
rework

Markus Bergholz 8 months ago
parent
commit
6d9da38abc
  1. 5
      localhost.yml
  2. 17
      osuv.yml
  3. 1
      roles/ssh/files/id_ecdsa_sk.pub
  4. 38
      roles/ssh/tasks/main.yml
  5. 0
      roles/systemd_timers/files/nextcloud_cron.sh
  6. 13
      roles/systemd_timers/tasks/backup.sh
  7. 57
      roles/systemd_timers/tasks/backup.yml
  8. 1
      roles/systemd_timers/tasks/main.yml

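--- /dev/null
+++ b/localhost.yml
@@ -0,0 +1,5 @@
+---
+- hosts: local
+roles:
+- ssh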
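--- a/osuv.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- hosts: all
-# vars_prompt:
-# - name: USER
-# prompt: "user?"
-# private: no
-# - name: SECRET
-# prompt: "your 2F secrets?"
-# private: yes
-# - name: TRUSTED_CA_KEY
-# prompt: "which trusted ca key?"
-# private: no
-# default: osuv.pub
-roles:
-- ssh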
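--- /dev/null
+++ b/roles/ssh/files/id_ecdsa_sk.pub
@@ -0,0 +1 @@
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGh2rclhwbyMMGVsERVKAgbYMlVmF7r7AYSddt6cZsTnG4V6XA2/mbKZlohsMRRJvURrUb0FR+izCIK9FY52cJwAAAAEc3NoOg== solo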
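Review bot: The file added here is a FIDO security-key user public key (type `sk-ecdsa-sha2-nistp256@openssh.com`, comment `solo`), yet the sshd_config hunk in roles/ssh/tasks/main.yml installs it as `TrustedUserCAKeys /etc/ssh/id_ecdsa_sk.pub`, which makes sshd treat it as a certificate authority rather than as a login key: only certificates signed by this key will be accepted, and the key itself cannot authenticate directly. If the goal is to log in as `m` with this security key, it belongs in that user's `authorized_keys` (the `authorized_key` module) and `TrustedUserCAKeys` should reference the real CA public key; if the goal really is to sign user certificates with the security key, that is workable but unusual and deserves a comment on the copy task saying so. Either way, a one-line comment such as `# sk user key used as the user-certificate CA; see TrustedUserCAKeys below` would remove the ambiguity for the next reader.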
38
roles/ssh/tasks/main.yml

@ -5,30 +5,6 @@
block:
- name: install liboath
apt:
name: "{{ packages }}"
vars:
packages:
- libpam-oath
- name: create users.oath
lineinfile:
path: /etc/users.oath
line: 'HOTP {{ USER }} - {{ SECRET }}'
create: yes
owner: root
group: root
mode: 0600
- name: update pam.d/sshd
lineinfile:
dest: /etc/pam.d/sshd
insertafter: 'account required pam_nologin.so'
line: 'auth required pam_oath.so usersfile=/etc/users.oath window=10 digits=8 '
state: present
backup: yes
- name: delete sshd_config file
file:
state: absent
@ -42,26 +18,22 @@
- name: copy trusted user ca key to server
copy:
content: "{{ TRUSTED_CA_KEY }}"
dest: "/etc/ssh/osuv.pub"
src: id_ecdsa_sk.pub
dest: "/etc/ssh/id_ecdsa_sk.pub"
mode: 0600
- name: create new sshd_config
blockinfile:
path: /etc/ssh/sshd_config
block: |
StrictModes yes
MaxAuthTries 5
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
TrustedUserCAKeys /etc/ssh/osuv.pub
TrustedUserCAKeys /etc/ssh/id_ecdsa_sk.pub
PubkeyAuthentication yes
RhostsRSAAuthentication no
UsePAM yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AllowUsers {{ USER }}
AllowUsers m
- name: limit ssh access
ufw:
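Review bot: With the pam_oath install, users.oath and pam.d/sshd tasks removed in the first hunk, `ChallengeResponseAuthentication yes` combined with `UsePAM yes` in the sshd_config block now lets sshd run keyboard-interactive through the distribution's default PAM stack, which on a typical Debian/Ubuntu host means password prompts, so `PasswordAuthentication no` alone no longer rules out password logins; unless another PAM factor is still configured, change that line to `ChallengeResponseAuthentication no` (`KbdInteractiveAuthentication no` on OpenSSH 8.7 and later). Note also that dropping the lineinfile tasks does not undo `/etc/users.oath` or the `pam_oath.so` line on hosts the previous playbook already provisioned, so those hosts keep the OTP prompt until an explicit `state: absent` cleanup is run. `RhostsRSAAuthentication` was removed from sshd in OpenSSH 7.4 and now only produces a deprecation warning, so that line can be dropped from the block. The `limit ssh access` task continues past the end of the hunk.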

0
roles/systemd_timers/tasks/nextcloud_cron.sh → roles/systemd_timers/files/nextcloud_cron.sh

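--- a/roles/systemd_timers/tasks/backup.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-echo "mount rw"
-sudo mount -o remount,rw /mnt/backup/
-echo "dump nextcloud"
-mysqldump --single-transaction nextcloud | zstd > /home/m/nextcloud.sql.zst
-echo "dump gitea"
-mysqldump --single-transaction gitea | zstd > /home/m/gitea.sql.zst
-echo "rsnapshot"
-sudo rsnapshot daily
-echo "mount ro"
-sudo mount -o remount,ro /mnt/backup/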
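--- a/roles/systemd_timers/tasks/backup.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-- name: file nextcloud_cron.sh
-copy:
-src: backup.sh
-dest: /home/m/backup.sh
-owner: m
-group: m
-mode: a+x
-- name: delete unit file if exists
-file:
-state: absent
-path: /etc/systemd/system/backup.service
-- name: delete timer file if exists
-file:
-state: absent
-path: /etc/systemd/system/backup.timer
-- name: backup cron unit file
-blockinfile:
-create: yes
-path: /etc/systemd/system/backup.service
-block: |
-[Unit]
-Description=run daily backup
-After=network.target
-Requires=docker.service
-[Service]
-Type=oneshot
-User=m
-ExecStart=/home/m/backup.sh
-- name: backup cron timer file
-blockinfile:
-create: yes
-path: /etc/systemd/system/backup.timer
-block: |
-[Unit]
-Description=run daily backup
-After=network.target
-Requires=docker.service
-[Timer]
-OnCalendar=*-*-* 4:00:00
-Persistent=true
-[Install]
-WantedBy=basic.target
-- name: enable backup cron job
-systemd:
-name: backup.timer
-state: started
-enabled: yes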
1
roles/systemd_timers/tasks/main.yml

@ -5,6 +5,5 @@
block:
- include_tasks: nextcloud_cron.yml
- include_tasks: backup.yml
...