c1c221cda8
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 0s
70 lines
2.4 KiB
YAML
70 lines
2.4 KiB
YAML
- hosts: all
|
||
become: yes
|
||
vars:
|
||
# Путь к ПУБЛИЧНОМУ ключу User CA на вашей Ansible-машине
|
||
local_ssh_user_ca_pub_path: "/etc/step-ca/ssh_user_ca_key.pub"
|
||
|
||
tasks:
|
||
- name: Создание системной директории для принципалов
|
||
file:
|
||
path: /etc/ssh/auth_principals
|
||
state: directory
|
||
owner: root
|
||
group: root
|
||
mode: '0755'
|
||
|
||
- name: Создание локальных пользователей из списка проекта
|
||
user:
|
||
name: "{{ item.name }}"
|
||
shell: /bin/bash
|
||
create_home: yes
|
||
state: present
|
||
loop: "{{ project_users }}"
|
||
|
||
- name: Генерация файлов auth_principals с маппингом проектов
|
||
copy:
|
||
dest: "/etc/ssh/auth_principals/{{ item.name }}"
|
||
content: "{{ allowed_projects | join('\n') }}\n"
|
||
owner: root
|
||
group: root
|
||
mode: '0644'
|
||
loop: "{{ project_users }}"
|
||
|
||
- name: Настройка беспарольного sudo для администраторов проекта
|
||
copy:
|
||
dest: "/etc/sudoers.d/project-ssh-{{ item.name }}"
|
||
content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
|
||
validate: /usr/sbin/visudo -cf %s
|
||
mode: '0440'
|
||
loop: "{{ project_users }}"
|
||
when: item.sudo | bool
|
||
|
||
- name: Копирование публичного ключа User CA на хост
|
||
copy:
|
||
src: "{{ local_ssh_user_ca_pub_path }}"
|
||
dest: /etc/ssh/ca.pub
|
||
owner: root
|
||
group: root
|
||
mode: '0644'
|
||
|
||
- name: Сбор имен всех разрешенных пользователей для AllowUsers
|
||
set_fact:
|
||
allow_users_list: "{{ project_users | map(attribute='name') | join(' ') }}"
|
||
|
||
- name: Настройка sshd_config для авторизации пользователей по сертификатам
|
||
blockinfile:
|
||
path: /etc/ssh/sshd_config
|
||
block: |
|
||
TrustedUserCAKeys /etc/ssh/ca.pub
|
||
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
|
||
AllowUsers {{ allow_users_list }} hogweed1
|
||
PasswordAuthentication no
|
||
PubkeyAuthentication yes
|
||
marker: "# {mark} ANSIBLE MANAGED USER CERTIFICATE BLOCK #"
|
||
notify: Restart SSH
|
||
|
||
handlers:
|
||
- name: Restart SSH
|
||
service:
|
||
name: sshd
|
||
state: restarted |