Created a task for creating public FTP directory, created MOTD script transfer tasks

This commit is contained in:
2025-11-16 13:51:47 -05:00
parent ea2346c41b
commit 4fad50c9dc


@@ -1,6 +1,24 @@
#SPDX-License-Identifier: MIT-0 #SPDX-License-Identifier: MIT-0
--- ---
# tasks file for bootstrap # tasks file for bootstrap
- name: Create directory for MOTD update scripts
ansible.builtin.file:
force: true
group: root
owner: root
path: /etc/update-motd.d
state: directory
- name: Create MOTD update scripts
ansible.builtin.copy:
force: true
backup: true
group: root
mode: "0744"
owner: root
dest: "/etc/update-motd.d/{{ item }}"
src: "update-motd.d/{{ item }}"
state: present
loop: "{{ hostvars[inventory_hostname].vps_service.ssh_motd_script_basenames }}"
- name: Create hidden SSH directories under users' home directories - name: Create hidden SSH directories under users' home directories
when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups
ansible.builtin.file: ansible.builtin.file:
@@ -17,7 +35,7 @@
when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups and item.value.ssh_authorized_keys is not None and len(item.value.ssh_authorized_keys) > 0 when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups and item.value.ssh_authorized_keys is not None and len(item.value.ssh_authorized_keys) > 0
ansible.builtin.copy: ansible.builtin.copy:
backup: true backup: true
content: "{{ item.value.ssh_authorized_keys.join('\n') }}" content: "{{ '\n'.join(item.value.ssh_authorized_keys) }}"
dest: "{{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys" dest: "{{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys"
# follow: true # follow: true
force: true force: true
@@ -29,21 +47,29 @@
- ensure_files - ensure_files
- name: Harden SSH security - name: Harden SSH security
block: block:
- name: Create public subdirectory for SSH's SFTP-exclusive user's chroot
when: "'sftp' in item.value.services"
ansible.builtin.file:
group: "{{ item.value.group | default(item.value.username) }}"
owner: "{{ item.value.username }}"
path: "{{ item.value.home | default('/home/' ~ item.value.username) }}/public"
state: directory
loop: "{{ lookup('ansible.builtin.dict', hostvars[inventory_hostname].users) }}"
- name: Set users in group ftp to only be usable with SSH's SFTP service - name: Set users in group ftp to only be usable with SSH's SFTP service
when: "'sftp' in item.value.services" when: "'sftp' in item.value.services"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
backup: true backup: true
block: | block: |2
Match User {{ item.value.username }}
ForceCommand internal-sftp -d /public
AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
Match Group {{ item.value.group | default(item.value.username) }} Match Group {{ item.value.group | default(item.value.username) }}
ForceCommand internal-sftp -d /%u ForceCommand internal-sftp -d /%u
ChrootDirectory {{ item.value.home | default('/home/' ~ item.value.username) }} ChrootDirectory {{ item.value.home | default('/home/' ~ item.value.username) }}
AllowAgentForwarding no AllowAgentForwarding no
AllowTcpForwarding no AllowTcpForwarding no
X11Forwarding no X11Forwarding no
Match User {{ item.value.username }}
ForceCommand internal-sftp -d /public
AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
create: true create: true
group: root group: root
insertafter: EOF insertafter: EOF