Add ansible files

ansible/group_vars/all/vars.yml

@@ -1,2 +1,7 @@
 ---
-sshwifty_shared_key: admin
+
+sshwifty_internal_port: 8080
+sshwifty_configuration_directory: "/etc/sshwifty"
+sshwifty_work_directory: "/var/lib/sshwifty"
+
+#

ansible/group_vars/stage_development/vars.yml

@@ -0,0 +1,8 @@
+---
+sshwifty_hostname: "0.0.0.0"
+sshwifty_public_port: "80"
+sshwifty_shared_key: "demo"
+
+sshwifty_authentication: "password"
+sshwifty_ssh_password: "demo"
+sshwifty_ssh_user: "demo"

ansible/group_vars/stage_production/vars.yml

@@ -0,0 +1,5 @@
+---
+sshwifty_hostname: "443"
+sshwifty_public_port: "443"
+
+sshwifty_authentication: "password"

ansible/group_vars/stage_production/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+63313862626430363534363861306666346637323564353264396264326265303938383339313533
+3437623534323965643935333536366365366530336264310a336133363237326238653834303534
+65303830666634666130353432623632346532656266333761613566613663643330353835343336
+3836333166336530350a666634356437666436336437343765643931353164653039633232313637
+63666338313362323866633765303831613162386662343534643064633731393362396261616130
+61643364663535613965643364346565643064636134346464353166313030613032346633306364
+65396637363934303338643233373065383738656531316534363864323435323835336661396137
+38613637333663333665313437646362383862636536343761666435363663393164663463636463
+61346461653030356236313764363737653431666463663261636262656562353531333366616564
+3965313964343535303432663835346364643537316461656133

ansible/host_vars/prod-gateway0/vars.yml

@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway0.teaching.glenux.net"
+mongo_group_id: 0

ansible/host_vars/prod-gateway1/vars.yml

@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway1.teaching.glenux.net"
+mongo_group_id: 1

ansible/host_vars/prod-gateway2/vars.yml

@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway2.teaching.glenux.net"
+mongo_group_id: 2

ansible/host_vars/prod-gateway3/vars.yml

@@ -0,0 +1,4 @@
+---
+sshwifty_hostname: "gateway3.teaching.glenux.net"
+
+mongo_group_id: 3

ansible/playbook.yml

@@ -1,5 +1,11 @@
 ---
-- hosts: app_sshwifty
+# Collect tasks about role_mongo
+- hosts: role_mongo
+  become: true
+  tasks: []
+
+# Then deploy gateways
+- hosts: role_gateway
   become: true
   tasks:
     - include_tasks: tasks/setup_base.yml
@@ -15,7 +21,8 @@
       caddy_systemd_capabilities_enabled: true
       caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
 
-- hosts: app_mongo
+# And deploy mongos
+- hosts: role_mongo
   become: true
   tasks:
     - include_tasks: tasks/setup_base.yml

ansible/tasks/setup_base.yml

@@ -1,9 +1,10 @@
 ---
 
-- name: Sync time
+- name: "Sync time - first try (needed by apt)"
   ansible.builtin.shell:
-    cmd: ntpdate 0.debian.pool.ntp.org
-  ignore_errors: yes
+    cmd: hash ntpdate 2>/dev/null && ntpdate 0.debian.pool.ntp.org
+  ignore_errors: 'yes'
+  no_log: 'yes'
 
 - name: Install required system packages
   ansible.builtin.apt:
@@ -13,7 +14,7 @@
     state: latest
     update_cache: true
 
-- name: Sync time
+- name: "Sync time - for real (needed by sshwifty)"
   ansible.builtin.command:
     cmd: ntpdate 0.debian.pool.ntp.org
 

ansible/tasks/setup_docker.yml

@@ -56,4 +56,10 @@
   pip:
     name: docker
 
+- name: adding existing user vagrant to group docker
+  user:
+    name: vagrant
+    groups: docker
+    append: 'yes'
+
 #

ansible/tasks/setup_sshaccess.yml

@@ -3,10 +3,36 @@
 # python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
 - name: Add the user 'debian'
   ansible.builtin.user:
-    name: debian
-    password: '$6$7SKND.wc64QSchcm$eGS36vIXypLHSd.PQM0gIq6ILx9QiRQxWNej3Gb32sKk2MuLrRlceXCJmidYATNZeJTbBXNf3c5qTmm7BB.EA1'
+    name: "{{ sshwifty_ssh_user }}"
+    password: "{{ sshwifty_ssh_password | password_hash('sha512') }}"
     shell: /bin/bash
     state: present
     update_password: always
 
+- name: Change SSH config to allow connections with password
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/sshwifty_with_password.conf
+    content: |
+      PasswordAuthentication yes
+  register: ssh_service_conf
+
+- name: Restart SSH service to take in account new changes
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+  when: ssh_service_conf.changed
+
+- name: "adding existing user {{ sshwifty_ssh_user }} to group docker"
+  user:
+    name: "{{ sshwifty_ssh_user }}"
+    groups:
+      - docker
+      - sudo
+    append: 'yes'
+
+- name: Change SUDO config to allow sudo without password to %sudo group
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/sudo_no_pass
+    content: |
+      %sudo  ALL=(ALL) NOPASSWD: ALL
 #

ansible/tasks/setup_sshwifty.yml

@@ -6,24 +6,35 @@
     state: latest
     update_cache: true
 
+- name: Create SSHwifty configuration directory
+  file:
+    path: "{{ sshwifty_configuration_directory }}"
+    state: directory
+
+- name: Scan SSH keys
+  command: "ssh-keyscan {{item}}"
+  register: "host_keys"
+  changed_when: false
+  with_items: groups["role_mongos"]
+
 - name: Deploy SSHwifty configuration
   template:
     src: templates/sshwifty.conf.j2
-    dest: /etc/sshwifty.conf
+    dest: "{{ sshwifty_configuration_directory }}/sshwifty.conf"
 
