Created a task for creating public FTP directory, created MOTD script transfer tasks

2025-11-16 13:51:47 -05:00
parent ea2346c41b
commit 4fad50c9dc
1 changed files with 32 additions and 6 deletions
--- a/roles/bootstrap/tasks/configure_ssh@linux.yml
+++ b/roles/bootstrap/tasks/configure_ssh@linux.yml
@@ -1,6 +1,24 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # tasks file for bootstrap
+- name: Create directory for MOTD update scripts
+  ansible.builtin.file:
+    force: true
+    group: root
+    owner: root
+    path: /etc/update-motd.d
+    state: directory
+- name: Create MOTD update scripts
+  ansible.builtin.copy:
+    force: true
+    backup: true
+    group: root
+    mode: "0744"
+    owner: root
+    dest: "/etc/update-motd.d/{{ item }}"
+    src: "update-motd.d/{{ item }}"
+    state: present
+  loop: "{{ hostvars[inventory_hostname].vps_service.ssh_motd_script_basenames }}"
 - name: Create hidden SSH directories under users' home directories
  when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups
  ansible.builtin.file:
@@ -17,7 +35,7 @@
  when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups and item.value.ssh_authorized_keys is not None and len(item.value.ssh_authorized_keys) > 0
  ansible.builtin.copy:
    backup: true
-    content: "{{ item.value.ssh_authorized_keys.join('\n') }}"
+    content: "{{ '\n'.join(item.value.ssh_authorized_keys) }}"
    dest: "{{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys"
    # follow: true
    force: true
@@ -29,21 +47,29 @@
    - ensure_files
 - name: Harden SSH security
  block:
+    - name: Create public subdirectory for SSH's SFTP-exclusive user's chroot
+      when: "'sftp' in item.value.services"
+      ansible.builtin.file:
+        group: "{{ item.value.group | default(item.value.username) }}"
+        owner: "{{ item.value.username }}"
+        path: "{{ item.value.home | default('/home/' ~ item.value.username) }}/public"
+        state: directory
+      loop: "{{ lookup('ansible.builtin.dict', hostvars[inventory_hostname].users) }}"
    - name: Set users in group ftp to only be usable with SSH's SFTP service 
      when: "'sftp' in item.value.services"
      ansible.builtin.blockinfile:
        backup: true
-        block: |
+        block: |2
+          Match User {{ item.value.username }}
+              ForceCommand internal-sftp -d /public
+              AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
+
          Match Group {{ item.value.group | default(item.value.username) }}
              ForceCommand internal-sftp -d /%u
              ChrootDirectory {{ item.value.home | default('/home/' ~ item.value.username) }}
              AllowAgentForwarding no
              AllowTcpForwarding no
              X11Forwarding no
-
-          Match User {{ item.value.username }}
-              ForceCommand internal-sftp -d /public
-              AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
        create: true
        group: root
        insertafter: EOF