Move sshd conf to .d/, split variables into host, add correct sftp folder permissions

group_vars/all.yaml

@@ -1,3 +1,6 @@
+---
+sftp_root: "/var/sftp" # no trailing /
+
 # temporary fix for https://github.com/ansible/ansible/issues/8603
 _lizmap_version: 3.7.6
 
@@ -15,7 +18,7 @@ postgresql_server:
   password: # TODO: link to vault?
 
 qgis_server:
-  path: "/var/www/qgis-server"
+  path: "/var/www/qgis-server" # no trailing /
   user: "www-data"
   group: "www-data"
   port: 3030
@@ -30,7 +33,7 @@ lizmap:
     password:  # TODO: link to vault?
   version: "{{ _lizmap_version }}"
   path: "/var/www/"
-  root_repositories: "/var/sftp/qgis-projects"
+  root_repositories: "{{ sftp_root }}/qgis-projects" # no trailing /
   url: "https://github.com/3liz/lizmap-web-client/releases/download/{{ _lizmap_version }}/lizmap-web-client-{{ _lizmap_version }}.zip"
   hash: "sha512:38e388a0e3c8e2f592c2d2ec0bbb4a591c9abccb8632e6fba080cbd099b693da0c849b19e2148ee2ad8c3d5a38983381d1796063047828c0889e6ee8b4002b33"
   dependencies:

host_vars/secrets.yaml.template

@@ -0,0 +1,7 @@
+---
+# use long, complex, securely generated passwords (preferably A-z0-9 ) and do not quote
+ansible_become_pass: 
+os_postgresql_user_pass: 
+os_publisher_user_pass: 
+lizmap_admin_pass: 
+postgresql_lizmap_pass: 

host_vars/variables.yaml.template

@@ -0,0 +1,3 @@
+---
+# you have to generate the SSH-keys yourself
+publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_hostname }}.pub"]

inventory.yaml

@@ -3,10 +3,4 @@ testing:
   hosts:
     debian-gis:
       ansible_host: debian-gis
-      ansible_become_pass: "{{ testing['hosts']['debian-gis']['ansible_become_pass'] }}"
-      os_postgresql_user_pass: "{{ testing['hosts']['debian-gis']['os_postgresql_user_pass'] }}"
-      os_publisher_user_pass: "{{ testing['hosts']['debian-gis']['os_publisher_user_pass'] }}"
-      lizmap_admin_pass: "{{ testing['hosts']['debian-gis']['lizmap_admin_pass'] }}"
-      postgresql_lizmap_pass: "{{ testing['hosts']['debian-gis']['postgresql_lizmap_pass'] }}"
-      publisher_ssh_keys: ["~/.ssh/id_publisher@debian-gis.pub"]
 

playbook.yaml

@@ -22,6 +22,13 @@
         name: "php{{ php['version'] }}-fpm"
         state: restarted
 
+    - name: Ensure incron is restarted and enabled
+      become: true
+      ansible.builtin.systemd:
+        name: incron
+        state: restarted
+        enabled: true
+
   tasks:
     - name: Ensure valid apt cache and required tools are present
       become: true
@@ -36,6 +43,7 @@
           - software-properties-common
           - postgresql
           - acl # bug: https://github.com/ansible/ansible/issues/74830
+          - incron
         state: present
 
     - name: Ensure qgis-server is valid
@@ -402,6 +410,8 @@
         user: "publisher"
         password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
         update_password: on_create
+        umask: u=rwX,g=rwX,o=
+        append: true
         groups:
           - sftp
 
@@ -409,9 +419,20 @@
       become: true
       ansible.builtin.user:
         user: "www-data"
+        append: true
         groups:
           - sftp
 
+    - name: Ensure lizmap root repositories has correct rights
+      become: true
+      ansible.builtin.file:
+        dest: "{{ sftp_root }}"
+        state: directory
+        owner: root
+        group: root
+        mode: u=rwX,g=rX,o=rX
+        recurse: true
+
     - name: Ensure lizmap root repositories exists
       become: true
       ansible.builtin.file:
@@ -419,15 +440,39 @@
         state: directory
         owner: "publisher"
         group: sftp
-        mode: u=rwX,g=rwX,o=r
+        mode: u=rwX,g=rwXs,o=
+
+    - name: Ensure incron is latest
+      notify:
+        - Ensure incron is restarted and enabled
+      become: true
+      block:
+        - name: Ensure incron for root is enabled
+          ansible.builtin.blockinfile:
+            path: /etc/incron.allow
+            block: "root"
+            create: true
+            owner: root
+            group: incron
+            mode: u=rw,g=r,o=
+            backup: true
+
+        - name: Ensure incron task for root is latest
+          ansible.builtin.blockinfile:
+            path: /var/spool/incron/root
+            block: "{{ lizmap['root_repositories'] }}  IN_ATTRIB,IN_CREATE,IN_MOVED_TO chmod g+rw $@/$#"
+            create: true
+            owner: root
+            group: incron
+            mode: u=rw,g=,o=
 
     - name: Ensure sshd config is latest
       notify:
         - "Ensure OpenSSH is restarted"
       become: true
       ansible.builtin.template:
-        src: ./templates/sshd_config.j2
+        src: ./templates/sshd_hardened.conf.j2
-        dest: /etc/ssh/sshd_config
+        dest: /etc/ssh/sshd_config.d/sshd_hardened.conf
         backup: true
         owner: root
         mode: u=rw,g=r,o=r

templates/sshd_hardened.conf.j2

@@ -1,13 +1,14 @@
-# @path: /etc/ssh/sshd_config
+# @path: /etc/ssh/sshd_config.d/sshd_hardened.conf
 # @permission: -rw-r--r-- 1 root root
 
 # Disallow passwords
 PasswordAuthentication no
+PubkeyAuthentication yes
 
 # Restrict user to sftp server (no shell)
 Match User publisher
     ForceCommand internal-sftp
-    ChrootDirectory "{{ lizmap['root_repositories'] }}"
+    ChrootDirectory {{ sftp_root }}
     PermitTunnel no
     AllowAgentForwarding no
     AllowTcpForwarding no