chore: move out system roles
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
6a732703f7
commit
281b95d824
19 changed files with 27 additions and 27 deletions
|
@ -7,11 +7,11 @@ desktops:
|
|||
ohm:
|
||||
|
||||
vars:
|
||||
system_sshd_port: 22
|
||||
system_sshd_sign_host_keys: false
|
||||
system_sshd_auth_password_authentication: "yes"
|
||||
sshd_port: 22
|
||||
sshd_sign_host_keys: false
|
||||
sshd_auth_password_authentication: "yes"
|
||||
|
||||
system_flatpak_apps:
|
||||
flatpak_apps:
|
||||
- "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
|
||||
- com.discordapp.Discord
|
||||
- com.spotify.Client
|
||||
|
|
|
@ -17,22 +17,22 @@
|
|||
become: true
|
||||
|
||||
# Enable Cockpit
|
||||
- role: system/cockpit
|
||||
- role: cockpit
|
||||
become: true
|
||||
tags: cockpit
|
||||
|
||||
# Enable Flathub repository and install configured flatpaks
|
||||
- role: system/flatpak
|
||||
- role: flatpak
|
||||
when: ansible_distribution != "Ubuntu"
|
||||
tags: flatpak
|
||||
|
||||
# Install Podman and configure UIDs/GIDs for rootless usage
|
||||
- role: system/podman
|
||||
- role: podman
|
||||
become: true
|
||||
tags: podman
|
||||
|
||||
# Install and configure SSH server
|
||||
- role: system/sshd
|
||||
- role: sshd
|
||||
become: true
|
||||
tags: sshd
|
||||
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
# Boolean variable that adjust the Cockpit config when it's being served via
|
||||
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
|
||||
# and checks for SSL/TLS connections)
|
||||
system_cockpit_has_reverse_proxy: false
|
||||
cockpit_has_reverse_proxy: false
|
|
@ -10,7 +10,7 @@
|
|||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
when: system_cockpit_has_reverse_proxy
|
||||
when: cockpit_has_reverse_proxy
|
||||
|
||||
- name: Enable cockpit
|
||||
ansible.builtin.service:
|
|
@ -1,3 +1,3 @@
|
|||
---
|
||||
# List of the flatpak apps to be installed
|
||||
system_flatpak_apps: []
|
||||
flatpak_apps: []
|
|
@ -11,6 +11,6 @@
|
|||
community.general.flatpak:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop: "{{ system_flatpak_apps }}"
|
||||
loop: "{{ flatpak_apps }}"
|
||||
become: true
|
||||
when: system_flatpak_apps
|
||||
when: flatpak_apps
|
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
# Whether to accept password auth; ‹yes› or ‹no›
|
||||
system_sshd_auth_password_authentication: "no"
|
||||
sshd_auth_password_authentication: "no"
|
||||
|
||||
# Whether to allow ‹root› login; ‹yes› or ‹no›
|
||||
system_sshd_auth_permit_root_login: "no"
|
||||
sshd_auth_permit_root_login: "no"
|
||||
|
||||
# Whether to setup trusted CA (against the HashiCorp Vault instance)
|
||||
system_sshd_auth_trusted_ca: true
|
||||
sshd_auth_trusted_ca: true
|
||||
|
||||
# Default port where the SSH daemon runs; also adjusts the SELinux policy
|
||||
system_sshd_port: 10022
|
||||
sshd_port: 10022
|
||||
|
||||
# [TODO]: Whether to sign the host keys (against the HashiCorp Vault instance)
|
||||
system_sshd_sign_host_keys: true
|
||||
sshd_sign_host_keys: true
|
|
@ -29,7 +29,7 @@
|
|||
|
||||
- name: Notify SELinux about new port
|
||||
community.general.seport:
|
||||
ports: "{{ system_sshd_port }}"
|
||||
ports: "{{ sshd_port }}"
|
||||
proto: "tcp"
|
||||
setype: "ssh_port_t"
|
||||
state: "present"
|
||||
|
@ -37,7 +37,7 @@
|
|||
|
||||
- name: Enable the new SSH port on firewall
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ system_sshd_port }}/tcp"
|
||||
port: "{{ sshd_port }}/tcp"
|
||||
immediate: true
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
@ -53,4 +53,4 @@
|
|||
|
||||
- name: Set trusted CA
|
||||
ansible.builtin.include_tasks: trusted_ca.yml
|
||||
when: system_sshd_auth_trusted_ca
|
||||
when: sshd_auth_trusted_ca
|
6
roles/sshd/templates/10-harden.conf
Normal file
6
roles/sshd/templates/10-harden.conf
Normal file
|
@ -0,0 +1,6 @@
|
|||
# Port
|
||||
Port {{ sshd_port }}
|
||||
|
||||
# Auth
|
||||
PermitRootLogin {{ sshd_auth_permit_root_login }}
|
||||
PasswordAuthentication {{ sshd_auth_password_authentication }}
|
|
@ -1,6 +0,0 @@
|
|||
# Port
|
||||
Port {{ system_sshd_port }}
|
||||
|
||||
# Auth
|
||||
PermitRootLogin {{ system_sshd_auth_permit_root_login }}
|
||||
PasswordAuthentication {{ system_sshd_auth_password_authentication }}
|
Loading…
Reference in a new issue