Move sshd conf to .d/, split variables into host, add correct sftp folder permissions

2024-05-31 16:52:50 +02:00 · 2024-05-31 16:52:50 +02:00 · f183e4cd51
parent 6d67b3e15a
commit f183e4cd51
6 changed files with 66 additions and 13 deletions
--- a/variables/public.yaml
+++ b/variables/public.yaml
@ -1,3 +1,6 @@
+---
+sftp_root: "/var/sftp" # no trailing /
+
 # temporary fix for https://github.com/ansible/ansible/issues/8603
 _lizmap_version: 3.7.6

@ -15,7 +18,7 @@ postgresql_server:
  password: # TODO: link to vault?

 qgis_server:
-  path: "/var/www/qgis-server"
+  path: "/var/www/qgis-server" # no trailing /
  user: "www-data"
  group: "www-data"
  port: 3030
@ -30,7 +33,7 @@ lizmap:
    password:  # TODO: link to vault?
  version: "{{ _lizmap_version }}"
  path: "/var/www/"
-  root_repositories: "/var/sftp/qgis-projects"
+  root_repositories: "{{ sftp_root }}/qgis-projects" # no trailing /
  url: "https://github.com/3liz/lizmap-web-client/releases/download/{{ _lizmap_version }}/lizmap-web-client-{{ _lizmap_version }}.zip"
  hash: "sha512:38e388a0e3c8e2f592c2d2ec0bbb4a591c9abccb8632e6fba080cbd099b693da0c849b19e2148ee2ad8c3d5a38983381d1796063047828c0889e6ee8b4002b33"
  dependencies:
--- a/host_vars/secrets.yaml.template
+++ b/host_vars/secrets.yaml.template
@ -0,0 +1,7 @@
+---
+# use long, complex, securely generated passwords (preferably A-z0-9 ) and do not quote
+ansible_become_pass: 
+os_postgresql_user_pass: 
+os_publisher_user_pass: 
+lizmap_admin_pass: 
+postgresql_lizmap_pass: 
--- a/host_vars/variables.yaml.template
+++ b/host_vars/variables.yaml.template
@ -0,0 +1,3 @@
+---
+# you have to generate the SSH-keys yourself
+publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_hostname }}.pub"]
--- a/inventory.yaml
+++ b/inventory.yaml
@ -3,10 +3,4 @@ testing:
  hosts:
    debian-gis:
      ansible_host: debian-gis
-      ansible_become_pass: "{{ testing['hosts']['debian-gis']['ansible_become_pass'] }}"
-      os_postgresql_user_pass: "{{ testing['hosts']['debian-gis']['os_postgresql_user_pass'] }}"
-      os_publisher_user_pass: "{{ testing['hosts']['debian-gis']['os_publisher_user_pass'] }}"
-      lizmap_admin_pass: "{{ testing['hosts']['debian-gis']['lizmap_admin_pass'] }}"
-      postgresql_lizmap_pass: "{{ testing['hosts']['debian-gis']['postgresql_lizmap_pass'] }}"
-      publisher_ssh_keys: ["~/.ssh/id_publisher@debian-gis.pub"]

--- a/playbook.yaml
+++ b/playbook.yaml
@ -22,6 +22,13 @@
        name: "php{{ php['version'] }}-fpm"
        state: restarted

+    - name: Ensure incron is restarted and enabled
+      become: true
+      ansible.builtin.systemd:
+        name: incron
+        state: restarted
+        enabled: true
+
  tasks:
    - name: Ensure valid apt cache and required tools are present
      become: true
@ -36,6 +43,7 @@
          - software-properties-common
          - postgresql
          - acl # bug: https://github.com/ansible/ansible/issues/74830
+          - incron
        state: present

    - name: Ensure qgis-server is valid
@ -402,6 +410,8 @@
        user: "publisher"
        password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
        update_password: on_create
+        umask: u=rwX,g=rwX,o=
+        append: true
        groups:
          - sftp

@ -409,9 +419,20 @@
      become: true
      ansible.builtin.user:
        user: "www-data"
+        append: true
        groups:
          - sftp

+    - name: Ensure lizmap root repositories has correct rights
+      become: true
+      ansible.builtin.file:
+        dest: "{{ sftp_root }}"
+        state: directory
+        owner: root
+        group: root
+        mode: u=rwX,g=rX,o=rX
+        recurse: true
+
    - name: Ensure lizmap root repositories exists
      become: true
      ansible.builtin.file:
@ -419,15 +440,39 @@
        state: directory
        owner: "publisher"
        group: sftp
-        mode: u=rwX,g=rwX,o=r
+        mode: u=rwX,g=rwXs,o=
+
+    - name: Ensure incron is latest
+      notify:
+        - Ensure incron is restarted and enabled
+      become: true
+      block:
+        - name: Ensure incron for root is enabled
+          ansible.builtin.blockinfile:
+            path: /etc/incron.allow
+            block: "root"
+            create: true
+            owner: root
+            group: incron
+            mode: u=rw,g=r,o=
+            backup: true
+
+        - name: Ensure incron task for root is latest
+          ansible.builtin.blockinfile:
+            path: /var/spool/incron/root
+            block: "{{ lizmap['root_repositories'] }}  IN_ATTRIB,IN_CREATE,IN_MOVED_TO chmod g+rw $@/$#"
+            create: true
+            owner: root
+            group: incron
+            mode: u=rw,g=,o=

    - name: Ensure sshd config is latest
      notify:
        - "Ensure OpenSSH is restarted"
      become: true
      ansible.builtin.template:
-        src: ./templates/sshd_config.j2
-        dest: /etc/ssh/sshd_config
+        src: ./templates/sshd_hardened.conf.j2
+        dest: /etc/ssh/sshd_config.d/sshd_hardened.conf
        backup: true
        owner: root
        mode: u=rw,g=r,o=r
--- a/templates/sshd_hardened.conf.j2
+++ b/templates/sshd_hardened.conf.j2
@ -1,13 +1,14 @@
-# @path: /etc/ssh/sshd_config
+# @path: /etc/ssh/sshd_config.d/sshd_hardened.conf
 # @permission: -rw-r--r-- 1 root root

 # Disallow passwords
 PasswordAuthentication no
+PubkeyAuthentication yes

 # Restrict user to sftp server (no shell)
 Match User publisher
    ForceCommand internal-sftp
-    ChrootDirectory "{{ lizmap['root_repositories'] }}"
+    ChrootDirectory {{ sftp_root }}
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no