Begin with shell-config

authorized_keys/ak.keys

@@ -1 +1,3 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAhA2rt1rIpqWG5BzwTFCCRCEZViWNk3GGIVyIpKg0A0+btJxPu66AKcudP88nsdzp8rPVES1qLBpIt6QsHnoioF+MjUjrkodc0gNescE+7frlf0+wCwN7/OQjSTDURa0THwQQGuGJm4cWaMf7w/sfkU89KmuRPvxZGNn4ahSRkRVyKP09B3xI14CDpRSP4Xg9bCz7QYxLixXfk0zBMOgbrSzsNs2eO4YUUsHFX1x0nX6CK7fauO0l8UC1nYeFGNofbmpn0mnqSj0u1i+ikjiCv+8ruXuI0ufLjfcIQjsYmkrMEfwuf0nyOAha5U2z4U05J2Je4do0cYVoC4/kCoAod3nrX7fVur0RVdD7XEAzvtxZh87dOhM3TrYYVFs37jeDtt4ZO9XYRSrV2l/TgPdWoST/h69/10QhdS8lYQXTJWY8AgQs+MtIHj6z1lCsVbRZN/JKYulhXpGuHmNt/gBlMscFVDezmdGwuqPB8XdYHBVcDqgpynbvlaBXMX+hHIjPKC6ExLxmUtJYGetTKyEPWeIVjp6D1zs/aMVVEOxvKfjtGDLyByzUEnHt0YL2v+tAp1+oqmWr0i5RWgnWOtTuzzEkFaa99Y6SMbskWx4p/3Of5VTrgFcADMG7TFHAwQ4vnv6Ca5P0pBTFjWCR1tX4v7qNgx9lqax7bbWlNjxLODM= arjan@koopen.net SL
+

authorized_keys/foobar.keys

@@ -1,2 +1,4 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14
+

group_vars/all.yaml

@@ -10,16 +10,16 @@ trusted_ranges:
   - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" }
   - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" }
   - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" }
-  - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra" }
+  - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" }
   - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
-  - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair" }
-  - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar" }
+  - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ??
+  - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" }
 #  - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
 #  - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
 #  - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
   - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
   - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
-  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar" }
+  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
 
 root_access:
   - ak

group_vars/kvm.yaml

@@ -1,4 +1,2 @@
 ---
 
-# FIXME: nog niet kunnen testen, en mogelijk non-default config nodig ;)
-nft: false

group_vars/shell.yaml

@@ -0,0 +1,3 @@
+---
+
+manage_sshd_config: false

inventory

@@ -39,6 +39,9 @@ service.bitlair.nl
 [wiki]
 wiki.bitlair.nl
 
+[shell]
+shell.bitlair.nl
+
 [debian:children]
 bank
 fotos
@@ -51,4 +54,4 @@ monitoring
 music
 services
 wiki
-
+shell

roles/common/tasks/main.yaml

@@ -117,6 +117,7 @@
       line: 'PasswordAuthentication no'
     - regexp: '^#?DebianBanner'
       line: 'DebianBanner no'
+  when: manage_sshd_config | default(true)
   notify: reload sshd
 
 - name: Allow SSH