ansible-repo/playbooks/ssh-certs/deploy-user-certs.yml
hogweed1 3ceebabb4a
ssh-certs hosts.
2026-05-21 03:27:52 +10:00

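---
# Deploys SSH user-certificate authentication on every targeted host.
#
# Flow:
#   1. Build `project_users` / `allowed_projects` from the host's group variables
#      (every `*_users` and `*_projects` variable reachable through `group_names`).
#   2. Create the local accounts and write one AuthorizedPrincipalsFile per user
#      containing the allowed project principals.
#   3. Grant passwordless sudo to users flagged with `sudo: true`.
#   4. Install the User CA public key and point sshd at it; restart sshd.
#
# Security notes for reviewers:
#   - sshd uses the FIRST value it sees for a keyword. blockinfile appends the
#     managed block at the end of sshd_config, so an earlier `PasswordAuthentication`
#     (or one pulled in via `Include /etc/ssh/sshd_config.d/*.conf` on Debian/Ubuntu)
#     silently wins over the block below. Verify the effective config on a host with
#     `sshd -T` rather than trusting the file contents.
#   - The `hogweed1` account is hard-coded into AllowUsers as a break-glass login so a
#     bad `project_users` computation cannot lock out every operator. Keep that in mind
#     when auditing who can log in.
#   - Every user in `project_users` with `sudo: true` gets `NOPASSWD:ALL`; this is a
#     full root grant and should be reviewed with the same care as the CA key itself.
- hosts: all
  become: true
  vars:
    # Path to the PUBLIC User CA key on the Ansible control node
    local_ssh_user_ca_pub_path: "/etc/step-ca/ssh_user_ca_key.pub"

  pre_tasks:
    - name: Динамический сбор и мерж пользователей изо всех групп хоста
      set_fact:
        # Look up variables named *_users (alpha_users, beta_users) for the host's groups
        # and merge them into one de-duplicated list of user dicts (name, sudo, ...).
        project_users: >-
          {{
            group_names
            | map('extract', hostvars[inventory_hostname])
            | map('dict2items') | flatten
            | selectattr('key', 'match', '.*_users$')
            | map(attribute='value') | flatten
            | unique
          }}
        # Look up variables named *_projects (alpha_projects, beta_projects) and
        # concatenate them into one list of certificate principals.
        allowed_projects: >-
          {{
            group_names
            | map('extract', hostvars[inventory_hostname])
            | map('dict2items') | flatten
            | selectattr('key', 'match', '.*_projects$')
            | map(attribute='value') | flatten
            | unique
          }}

    # Optional: print the resulting access matrix so a dry run shows who gets what
    - name: Дебаг получившейся матрицы доступов (Опционально)
      debug:
        msg: "Хост {{ inventory_hostname }} получит юзеров {{ project_users }} и принципалы {{ allowed_projects }}"

  tasks:
    # Directory referenced by AuthorizedPrincipalsFile; must be root-owned and not
    # group/world-writable or sshd will refuse to read the principals files.
    - name: Создание системной директории для принципалов
      file:
        path: /etc/ssh/auth_principals
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Создание локальных пользователей из списка проекта
      user:
        name: "{{ item.name }}"
        shell: /bin/bash
        create_home: true
        state: present
      loop: "{{ project_users }}"

    # One principals file per user, listing every project principal the host accepts.
    # A certificate is accepted only if one of its principals appears in this file.
    - name: Генерация файлов auth_principals с маппингом проектов
      copy:
        dest: "/etc/ssh/auth_principals/{{ item.name }}"
        content: "{{ allowed_projects | join('\n') }}\n"
        owner: root
        group: root
        mode: '0644'
      loop: "{{ project_users }}"

    # NOTE: sudo ignores files in /etc/sudoers.d whose names contain '.' or '~'
    # (see sudoers(5)); a user name with a dot would get a file that is silently
    # never loaded.
    # `sudo` is optional in the user dict: a missing key means "no sudo" instead of
    # aborting the play with an undefined-attribute error.
    - name: Настройка беспарольного sudo для администраторов проекта
      copy:
        dest: "/etc/sudoers.d/project-ssh-{{ item.name }}"
        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
        validate: /usr/sbin/visudo -cf %s
        mode: '0440'
      loop: "{{ project_users }}"
      when: item.sudo | default(false) | bool

    # sshd re-reads TrustedUserCAKeys on every connection, so rotating the CA key
    # does not require a restart.
    - name: Копирование публичного ключа User CA на хост
      copy:
        src: "{{ local_ssh_user_ca_pub_path }}"
        dest: /etc/ssh/ca.pub
        owner: root
        group: root
        mode: '0644'

    - name: Сбор имен всех разрешенных пользователей для AllowUsers
      set_fact:
        allow_users_list: "{{ project_users | map(attribute='name') | join(' ') }}"

    # `validate` runs sshd's config check on the candidate file before it is written,
    # so a malformed block cannot leave the host with an sshd that fails to restart.
    - name: Настройка sshd_config для авторизации пользователей по сертификатам
      blockinfile:
        path: /etc/ssh/sshd_config
        block: |
          TrustedUserCAKeys /etc/ssh/ca.pub
          AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
          AllowUsers {{ allow_users_list }} hogweed1
          PasswordAuthentication no
          PubkeyAuthentication yes
        marker: "# {mark} ANSIBLE MANAGED USER CERTIFICATE BLOCK #"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH

  handlers:
    - name: Restart SSH
      service:
        name: sshd
        state: restarted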