 - name: Create SSHwifty directory
   file:
-    path: /var/lib/sshwifty
+    path: "{{ sshwifty_work_directory }}"
     state: directory
 
 - name: Deploy SSHwifty configuration
   template:
     src: templates/docker-compose.yml.j2
-    dest: /var/lib/sshwifty/docker-compose.yml
+    dest: "{{ sshwifty_work_directory }}/docker-compose.yml"
 
 - name: Run SSHwifty
   community.docker.docker_compose:
-    project_src: /var/lib/sshwifty
+    project_src: "{{ sshwifty_work_directory }}"
     recreate: smart
     state: present
 

ansible/templates/Caddyfile.j2

@@ -1,7 +1,7 @@
-http://0.0.0.0:80 {
+{{ sshwifty_hostname }}:{{ sshwifty_public_port }} {
   log
 
-  reverse_proxy http://localhost:8080 {
+  reverse_proxy localhost:{{ sshwifty_internal_port }} {
     header_up Host {http.request.host}
     header_up X-Real-IP {http.request.remote.host}
     header_up X-Forwarded-For {http.request.remote.host}

ansible/templates/docker-compose.yml.j2

@@ -7,12 +7,12 @@ services:
     image: niruix/sshwifty:latest
     restart: always
     ports:
-      - 8080:8182
+      - "{{sshwifty_internal_port}}:8182"
     environment:
-      SSHWIFTY_SHAREDKEY: admin
+      SSHWIFTY_SHAREDKEY: "{{sshwifty_shared_key}}"
       SSHWIFTY_CONFIG: /etc/sshwifty.conf
     volumes:
-      - /etc/sshwifty.conf:/etc/sshwifty.conf
+      - "{{sshwifty_configuration_directory}}/sshwifty.conf:/etc/sshwifty.conf"
 
 volumes: {}
 

ansible/templates/sshwifty.conf.j2

@@ -1,3 +1,4 @@
+{# vim: set ts=2 sw=2 et ft=jinja2,json : #}
 {
   {# "HostName": "localhost", #}
   "SharedKey": "{{ sshwifty_shared_key }}",
@@ -17,30 +18,45 @@
     }
   ],
   "Presets": [
+    {% for host in groups['role_mongo'] %}
+      {% set server_group_id = loop.index0 // mongo_replicas_count %}
+      {% set server_index = loop.index0 % mongo_replicas_count %}
+      {% set server_ip_addr = hostvars[host]['ansible_facts']['default_ipv4']['address'] %}
+      {% if server_group_id == mongo_group_id %}
+      {
+        "Title": "Group {{ server_group_id }} - Server {{ server_index }} ({{ host }})",
+        "Type": "SSH",
+        "Host": "{{ server_ip_addr }}:22",
+        "Meta": {
+        "User": "{{ sshwifty_ssh_user }}",
+        {% if "password" == sshwifty_authentication | lower %}
+        "Authentication": "Password",
+        "Password": "{{ sshwifty_ssh_password }}",
+        {% else %}
+        "Authentication": "Private Key",
+        "Private Key": "file://{{ sshwifty_ssh_private_key }}",
+        {% endif %}
+        {# "Fingerprint": home"SHA256:bgO...." #}
+        "Encoding": "utf-8"
+        }
+      },
+      {% endif %}
+    {% endfor %}
     {
-      "Title": "Gateway",
+      "Title": "Group {{ mongo_group_id }} - Gateway ({{ ansible_facts['hostname'] }})",
       "Type": "SSH",
-      "Host": "{{ansible_facts.all_ipv4_addresses | ansible.netcommon.ipaddr('192.168.50.0/24') | first }}:22",
+      "Host": "{{ ansible_ssh_host }}:22",
       "Meta": {
-        "User": "debian",
-        "Encoding": "utf-8",
-        "Password": "debian",
-        "Authentication": "Password" {# , #}
-        {# "Private Key": "file:///home/user/.ssh/private_key", #}
-        {# "Fingerprint": "SHA256:bgO...." #}
-      }
-    },
-    {
-      "Title": "SDF.org Unix Shell",
-      "Type": "SSH",
-      "Host": "sdf.org:22",
-      "Meta": {
-        "User": "debian",
-        "Encoding": "utf-8",
-        "Password": "debian",
-        "Authentication": "Password" {# , #}
-        {# "Private Key": "file:///home/user/.ssh/private_key", #}
+        "User": "{{ sshwifty_ssh_user }}",
+        {% if "password" == sshwifty_authentication | lower %}
+          "Authentication": "Password",
+          "Password": "{{ sshwifty_ssh_password }}",
+        {% else %}
+          "Authentication": "Private Key",
+          "Private Key": "file://{{ sshwifty_ssh_private_key }}",
+        {% endif %}
         {# "Fingerprint": "SHA256:bgO...." #}
+        "Encoding": "utf-8"
       }
     }
   ],