@ tasks:
     cmds:
       - "ansible-playbook {{.ANSIBLE_PLAYBOOK_DIR}}/dietpi-txt-gen.yml"
 
+  playbook:bootstrap:
+    dir: "{{.ANSIBLE_DIR}}"
+    cmds:
+      - "ansible-playbook {{.ANSIBLE_PLAYBOOK_DIR}}/bootstrap.yml"
+
   playbook:k3s-install:
     desc: Install Kubernetes on the nodes
     dir: "{{.ANSIBLE_DIR}}"

diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
@@ -4,7 +4,8 @@ kubernetes:
     ansible_connection: ssh
     ansible_user: dietpi
     dns: 192.168.1.250
-    ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgjymAtk9hHNEGyWBgpWtMf5Jn2JfRcnZJFR4Fix040 jesus@albus"
+    ssh_keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgjymAtk9hHNEGyWBgpWtMf5Jn2JfRcnZJFR4Fix040 jesus@albus"
   children:
     servers:
       hosts:

diff --git a/ansible/playbooks/bootstrap.yml b/ansible/playbooks/bootstrap.yml
@@ -0,0 +1,46 @@
+---
+- name: Secure OpenSSH Server # tag:dietpi
+  hosts: kubernetes
+  gather_facts: true
+  become: true
+  vars:
+    sshd_config: "/etc/ssh/sshd_config"
+
+  tasks:
+    - name: Add identity key to authorized keys on host
+      ansible.posix.authorized_key:
+        user: "{{ ansible_user }}"
+        key: "{{ item }}"
+      loop: "{{ ssh_keys }}"
+      register: bootstrap_add_identity_keys
+      when: ssh_keys is defined and ansible_user is defined
+
+    - name: Disable empty password login
+      ansible.builtin.lineinfile:
+        dest: "{{ sshd_config }}"
+        regexp: '^#?PermitEmptyPasswords'
+        line: 'PermitEmptyPasswords no'
+      notify: Restart sshd
+
+    - name: Disable remote root login
+      ansible.builtin.lineinfile:
+        dest: "{{ sshd_config }}"
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+      notify: Restart sshd
+
+    - name: Disable password login
+      ansible.builtin.lineinfile:
+        dest: "{{ sshd_config }}"
+        regexp: '^(#\s*)?PasswordAuthentication '
+        line: 'PasswordAuthentication no'
+      when:
+        - bootstrap_add_identity_keys is succeeded
+        - not bootstrap_add_identity_keys is skipped
+      notify: Restart sshd
+
+  handlers:
+    - name: Restart sshd
+      ansible.builtin.service:
+        name: sshd
+        state: restarted
diff --git a/ansible/playbooks/templates/dietpi.txt.j2 b/ansible/playbooks/templates/dietpi.txt.j2
@@ -39,7 +39,7 @@ AUTO_SETUP_CUSTOM_SCRIPT_EXEC=0
 AUTO_SETUP_BACKUP_RESTORE=0
 
 AUTO_SETUP_SSH_SERVER_INDEX=-2
-AUTO_SETUP_SSH_PUBKEY={{ hostvars[item].ssh_key }}
+AUTO_SETUP_SSH_PUBKEY={{ hostvars[item].ssh_keys.0 }}
 
 AUTO_SETUP_LOGGING_INDEX=-1
 AUTO_SETUP_RAMLOG_MAXSIZE=100