chore: move out system roles
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
6a732703f7
commit
281b95d824
19 changed files with 27 additions and 27 deletions
|
@ -7,11 +7,11 @@ desktops:
|
||||||
ohm:
|
ohm:
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
system_sshd_port: 22
|
sshd_port: 22
|
||||||
system_sshd_sign_host_keys: false
|
sshd_sign_host_keys: false
|
||||||
system_sshd_auth_password_authentication: "yes"
|
sshd_auth_password_authentication: "yes"
|
||||||
|
|
||||||
system_flatpak_apps:
|
flatpak_apps:
|
||||||
- "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
|
- "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
|
||||||
- com.discordapp.Discord
|
- com.discordapp.Discord
|
||||||
- com.spotify.Client
|
- com.spotify.Client
|
||||||
|
|
|
@ -17,22 +17,22 @@
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
# Enable Cockpit
|
# Enable Cockpit
|
||||||
- role: system/cockpit
|
- role: cockpit
|
||||||
become: true
|
become: true
|
||||||
tags: cockpit
|
tags: cockpit
|
||||||
|
|
||||||
# Enable Flathub repository and install configured flatpaks
|
# Enable Flathub repository and install configured flatpaks
|
||||||
- role: system/flatpak
|
- role: flatpak
|
||||||
when: ansible_distribution != "Ubuntu"
|
when: ansible_distribution != "Ubuntu"
|
||||||
tags: flatpak
|
tags: flatpak
|
||||||
|
|
||||||
# Install Podman and configure UIDs/GIDs for rootless usage
|
# Install Podman and configure UIDs/GIDs for rootless usage
|
||||||
- role: system/podman
|
- role: podman
|
||||||
become: true
|
become: true
|
||||||
tags: podman
|
tags: podman
|
||||||
|
|
||||||
# Install and configure SSH server
|
# Install and configure SSH server
|
||||||
- role: system/sshd
|
- role: sshd
|
||||||
become: true
|
become: true
|
||||||
tags: sshd
|
tags: sshd
|
||||||
|
|
||||||
|
|
|
@ -2,4 +2,4 @@
|
||||||
# Boolean variable that adjust the Cockpit config when it's being served via
|
# Boolean variable that adjust the Cockpit config when it's being served via
|
||||||
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
|
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
|
||||||
# and checks for SSL/TLS connections)
|
# and checks for SSL/TLS connections)
|
||||||
system_cockpit_has_reverse_proxy: false
|
cockpit_has_reverse_proxy: false
|
|
@ -10,7 +10,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: system_cockpit_has_reverse_proxy
|
when: cockpit_has_reverse_proxy
|
||||||
|
|
||||||
- name: Enable cockpit
|
- name: Enable cockpit
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
# List of the flatpak apps to be installed
|
# List of the flatpak apps to be installed
|
||||||
system_flatpak_apps: []
|
flatpak_apps: []
|
|
@ -11,6 +11,6 @@
|
||||||
community.general.flatpak:
|
community.general.flatpak:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ system_flatpak_apps }}"
|
loop: "{{ flatpak_apps }}"
|
||||||
become: true
|
become: true
|
||||||
when: system_flatpak_apps
|
when: flatpak_apps
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
# Whether to accept password auth; ‹yes› or ‹no›
|
# Whether to accept password auth; ‹yes› or ‹no›
|
||||||
system_sshd_auth_password_authentication: "no"
|
sshd_auth_password_authentication: "no"
|
||||||
|
|
||||||
# Whether to allow ‹root› login; ‹yes› or ‹no›
|
# Whether to allow ‹root› login; ‹yes› or ‹no›
|
||||||
system_sshd_auth_permit_root_login: "no"
|
sshd_auth_permit_root_login: "no"
|
||||||
|
|
||||||
# Whether to setup trusted CA (against the HashiCorp Vault instance)
|
# Whether to setup trusted CA (against the HashiCorp Vault instance)
|
||||||
system_sshd_auth_trusted_ca: true
|
sshd_auth_trusted_ca: true
|
||||||
|
|
||||||
# Default port where the SSH daemon runs; also adjusts the SELinux policy
|
# Default port where the SSH daemon runs; also adjusts the SELinux policy
|
||||||
system_sshd_port: 10022
|
sshd_port: 10022
|
||||||
|
|
||||||
# [TODO]: Whether to sign the host keys (against the HashiCorp Vault instance)
|
# [TODO]: Whether to sign the host keys (against the HashiCorp Vault instance)
|
||||||
system_sshd_sign_host_keys: true
|
sshd_sign_host_keys: true
|
|
@ -29,7 +29,7 @@
|
||||||
|
|
||||||
- name: Notify SELinux about new port
|
- name: Notify SELinux about new port
|
||||||
community.general.seport:
|
community.general.seport:
|
||||||
ports: "{{ system_sshd_port }}"
|
ports: "{{ sshd_port }}"
|
||||||
proto: "tcp"
|
proto: "tcp"
|
||||||
setype: "ssh_port_t"
|
setype: "ssh_port_t"
|
||||||
state: "present"
|
state: "present"
|
||||||
|
@ -37,7 +37,7 @@
|
||||||
|
|
||||||
- name: Enable the new SSH port on firewall
|
- name: Enable the new SSH port on firewall
|
||||||
ansible.posix.firewalld:
|
ansible.posix.firewalld:
|
||||||
port: "{{ system_sshd_port }}/tcp"
|
port: "{{ sshd_port }}/tcp"
|
||||||
immediate: true
|
immediate: true
|
||||||
permanent: true
|
permanent: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
@ -53,4 +53,4 @@
|
||||||
|
|
||||||
- name: Set trusted CA
|
- name: Set trusted CA
|
||||||
ansible.builtin.include_tasks: trusted_ca.yml
|
ansible.builtin.include_tasks: trusted_ca.yml
|
||||||
when: system_sshd_auth_trusted_ca
|
when: sshd_auth_trusted_ca
|
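--- /dev/null
+++ b/roles/sshd/templates/10-harden.conf
@@ -0,0 +1,6 @@
+# Port
+Port {{ sshd_port }}
+
+# Auth
+PermitRootLogin {{ sshd_auth_permit_root_login }}
+PasswordAuthentication {{ sshd_auth_password_authentication }}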
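Review bot: The new template renders `PermitRootLogin {{ sshd_auth_permit_root_login }}` and `PasswordAuthentication {{ sshd_auth_password_authentication }}` verbatim, so it only produces valid sshd keywords while those variables hold the literal strings "yes"/"no" that the role defaults and the `ohm` inventory entry quote; a YAML boolean (`true`/`false`) set in some other inventory would render as `True`/`False`, which sshd rejects, leaving the host with a drop-in the daemon refuses to load. Normalising in the template guards against that: `PasswordAuthentication {{ 'yes' if sshd_auth_password_authentication | bool else 'no' }}` (and the same shape for `PermitRootLogin`, bearing in mind that keyword also accepts `prohibit-password`, which a `| bool` conversion would not preserve). Independently, if the task that deploys this file does not yet pass `validate: sshd -t -f %s`, adding it catches an invalid rendering before the daemon is reloaded; that task is outside this hunk.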
@ -1,6 +0,0 @@
|
||||||
# Port
|
|
||||||
Port {{ system_sshd_port }}
|
|
||||||
|
|
||||||
# Auth
|
|
||||||
PermitRootLogin {{ system_sshd_auth_permit_root_login }}
|
|
||||||
PasswordAuthentication {{ system_sshd_auth_password_authentication }}
|
|