diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
index 4880604..841e0eb 100644
--- a/ansible/group_vars/all/vars.yml
+++ b/ansible/group_vars/all/vars.yml
@@ -1,2 +1,7 @@
 ---
-sshwifty_shared_key: admin
+
+sshwifty_internal_port: 8080
+sshwifty_configuration_directory: "/etc/sshwifty"
+sshwifty_work_directory: "/var/lib/sshwifty"
+
+#
diff --git a/ansible/group_vars/stage_development/vars.yml b/ansible/group_vars/stage_development/vars.yml
new file mode 100644
index 0000000..63e75f4
--- /dev/null
+++ b/ansible/group_vars/stage_development/vars.yml
@@ -0,0 +1,8 @@
+---
+sshwifty_hostname: "0.0.0.0"
+sshwifty_public_port: "80"
+sshwifty_shared_key: "demo"
+
+sshwifty_authentication: "password"
+sshwifty_ssh_password: "demo"
+sshwifty_ssh_user: "demo"
diff --git a/ansible/group_vars/stage_production/vars.yml b/ansible/group_vars/stage_production/vars.yml
new file mode 100644
index 0000000..6aa3aee
--- /dev/null
+++ b/ansible/group_vars/stage_production/vars.yml
@@ -0,0 +1,5 @@
+---
+sshwifty_hostname: "443"
+sshwifty_public_port: "443"
+
+sshwifty_authentication: "password"
diff --git a/ansible/group_vars/stage_production/vault.yml b/ansible/group_vars/stage_production/vault.yml
new file mode 100644
index 0000000..90efe6b
--- /dev/null
+++ b/ansible/group_vars/stage_production/vault.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+63313862626430363534363861306666346637323564353264396264326265303938383339313533
+3437623534323965643935333536366365366530336264310a336133363237326238653834303534
+65303830666634666130353432623632346532656266333761613566613663643330353835343336
+3836333166336530350a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
diff --git a/ansible/host_vars/prod-gateway0/vars.yml b/ansible/host_vars/prod-gateway0/vars.yml
new file mode 100644
index 0000000..96a046a
--- /dev/null
+++ b/ansible/host_vars/prod-gateway0/vars.yml
@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway0.teaching.glenux.net"
+mongo_group_id: 0
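Review bot: The trailing `+#` line adds an empty comment with no content and the file is cleaner without it. `sshwifty_internal_port: 8080` is an unquoted integer while `sshwifty_public_port: "80"` in stage_development/vars.yml is a quoted string; both only ever land in text templates, so pick one representation for the port family, e.g. `sshwifty_internal_port: "8080"`. Dropping the `sshwifty_shared_key: admin` default means templating now fails on any stage that does not define the key (stage_development sets it, production presumably does in vault.yml); a comment such as `# sshwifty_shared_key is required and must be set per stage` would make that requirement visible here.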
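Review bot: `sshwifty_hostname: "443"` appears to be the port value pasted into the hostname key; fed into Caddyfile.j2 it renders the site address as `443:443 {`. The `host_vars/prod-gateway*/vars.yml` files override it for the four listed gateways, so the group value only applies to a production host without its own file, where it yields a broken Caddy config rather than a clear error; either remove the key here or set a real hostname. Note also that `sshwifty_authentication: "password"` combines with the `sudo` group membership and NOPASSWD drop-in added in setup_sshaccess.yml, so if that task file runs on these hosts the SSH password kept in vault.yml is effectively a root credential for the gateways; confirm that matches the intended threat model.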
diff --git a/ansible/host_vars/prod-gateway1/vars.yml b/ansible/host_vars/prod-gateway1/vars.yml
new file mode 100644
index 0000000..566d1ec
--- /dev/null
+++ b/ansible/host_vars/prod-gateway1/vars.yml
@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway1.teaching.glenux.net"
+mongo_group_id: 1
diff --git a/ansible/host_vars/prod-gateway2/vars.yml b/ansible/host_vars/prod-gateway2/vars.yml
new file mode 100644
index 0000000..68c2469
--- /dev/null
+++ b/ansible/host_vars/prod-gateway2/vars.yml
@@ -0,0 +1,3 @@
+---
+sshwifty_hostname: "gateway2.teaching.glenux.net"
+mongo_group_id: 2
diff --git a/ansible/host_vars/prod-gateway3/vars.yml b/ansible/host_vars/prod-gateway3/vars.yml
new file mode 100644
index 0000000..93e1fe6
--- /dev/null
+++ b/ansible/host_vars/prod-gateway3/vars.yml
@@ -0,0 +1,4 @@
+---
+sshwifty_hostname: "gateway3.teaching.glenux.net"
+
+mongo_group_id: 3
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index e392d4a..a74a70a 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -1,5 +1,11 @@
 ---
-- hosts: app_sshwifty
+# Collect tasks about role_mongo
+- hosts: role_mongo
+ become: true
+ tasks: []
+
+# Then deploy gateways
+- hosts: role_gateway
 become: true
 tasks:
 - include_tasks: tasks/setup_base.yml
@@ -15,7 +21,8 @@
 caddy_systemd_capabilities_enabled: true
 caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
 
-- hosts: app_mongo
+# And deploy mongos
+- hosts: role_mongo
 become: true
 tasks:
 - include_tasks: tasks/setup_base.yml
diff --git a/ansible/tasks/setup_base.yml b/ansible/tasks/setup_base.yml
index d9a4d0f..d6248d2 100644
--- a/ansible/tasks/setup_base.yml
+++ b/ansible/tasks/setup_base.yml
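Review bot: The comment `# Collect tasks about role_mongo` above the new empty play does not say what the play is for; it has `tasks: []`, so its only effect is that fact gathering runs on the role_mongo hosts before the gateway play, which sshwifty.conf.j2 depends on through `hostvars[host]['ansible_facts']`. Suggest `# Gather facts on role_mongo first: the gateway templates read hostvars[host]['ansible_facts']`. `become: true` on a play with no tasks is probably not needed and can be dropped; an explicit `gather_facts: true` would document the intent instead. The gateway play's task list continues outside the hunk.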
@@ -1,9 +1,10 @@
 ---
-- name: Sync time
+- name: "Sync time - first try (needed by apt)"
 ansible.builtin.shell:
- cmd: ntpdate 0.debian.pool.ntp.org
- ignore_errors: yes
+ cmd: hash ntpdate 2>/dev/null && ntpdate 0.debian.pool.ntp.org
+ ignore_errors: 'yes'
+ no_log: 'yes'
 
 - name: Install required system packages
 ansible.builtin.apt:
@@ -13,7 +14,7 @@
 state: latest
 update_cache: true
 
-- name: Sync time
+- name: "Sync time - for real (needed by sshwifty)"
 ansible.builtin.command:
 cmd: ntpdate 0.debian.pool.ntp.org
diff --git a/ansible/tasks/setup_docker.yml b/ansible/tasks/setup_docker.yml
index d78036b..bfa466f 100644
--- a/ansible/tasks/setup_docker.yml
+++ b/ansible/tasks/setup_docker.yml
@@ -56,4 +56,10 @@
 pip:
 name: docker
 
+- name: adding existing user vagrant to group docker
+ user:
+ name: vagrant
+ groups: docker
+ append: 'yes'
+
 #
diff --git a/ansible/tasks/setup_sshaccess.yml b/ansible/tasks/setup_sshaccess.yml
index 5963e3b..c60b498 100644
--- a/ansible/tasks/setup_sshaccess.yml
+++ b/ansible/tasks/setup_sshaccess.yml
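Review bot: `no_log: 'yes'` on the first ntpdate task hides the command output and error text, and `ignore_errors` then swallows the failure, so a clock skew that later breaks apt leaves nothing in the log to diagnose; `no_log` is for tasks that handle secrets and this one handles none. Suggest dropping `no_log` and writing the boolean unquoted, `ignore_errors: true`, to match `update_cache: true` in the same file instead of relying on Ansible coercing the string `'yes'`. The `hash ntpdate 2>/dev/null &&` guard also makes the task a silent no-op when ntpdate is not installed yet, which is presumably the point before apt runs; a `register` plus `failed_when: false` would keep that visible in the play output.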
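Review bot: The new `user:` task will create the `vagrant` account if it is absent, since `state` defaults to `present`, so on a non-Vagrant host it adds a `vagrant` user and places it in the `docker` group, which is root-equivalent through the Docker socket. The task name says "existing user" but nothing enforces that; gate it, e.g. `when: "'vagrant' in getent_passwd"` after an `ansible.builtin.getent` task with `database: passwd`, or confine it to the development stage. `append: 'yes'` should be `append: true` to match the other booleans in this file.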
@@ -3,10 +3,36 @@
 # python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
 - name: Add the user 'debian'
 ansible.builtin.user:
- name: debian
- password: '$6$7SKND.wc64QSchcm$eGS36vIXypLHSd.PQM0gIq6ILx9QiRQxWNej3Gb32sKk2MuLrRlceXCJmidYATNZeJTbBXNf3c5qTmm7BB.EA1'
+ name: "{{ sshwifty_ssh_user }}"
+ password: "{{ sshwifty_ssh_password | password_hash('sha512') }}"
 shell: /bin/bash
 state: present
 update_password: always
 
+- name: Change SSH config to allow connections with password
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/sshwifty_with_password.conf
+ content: |
+ PasswordAuthentication yes
+ register: ssh_service_conf
+
+- name: Restart SSH service to take in account new changes
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
+ when: ssh_service_conf.changed
+
+- name: "adding existing user {{ sshwifty_ssh_user }} to group docker"
+ user:
+ name: "{{ sshwifty_ssh_user }}"
+ groups:
+ - docker
+ - sudo
+ append: 'yes'
+
+- name: Change SUDO config to allow sudo without password to %sudo group
+ ansible.builtin.copy:
+ dest: /etc/sudoers.d/sudo_no_pass
+ content: |
+ %sudo ALL=(ALL) NOPASSWD: ALL
 #
diff --git a/ansible/tasks/setup_sshwifty.yml b/ansible/tasks/setup_sshwifty.yml
index 1a5bc2f..ff1de58 100644
--- a/ansible/tasks/setup_sshwifty.yml
+++ b/ansible/tasks/setup_sshwifty.yml
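Review bot: The `copy` that writes `/etc/sudoers.d/sudo_no_pass` sets neither `validate: /usr/sbin/visudo -cf %s` nor `mode: '0440'`; a malformed or wrongly permissioned drop-in makes sudo refuse to run for everyone on the host, and the validate hook is the standard guard. The sshd drop-in likewise assumes `/etc/ssh/sshd_config.d/` is included by the main config (true on recent Debian, not older releases) and could use `validate: /usr/sbin/sshd -t -f %s` before the restart. `password_hash('sha512')` with no salt yields a different hash on each run, so with `update_password: always` the user task reports changed every time; `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)` keeps it idempotent. Adding the user to `sudo` with NOPASSWD and to `docker` turns the password that sshwifty.conf.j2 renders in clear text into a root credential; confirm that is intended for production.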
@@ -6,24 +6,35 @@
 state: latest
 update_cache: true
 
+- name: Create SSHwifty configuration directory
+ file:
+ path: "{{ sshwifty_configuration_directory }}"
+ state: directory
+
+- name: Scan SSH keys
+ command: "ssh-keyscan {{item}}"
+ register: "host_keys"
+ changed_when: false
+ with_items: groups["role_mongos"]
+
 - name: Deploy SSHwifty configuration
 template:
 src: templates/sshwifty.conf.j2
- dest: /etc/sshwifty.conf
+ dest: "{{ sshwifty_configuration_directory }}/sshwifty.conf"
 
 - name: Create SSHwifty directory
 file:
- path: /var/lib/sshwifty
+ path: "{{ sshwifty_work_directory }}"
 state: directory
 
 - name: Deploy SSHwifty configuration
 template:
 src: templates/docker-compose.yml.j2
- dest: /var/lib/sshwifty/docker-compose.yml
+ dest: "{{ sshwifty_work_directory }}/docker-compose.yml"
 
 - name: Run SSHwifty
 community.docker.docker_compose:
- project_src: /var/lib/sshwifty
+ project_src: "{{ sshwifty_work_directory }}"
 recreate: smart
 state: present
diff --git a/ansible/templates/Caddyfile.j2 b/ansible/templates/Caddyfile.j2
index 9b9b685..80c1be1 100644
--- a/ansible/templates/Caddyfile.j2
+++ b/ansible/templates/Caddyfile.j2
@@ -1,7 +1,7 @@
-http://0.0.0.0:80 {
+{{ sshwifty_hostname }}:{{ sshwifty_public_port }} {
 log
- reverse_proxy http://localhost:8080 {
+ reverse_proxy localhost:{{ sshwifty_internal_port }} {
 header_up Host {http.request.host}
 header_up X-Real-IP {http.request.remote.host}
 header_up X-Forwarded-For {http.request.remote.host}
diff --git a/ansible/templates/docker-compose.yml.j2 b/ansible/templates/docker-compose.yml.j2
index e0c5597..e951a73 100644
--- a/ansible/templates/docker-compose.yml.j2
+++ b/ansible/templates/docker-compose.yml.j2
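Review bot: `with_items: groups["role_mongos"]` names a group `role_mongos` while playbook.yml and sshwifty.conf.j2 use `role_mongo`, and the bare string is not a Jinja expression, so on current Ansible it is most likely iterated as the literal text; use `loop: "{{ groups['role_mongo'] }}"`. The registered `host_keys` result is not consumed in this hunk and the template still leaves every `"Fingerprint"` commented out, so the scan has no effect on host key verification; either render the scanned keys into the presets or drop the task. The template task that writes sshwifty.conf sets no `mode`, yet the rendered file contains the SSH password in clear text; add `mode: '0600'`. `register: "host_keys"` and `{{item}}` would read better as `register: host_keys` and `{{ item }}`, matching the rest of the file.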
@@ -7,12 +7,12 @@ services:
 image: niruix/sshwifty:latest
 restart: always
 ports:
- - 8080:8182
+ - "{{sshwifty_internal_port}}:8182"
 environment:
- SSHWIFTY_SHAREDKEY: admin
+ SSHWIFTY_SHAREDKEY: "{{sshwifty_shared_key}}"
 SSHWIFTY_CONFIG: /etc/sshwifty.conf
 volumes:
- - /etc/sshwifty.conf:/etc/sshwifty.conf
+ - "{{sshwifty_configuration_directory}}/sshwifty.conf:/etc/sshwifty.conf"
 
 volumes: {}
diff --git a/ansible/templates/sshwifty.conf.j2 b/ansible/templates/sshwifty.conf.j2
index 084c4e6..32e43e7 100644
--- a/ansible/templates/sshwifty.conf.j2
+++ b/ansible/templates/sshwifty.conf.j2
@@ -1,3 +1,4 @@
+{# vim: set ts=2 sw=2 et ft=jinja2,json : #}
 {
 {# "HostName": "localhost", #}
 "SharedKey": "{{ sshwifty_shared_key }}",
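Review bot: `- "{{sshwifty_internal_port}}:8182"` publishes the container port on every host interface, so the sshwifty backend on 8080 is reachable directly from outside, bypassing the Caddy front end that proxies from `localhost:{{ sshwifty_internal_port }}` and, on production, its TLS on `:443`; Docker-published ports are typically not governed by INPUT-chain host firewall rules either. Bind the mapping to loopback: `- "127.0.0.1:{{sshwifty_internal_port}}:8182"`. The Jinja expressions in this file omit the spaces inside the braces that the other templates use; `{{ sshwifty_shared_key }}` would be consistent.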
@@ -17,30 +18,45 @@
 }
 ],
 "Presets": [
+ {% for host in groups['role_mongo'] %}
+ {% set server_group_id = loop.index0 // mongo_replicas_count %}
+ {% set server_index = loop.index0 % mongo_replicas_count %}
+ {% set server_ip_addr = hostvars[host]['ansible_facts']['default_ipv4']['address'] %}
+ {% if server_group_id == mongo_group_id %}
+ {
+ "Title": "Group {{ server_group_id }} - Server {{ server_index }} ({{ host }})",
+ "Type": "SSH",
+ "Host": "{{ server_ip_addr }}:22",
+ "Meta": {
+ "User": "{{ sshwifty_ssh_user }}",
+ {% if "password" == sshwifty_authentication | lower %}
+ "Authentication": "Password",
+ "Password": "{{ sshwifty_ssh_password }}",
+ {% else %}
+ "Authentication": "Private Key",
+ "Private Key": "file://{{ sshwifty_ssh_private_key }}",
+ {% endif %}
+ {# "Fingerprint": home"SHA256:bgO...." #}
+ "Encoding": "utf-8"
+ }
+ },
+ {% endif %}
+ {% endfor %}
 {
- "Title": "Gateway",
+ "Title": "Group {{ mongo_group_id }} - Gateway ({{ ansible_facts['hostname'] }})",
 "Type": "SSH",
- "Host": "{{ansible_facts.all_ipv4_addresses | ansible.netcommon.ipaddr('192.168.50.0/24') | first }}:22",
+ "Host": "{{ ansible_ssh_host }}:22",
 "Meta": {
- "User": "debian",
- "Encoding": "utf-8",
- "Password": "debian",
- "Authentication": "Password" {# , #}
- {# "Private Key": "file:///home/user/.ssh/private_key", #}
- {# "Fingerprint": "SHA256:bgO...." #}
- }
- },
- {
- "Title": "SDF.org Unix Shell",
- "Type": "SSH",
- "Host": "sdf.org:22",
- "Meta": {
- "User": "debian",
- "Encoding": "utf-8",
- "Password": "debian",
- "Authentication": "Password" {# , #}
- {# "Private Key": "file:///home/user/.ssh/private_key", #}
+ "User": "{{ sshwifty_ssh_user }}",
+ {% if "password" == sshwifty_authentication | lower %}
+ "Authentication": "Password",
+ "Password": "{{ sshwifty_ssh_password }}",
+ {% else %}
+ "Authentication": "Private Key",
+ "Private Key": "file://{{ sshwifty_ssh_private_key }}",
+ {% endif %}
 {# "Fingerprint": "SHA256:bgO...." #}
+ "Encoding": "utf-8"
 }
 }
 ],
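Review bot: Both presets keep `"Fingerprint"` commented out, so sshwifty has no pinned host key for the mongo servers or the gateway and the `ssh-keyscan` output registered in setup_sshwifty.yml is never rendered here; either populate `"Fingerprint": "SHA256:..."` from that scan or state in a comment that host keys are unverified. `"Host": "{{ ansible_ssh_host }}:22"` uses the deprecated `ansible_ssh_host` alias, which is presumably undefined when the inventory sets `ansible_host` and would then fail the template; `ansible_host` or `ansible_facts['default_ipv4']['address']`, as already used for the mongo hosts, is safer. The loop's commented `{# "Fingerprint": home"SHA256:bgO...." #}` has a stray `home` in it. `mongo_replicas_count` is not defined in any vars file in this commit, so it must come from elsewhere; worth confirming it is set for every gateway host, since the template errors otherwise.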