From 319ab064370cb1e65be115ffddf5c0cd519af2dd Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Wed, 4 May 2022 12:05:39 +0200
Subject: Add a playbook for sshd configuration
---
playbooks.d/ssh/description.txt | 1 +
playbooks.d/ssh/etc/defaults | 2 ++
playbooks.d/ssh/etc/os.d/freebsd | 1 +
playbooks.d/ssh/etc/os.d/linux-gentoo | 1 +
playbooks.d/ssh/playbook.bash | 28 ++++++++++++++++++++++++++++
playbooks.d/ssh/share/motd | 8 ++++++++
playbooks.d/ssh/share/sshd_config | 27 +++++++++++++++++++++++++++
registry.d/anoia.tyil.net | 1 +
8 files changed, 69 insertions(+)
create mode 100644 playbooks.d/ssh/description.txt
create mode 100644 playbooks.d/ssh/etc/defaults
create mode 100644 playbooks.d/ssh/etc/os.d/freebsd
create mode 100644 playbooks.d/ssh/etc/os.d/linux-gentoo
create mode 100644 playbooks.d/ssh/playbook.bash
create mode 100644 playbooks.d/ssh/share/motd
create mode 100644 playbooks.d/ssh/share/sshd_config
diff --git a/playbooks.d/ssh/description.txt b/playbooks.d/ssh/description.txt
new file mode 100644
index 0000000..0e5210f
--- /dev/null
+++ b/playbooks.d/ssh/description.txt
@@ -0,0 +1 @@
+OpenSSH configuration
diff --git a/playbooks.d/ssh/etc/defaults b/playbooks.d/ssh/etc/defaults
new file mode 100644
index 0000000..2140397
--- /dev/null
+++ b/playbooks.d/ssh/etc/defaults
@@ -0,0 +1,2 @@
+ssh.sftp=/usr/lib/openssh/sftp-server
+svc.sshd=sshd
diff --git a/playbooks.d/ssh/etc/os.d/freebsd b/playbooks.d/ssh/etc/os.d/freebsd
new file mode 100644
index 0000000..47805db
--- /dev/null
+++ b/playbooks.d/ssh/etc/os.d/freebsd
@@ -0,0 +1 @@
+ssh.sftp=/usr/lib64/misc/sftp-server
diff --git a/playbooks.d/ssh/etc/os.d/linux-gentoo b/playbooks.d/ssh/etc/os.d/linux-gentoo
new file mode 100644
index 0000000..47805db
--- /dev/null
+++ b/playbooks.d/ssh/etc/os.d/linux-gentoo
@@ -0,0 +1 @@
+ssh.sftp=/usr/lib64/misc/sftp-server
diff --git a/playbooks.d/ssh/playbook.bash b/playbooks.d/ssh/playbook.bash
new file mode 100644
index 0000000..b391b9d
--- /dev/null
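Review bot: The FreeBSD override in playbooks.d/ssh/etc/os.d/freebsd sets `ssh.sftp=/usr/lib64/misc/sftp-server`, which is the Gentoo location, while FreeBSD's base-system OpenSSH installs the helper at `/usr/libexec/sftp-server`. Both os.d files carry the same blob id (47805db), so the freebsd value looks like a copy of the gentoo one rather than a deliberate choice. With a wrong path sshd still starts, but every `Subsystem sftp` request fails at runtime, and the error only shows up in the client. Unless these hosts run OpenSSH from ports, the line should read `ssh.sftp=/usr/libexec/sftp-server`.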
+++ b/playbooks.d/ssh/playbook.bash
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+playbook_add() {
+ svc enable "sshd"
+ svc start "sshd"
+
+ playbook_sync
+}
+
+playbook_sync() {
+ file_template sshd_config \
+ "sftp=$(config "ssh.sftp")" \
+ > /etc/ssh/sshd_config
+
+ file_template "motd" \
+ "fqdn=${BASHTARD_PLATFORM[fqdn]}" \
+ "time=$(date -u "+%FT%T")" \
+ > /etc/motd
+
+ [[ $BASHTARD_COMMAND == "add" ]] && return
+
+ svc reload "sshd"
+}
+
+playbook_del() {
+ svc stop "sshd"
+ svc disable "sshd"
+}
diff --git a/playbooks.d/ssh/share/motd b/playbooks.d/ssh/share/motd
new file mode 100644
index 0000000..7fc4e34
--- /dev/null
+++ b/playbooks.d/ssh/share/motd
@@ -0,0 +1,8 @@
+ ████████╗██╗ ██╗██╗██╗ ███╗ ██╗███████╗████████╗
+ ╚══██╔══╝╚██╗ ██╔╝██║██║ ████╗ ██║██╔════╝╚══██╔══╝
+ ██║ ╚████╔╝ ██║██║ ██╔██╗ ██║█████╗ ██║
+ ██║ ╚██╔╝ ██║██║ ██║╚██╗██║██╔══╝ ██║
+ ██║ ██║ ██║███████╗██╗██║ ╚████║███████╗ ██║
+ ╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝╚═╝ ╚═══╝╚══════╝ ╚═╝
+
+Welcome to ${fqdn}, last updated on ${time}.
diff --git a/playbooks.d/ssh/share/sshd_config b/playbooks.d/ssh/share/sshd_config
new file mode 100644
index 0000000..97bea2e
--- /dev/null
+++ b/playbooks.d/ssh/share/sshd_config
@@ -0,0 +1,27 @@
+# Connectivity
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+# Fluff
+PrintMotd yes
+
+# SFTP
+Subsystem sftp ${sftp}
+
+# Authentication
+AuthorizedKeysFile /etc/ssh/authorized_keys .ssh/authorized_keys
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication no
+
+# Allow tyil
+Match User tyil
+ PubkeyAuthentication yes
+
+# Allow public key authentication over VPN
+Match Address 10.57.0.0/16
+ PubkeyAuthentication yes
+ PermitRootLogin prohibit-password
diff --git a/registry.d/anoia.tyil.net b/registry.d/anoia.tyil.net
index 98cfbf8..c1bd6f1 100644
--- a/registry.d/anoia.tyil.net
+++ b/registry.d/anoia.tyil.net
@@ -1 +1,2 @@
+ssh
 vpn-tinc
-- 
cgit v1.1
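Review bot: `playbook_sync` redirects the rendered template straight onto `/etc/ssh/sshd_config` and then calls `svc reload "sshd"` without validating the result, so a bad template value (an empty `ssh.sftp`, a typo in share/sshd_config) is installed before anyone notices, and on a host that is itself managed over ssh the next reload or restart is the moment remote access is lost. The redirect also truncates the live file first, so a failing `file_template` leaves an empty config behind. Rendering to a temporary file, checking it with `sshd -t -f`, and only then moving it into place keeps the previous config until the new one is known-good. Separately, `playbook_add` starts sshd before `playbook_sync` has written the config and the `[[ $BASHTARD_COMMAND == "add" ]] && return` then skips the reload, so after an `add` the daemon keeps running with whatever config it started on until the next sync; calling `playbook_sync` before `svc enable`/`svc start` in `playbook_add` would fix that ordering.
```bash
playbook_sync() {
	local tmp
	tmp="$(mktemp /etc/ssh/sshd_config.XXXXXX)" || return 1

	file_template sshd_config \
		"sftp=$(config "ssh.sftp")" \
		> "$tmp"

	# Refuse to install a config that sshd itself rejects: a broken
	# sshd_config turns the next reload/restart into a lockout.
	if ! sshd -t -f "$tmp"; then
		rm -f "$tmp"
		return 1
	fi
	mv "$tmp" /etc/ssh/sshd_config

	# … unchanged: motd template, add-command early return, svc reload …
}
```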
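Review bot: `AuthorizedKeysFile /etc/ssh/authorized_keys .ssh/authorized_keys` names one system-wide file with no `%u` token, so every key listed there is accepted for every account that is allowed public-key authentication, including root inside the `Match Address 10.57.0.0/16` block where `PermitRootLogin prohibit-password` applies. If the intent is a central key store, a per-user path such as `AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u .ssh/authorized_keys` keeps user keys from also being root keys on the VPN range. A short comment above the two `Match` blocks stating that `tyil` may authenticate from any address while all other accounts (root included) only from the VPN would make the intended policy explicit for the next reader. `ChallengeResponseAuthentication` is the older spelling of `KbdInteractiveAuthentication`; it is still accepted, so this is optional.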