From 43406c49fc8c3e8b3e94b57ef3fab7c273cecb47 Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Wed, 24 Jul 2024 22:39:05 +0200
Subject: [PATCH 1/2] Add shell / enable nft on kvm
---
 group_vars/all.yaml | 8 ++++----
 group_vars/kvm.yaml | 2 --
 inventory | 5 ++++-
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index b9f854d..928e710 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -10,16 +10,16 @@ trusted_ranges:
 - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" }
 - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" }
 - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" }
- - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra" }
+ - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" }
 - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
- - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair" }
- - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar" }
+ - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ??
+ - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" }
 # - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
 # - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
 # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
 - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
 - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
- - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar" }
+ - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
 
 root_access:
 - ak
diff --git a/group_vars/kvm.yaml b/group_vars/kvm.yaml
index 9eed925..cd21505 100644
--- a/group_vars/kvm.yaml
+++ b/group_vars/kvm.yaml
@@ -1,4 +1,2 @@
 ---
-# FIXME: nog niet kunnen testen, en mogelijk non-default config nodig ;)
-nft: false
 
diff --git a/inventory b/inventory
index 7e430e1..5a50449 100644
--- a/inventory
+++ b/inventory
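Review bot: The new `# kan weg ??` comment on the `185.205.52.194/32` entry leaves a firewall-trusted range in place with an unknown justification; a trusted_ranges entry should either be removed or carry an owner and a review date so it can be retired, e.g. `# TODO(owner): confirm still needed, review by <date, fill in>` next to `comment: "bitlair A2B"`. The relabelled `204.2.64.0/20` line now, per its own label, trusts a /20 on behalf of two parties, so the same ownership note would help there. Unrelated to the change but worth a follow-up: the commented-out `"::/0"` line above it is labelled `ipv6 localhost` although `::/0` is the entire IPv6 address space, so re-enabling it as written would trust every IPv6 source. Indentation was lost when the patch was flattened, so the nesting of these lines under `trusted_ranges:` could not be checked here.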
@@ -39,6 +39,9 @@ service.bitlair.nl
 [wiki]
 wiki.bitlair.nl
 
+[shell]
+shell.bitlair.nl
+
 [debian:children]
 bank
 fotos
@@ -51,4 +54,4 @@ monitoring
 music
 services
 wiki
-
+shell
From cce26a439577ac6701a36e04bdaa04750ac62874 Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Thu, 25 Jul 2024 00:22:18 +0200
Subject: [PATCH 2/2] Begin with shell-config
---
 authorized_keys/ak.keys | 2 ++
 authorized_keys/foobar.keys | 2 ++
 group_vars/shell.yaml | 3 +++
 roles/common/tasks/main.yaml | 1 +
 4 files changed, 8 insertions(+)
 create mode 100644 group_vars/shell.yaml
diff --git a/authorized_keys/ak.keys b/authorized_keys/ak.keys
index 75593c5..a257da2 100644
--- a/authorized_keys/ak.keys
+++ b/authorized_keys/ak.keys
@@ -1 +1,3 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAhA2rt1rIpqWG5BzwTFCCRCEZViWNk3GGIVyIpKg0A0+btJxPu66AKcudP88nsdzp8rPVES1qLBpIt6QsHnoioF+MjUjrkodc0gNescE+7frlf0+wCwN7/OQjSTDURa0THwQQGuGJm4cWaMf7w/sfkU89KmuRPvxZGNn4ahSRkRVyKP09B3xI14CDpRSP4Xg9bCz7QYxLixXfk0zBMOgbrSzsNs2eO4YUUsHFX1x0nX6CK7fauO0l8UC1nYeFGNofbmpn0mnqSj0u1i+ikjiCv+8ruXuI0ufLjfcIQjsYmkrMEfwuf0nyOAha5U2z4U05J2Je4do0cYVoC4/kCoAod3nrX7fVur0RVdD7XEAzvtxZh87dOhM3TrYYVFs37jeDtt4ZO9XYRSrV2l/TgPdWoST/h69/10QhdS8lYQXTJWY8AgQs+MtIHj6z1lCsVbRZN/JKYulhXpGuHmNt/gBlMscFVDezmdGwuqPB8XdYHBVcDqgpynbvlaBXMX+hHIjPKC6ExLxmUtJYGetTKyEPWeIVjp6D1zs/aMVVEOxvKfjtGDLyByzUEnHt0YL2v+tAp1+oqmWr0i5RWgnWOtTuzzEkFaa99Y6SMbskWx4p/3Of5VTrgFcADMG7TFHAwQ4vnv6Ca5P0pBTFjWCR1tX4v7qNgx9lqax7bbWlNjxLODM= arjan@koopen.net SL
+
diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys
index f7fac20..057bbbf 100644
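Review bot: The comment on the newly added RSA key, `arjan@koopen.net SL`, does not identify the device or purpose, which is exactly what is needed when one of the two `arjan@koopen.net` keys has to be revoked; a comment naming the actual device and date, e.g. `arjan@koopen.net (SL <device, fill in>, 2024-07)`, keeps them distinguishable in `ssh-keygen -lf` output and in auth logs. Since `ak` appears in the `root_access` list in group_vars/all.yaml, this key presumably grants root on every host that consumes that list, so it deserves the same scrutiny as a new admin account. The hunk also appends an empty line to the file, and the foobar.keys hunk does the same; sshd ignores blank lines, but it looks unintended and the trailing `+` line can be dropped from both.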
--- a/authorized_keys/foobar.keys
+++ b/authorized_keys/foobar.keys
@@ -1,2 +1,4 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14
+
diff --git a/group_vars/shell.yaml b/group_vars/shell.yaml
new file mode 100644
index 0000000..238e2cc
--- /dev/null
+++ b/group_vars/shell.yaml
@@ -0,0 +1,3 @@
+---
+
+manage_sshd_config: false
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index 41512a3..a02e163 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -117,6 +117,7 @@
 line: 'PasswordAuthentication no'
 - regexp: '^#?DebianBanner'
 line: 'DebianBanner no'
+ when: manage_sshd_config | default(true)
 notify: reload sshd
 
 - name: Allow SSH
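Review bot: `manage_sshd_config: false` switches off the whole sshd_config lineinfile loop in roles/common/tasks/main.yaml for the shell group, including `PasswordAuthentication no`, and the new file gives no hint of what manages sshd_config on shell.bitlair.nl instead. A multi-user shell host is where that hardening matters most, so either keep the role managing sshd and override only the settings that differ, or record the replacement in this file, e.g. `# sshd_config on shell is managed by <replacement, fill in>; password auth must stay off there`. If the variable stays, a one-line comment saying which task it skips would also help, since the name alone does not tell the reader that password authentication is affected.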
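Review bot: `manage_sshd_config` is only ever defined in the new group_vars/shell.yaml, so the `| default(true)` in the added `when:` is the sole thing keeping every other host's sshd hardening applied; declaring `manage_sshd_config: true` in group_vars/all.yaml makes the default explicit and greppable, and the `| default(true)` guard can stay as a safety net. Indentation was lost when the patch was flattened, so it is not visible whether `when:` sits at task level or inside the last loop item; it needs the same indent as `notify:` for the whole task to be skipped rather than producing a malformed loop entry. The task this hunk belongs to starts before the hunk.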