Move sshd conf to .d/, split variables into host, add correct sftp folder permissions
This commit is contained in:
parent
6d67b3e15a
commit
f183e4cd51
@ -1,3 +1,6 @@
|
||||
---
|
||||
sftp_root: "/var/sftp" # no trailing /
|
||||
|
||||
# temporary fix for https://github.com/ansible/ansible/issues/8603
|
||||
_lizmap_version: 3.7.6
|
||||
|
||||
@ -15,7 +18,7 @@ postgresql_server:
|
||||
password: # TODO: link to vault?
|
||||
|
||||
qgis_server:
|
||||
path: "/var/www/qgis-server"
|
||||
path: "/var/www/qgis-server" # no trailing /
|
||||
user: "www-data"
|
||||
group: "www-data"
|
||||
port: 3030
|
||||
@ -30,7 +33,7 @@ lizmap:
|
||||
password: # TODO: link to vault?
|
||||
version: "{{ _lizmap_version }}"
|
||||
path: "/var/www/"
|
||||
root_repositories: "/var/sftp/qgis-projects"
|
||||
root_repositories: "{{ sftp_root }}/qgis-projects" # no trailing /
|
||||
url: "https://github.com/3liz/lizmap-web-client/releases/download/{{ _lizmap_version }}/lizmap-web-client-{{ _lizmap_version }}.zip"
|
||||
hash: "sha512:38e388a0e3c8e2f592c2d2ec0bbb4a591c9abccb8632e6fba080cbd099b693da0c849b19e2148ee2ad8c3d5a38983381d1796063047828c0889e6ee8b4002b33"
|
||||
dependencies:
|
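--- /dev/null
+++ b/host_vars/secrets.yaml.template
@@ -0,0 +1,7 @@
+---
+# use long, complex, securely generated passwords (preferably A-z0-9 ) and do not quote
+ansible_become_pass:
+os_postgresql_user_pass:
+os_publisher_user_pass:
+lizmap_admin_pass:
+postgresql_lizmap_pass: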
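Review bot: The header comment tells operators to leave the passwords unquoted, which is exactly where YAML implicit typing bites: a generated secret that is all digits, looks like `1e5`, or starts with `*`, `&`, `#`, `!`, `%` or `@` is retyped or fails to parse, and a bare `key:` yields `null` rather than an empty string. Reword it to ask for single-quoted values, and note that `A-z` as a character range also covers `[\]^_\``, so `A-Za-z0-9` is what is meant: `# single-quote every value ('...'); use long, randomly generated passwords (A-Za-z0-9 is safest)`. Since the filled-in copy lands in `host_vars/`, it should be encrypted with `ansible-vault encrypt` and listed in `.gitignore`, which would also close the `TODO: link to vault?` left in the shared vars.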
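--- /dev/null
+++ b/host_vars/variables.yaml.template
@@ -0,0 +1,3 @@
+---
+# you have to generate the SSH-keys yourself
+publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_hostname }}.pub"]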
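Review bot: `publisher_ssh_keys` is built from `ansible_hostname`, a gathered fact, so this host var only resolves after fact gathering has run (it breaks with `gather_facts: false` or when referenced before the host's first task); `inventory_hostname` is always defined and matches the `id_publisher@debian-gis.pub` naming the inventory used before this change. Consider `publisher_ssh_keys: ["~/.ssh/id_publisher@{{ inventory_hostname }}.pub"]` and extend the comment with the exact command, e.g. `# generate with: ssh-keygen -t ed25519 -f ~/.ssh/id_publisher@<host>`; whether `~` is expanded here depends on the consuming task, which is not visible in this diff.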
@ -3,10 +3,4 @@ testing:
|
||||
hosts:
|
||||
debian-gis:
|
||||
ansible_host: debian-gis
|
||||
ansible_become_pass: "{{ testing['hosts']['debian-gis']['ansible_become_pass'] }}"
|
||||
os_postgresql_user_pass: "{{ testing['hosts']['debian-gis']['os_postgresql_user_pass'] }}"
|
||||
os_publisher_user_pass: "{{ testing['hosts']['debian-gis']['os_publisher_user_pass'] }}"
|
||||
lizmap_admin_pass: "{{ testing['hosts']['debian-gis']['lizmap_admin_pass'] }}"
|
||||
postgresql_lizmap_pass: "{{ testing['hosts']['debian-gis']['postgresql_lizmap_pass'] }}"
|
||||
publisher_ssh_keys: ["~/.ssh/id_publisher@debian-gis.pub"]
|
||||
|
||||
|
@ -22,6 +22,13 @@
|
||||
name: "php{{ php['version'] }}-fpm"
|
||||
state: restarted
|
||||
|
||||
- name: Ensure incron is restarted and enabled
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: incron
|
||||
state: restarted
|
||||
enabled: true
|
||||
|
||||
tasks:
|
||||
- name: Ensure valid apt cache and required tools are present
|
||||
become: true
|
||||
@ -36,6 +43,7 @@
|
||||
- software-properties-common
|
||||
- postgresql
|
||||
- acl # bug: https://github.com/ansible/ansible/issues/74830
|
||||
- incron
|
||||
state: present
|
||||
|
||||
- name: Ensure qgis-server is valid
|
||||
@ -402,6 +410,8 @@
|
||||
user: "publisher"
|
||||
password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
|
||||
update_password: on_create
|
||||
umask: u=rwX,g=rwX,o=
|
||||
append: true
|
||||
groups:
|
||||
- sftp
|
||||
|
||||
@ -409,9 +419,20 @@
|
||||
become: true
|
||||
ansible.builtin.user:
|
||||
user: "www-data"
|
||||
append: true
|
||||
groups:
|
||||
- sftp
|
||||
|
||||
- name: Ensure lizmap root repositories has correct rights
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
dest: "{{ sftp_root }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rwX,g=rX,o=rX
|
||||
recurse: true
|
||||
|
||||
- name: Ensure lizmap root repositories exists
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
@ -419,15 +440,39 @@
|
||||
state: directory
|
||||
owner: "publisher"
|
||||
group: sftp
|
||||
mode: u=rwX,g=rwX,o=r
|
||||
mode: u=rwX,g=rwXs,o=
|
||||
|
||||
- name: Ensure incron is latest
|
||||
notify:
|
||||
- Ensure incron is restarted and enabled
|
||||
become: true
|
||||
block:
|
||||
- name: Ensure incron for root is enabled
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/incron.allow
|
||||
block: "root"
|
||||
create: true
|
||||
owner: root
|
||||
group: incron
|
||||
mode: u=rw,g=r,o=
|
||||
backup: true
|
||||
|
||||
- name: Ensure incron task for root is latest
|
||||
ansible.builtin.blockinfile:
|
||||
path: /var/spool/incron/root
|
||||
block: "{{ lizmap['root_repositories'] }} IN_ATTRIB,IN_CREATE,IN_MOVED_TO chmod g+rw $@/$#"
|
||||
create: true
|
||||
owner: root
|
||||
group: incron
|
||||
mode: u=rw,g=,o=
|
||||
|
||||
- name: Ensure sshd config is latest
|
||||
notify:
|
||||
- "Ensure OpenSSH is restarted"
|
||||
become: true
|
||||
ansible.builtin.template:
|
||||
src: ./templates/sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
src: ./templates/sshd_hardened.conf.j2
|
||||
dest: /etc/ssh/sshd_config.d/sshd_hardened.conf
|
||||
backup: true
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
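Review bot: The incron rule written to `/var/spool/incron/root` makes root run `chmod g+rw $@/$#` on anything that appears under `{{ lizmap['root_repositories'] }}`, and chmod dereferences symlinks; internal-sftp honours symlink requests unless they are blacklisted, so the chrooted `publisher` account can drop `qgis-projects/x -> /etc/<target>` and have root relax the group bits on an arbitrary file outside the chroot. Prefer removing the watcher and giving the sftp session its umask directly (`ForceCommand internal-sftp -u 002` in the sshd template, which together with the setgid bit this hunk sets via `g=rwXs` yields group-writable uploads at creation), or at minimum keep root off user-controlled paths with `-P symlink,hardlink`. Separately, `Ensure lizmap root repositories has correct rights` applies `owner: root`, `group: root` and `g=rX` with `recurse: true` to `{{ sftp_root }}`, so every run re-owns and write-protects what the publisher already uploaded under `qgis-projects`, and the following task, as far as the hunk shows, resets only the top directory; the chroot requirement covers the chroot directory and its parents only, so drop `recurse: true`. The drop-in template task should also carry `validate: "/usr/sbin/sshd -t -f %s"` so a malformed `sshd_hardened.conf` is rejected before the restart handler takes sshd down.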
@ -1,13 +1,14 @@
|
||||
# @path: /etc/ssh/sshd_config
|
||||
# @path: /etc/ssh/sshd_config.d/sshd_hardened.conf
|
||||
# @permission: -rw-r--r-- 1 root root
|
||||
|
||||
# Disallow passwords
|
||||
PasswordAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
|
||||
# Restrict user to sftp server (no shell)
|
||||
Match User publisher
|
||||
ForceCommand internal-sftp
|
||||
ChrootDirectory "{{ lizmap['root_repositories'] }}"
|
||||
ChrootDirectory {{ sftp_root }}
|
||||
PermitTunnel no
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
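Review bot: Moving these settings into a drop-in changes their precedence: sshd keeps the first value it reads for a keyword, and the stock Debian `sshd_config` ships an `Include /etc/ssh/sshd_config.d/*.conf` that is expanded in lexical order, so any drop-in sorting before `sshd_hardened.conf` (a `50-cloud-init.conf` with `PasswordAuthentication yes` on cloud images is the usual case) silently wins over the `PasswordAuthentication no` here. Name the file so it sorts first (e.g. `00-sshd_hardened.conf`, updating the playbook `dest` and the `@path` comment) and check the effective result with `sshd -T -C user=publisher | grep -iE 'passwordauthentication|chrootdirectory|forcecommand'`. `ForceCommand internal-sftp` also runs with sshd's default umask, which is what forces the playbook to fix up uploads from a root-run incron job; `ForceCommand internal-sftp -u 002 -P symlink,hardlink` gives group-writable uploads at creation (the directory's setgid bit supplies the group) and stops the chrooted user from planting links for root-run tools to follow. `PermitTTY no` and `X11Forwarding no` would round out the Match block next to the existing forwarding restrictions.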