algo/roles/ssh_tunneling/tasks/main.yml

---
- name: Ensure that the sshd_config file has desired options
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role"
    block: |
      Match Group algo
          AllowTcpForwarding local
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          PermitTunnel no
          X11Forwarding no
  notify:
    - restart ssh

- name: Ensure that the algo group exist
  group:
    name: algo
    state: present
    gid: 15000

- name: Ensure that the jail directory exist
  file:
    path: /var/jail/
    state: directory
    mode: 0755
    owner: root
    group: "{{ root_group|default('root') }}"

- block:
    - name: Ensure that the SSH users exist
      user:
        name: "{{ item }}"
        group: algo
        home: /var/jail/{{ item }}
        createhome: true
        generate_ssh_key: false
        shell: /bin/false
        state: present
        append: true
      with_items: "{{ users }}"

    - block:
        - name: Clean up the ssh-tunnel directory
          file:
            dest: "{{ ssh_tunnels_config_path }}"
            state: absent
          when: keys_clean_all|bool

        - name: Ensure the config directories exist
          file:
            dest: "{{ ssh_tunnels_config_path }}"
            state: directory
            recurse: true
            mode: "0700"

        - name: Check if the private keys exist
          stat:
            path: "{{ ssh_tunnels_config_path }}/{{ item }}.pem"
          register: privatekey
          with_items: "{{ users }}"

        - name: Build ssh private keys
          openssl_privatekey:
            path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem"
            passphrase: "{{ p12_export_password }}"
            cipher: auto
            force: false
          no_log: "{{ no_log|bool }}"
          when: not item.stat.exists
          with_items: "{{ privatekey.results }}"
          register: openssl_privatekey

        - name: Build ssh public keys
          openssl_publickey:
            path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pub"
            privatekey_path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pem"
            privatekey_passphrase: "{{ p12_export_password }}"
            format: OpenSSH
            force: true
          no_log: "{{ no_log|bool }}"
          when: item.changed
          with_items: "{{ openssl_privatekey.results }}"

        - name: Build the client ssh config
          template:
            src: ssh_config.j2
            dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"
            mode: 0700
          with_items: "{{ users }}"
      delegate_to: localhost
      become: false

    - name: The authorized keys file created
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', ssh_tunnels_config_path + '/' + item + '.pub') }}"
        state: present
        manage_dir: true
        exclusive: true
      with_items: "{{ users }}"

    - name: Get active users
      getent:
        database: group
        key: algo
        split: ":"

    - name: Delete non-existing users
      user:
        name: "{{ item }}"
        state: absent
        remove: true
        force: true
      when: item not in users
      with_items: "{{ getent_group['algo'][2].split(',') }}"
  tags: update-users
SSH tunneling role #77 8 years ago			`---`
Refactoring to support roles inclusion (#1365) 5 years ago			`- name: Ensure that the sshd_config file has desired options`
			`blockinfile:`
			`dest: /etc/ssh/sshd_config`
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`marker: "# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role"`
Refactoring to support roles inclusion (#1365) 5 years ago			`block: \|`
			`Match Group algo`
			`AllowTcpForwarding local`
			`AllowAgentForwarding no`
			`AllowStreamLocalForwarding no`
			`PermitTunnel no`
			`X11Forwarding no`
			`notify:`
			`- restart ssh`
SSH tunneling role #77 8 years ago
Refactoring to support roles inclusion (#1365) 5 years ago			`- name: Ensure that the algo group exist`
Block link-local networks. Block traffic from SSH tunnels to VPN clients (#1458) 5 years ago			`group:`
			`name: algo`
			`state: present`
			`gid: 15000`
security role and SSH fixes #77 8 years ago
Refactoring to support roles inclusion (#1365) 5 years ago			`- name: Ensure that the jail directory exist`
			`file:`
			`path: /var/jail/`
			`state: directory`
			`mode: 0755`
			`owner: root`
			`group: "{{ root_group\|default('root') }}"`
linting 8 years ago
Refactoring to support roles inclusion (#1365) 5 years ago			`- block:`
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Ensure that the SSH users exist`
			`user:`
			`name: "{{ item }}"`
			`group: algo`
			`home: /var/jail/{{ item }}`
			`createhome: true`
			`generate_ssh_key: false`
			`shell: /bin/false`
			`state: present`
			`append: true`
			`with_items: "{{ users }}"`
linting 8 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- block:`
			`- name: Clean up the ssh-tunnel directory`
			`file:`
			`dest: "{{ ssh_tunnels_config_path }}"`
			`state: absent`
			`when: keys_clean_all\|bool`
linting 8 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Ensure the config directories exist`
			`file:`
			`dest: "{{ ssh_tunnels_config_path }}"`
			`state: directory`
			`recurse: true`
			`mode: "0700"`
linting 8 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Check if the private keys exist`
			`stat:`
			`path: "{{ ssh_tunnels_config_path }}/{{ item }}.pem"`
			`register: privatekey`
			`with_items: "{{ users }}"`
Fix SSH keys permissions 8 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Build ssh private keys`
			`openssl_privatekey:`
			`path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem"`
			`passphrase: "{{ p12_export_password }}"`
			`cipher: auto`
			`force: false`
			`no_log: "{{ no_log\|bool }}"`
			`when: not item.stat.exists`
			`with_items: "{{ privatekey.results }}"`
			`register: openssl_privatekey`
Change the P12 and SSH passwords only for new users (#550) 7 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Build ssh public keys`
			`openssl_publickey:`
			`path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pub"`
			`privatekey_path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pem"`
			`privatekey_passphrase: "{{ p12_export_password }}"`
			`format: OpenSSH`
			`force: true`
			`no_log: "{{ no_log\|bool }}"`
			`when: item.changed`
			`with_items: "{{ openssl_privatekey.results }}"`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 5 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Build the client ssh config`
			`template:`
			`src: ssh_config.j2`
			`dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"`
			`mode: 0700`
			`with_items: "{{ users }}"`
			`delegate_to: localhost`
			`become: false`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 5 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: The authorized keys file created`
			`authorized_key:`
			`user: "{{ item }}"`
			`key: "{{ lookup('file', ssh_tunnels_config_path + '/' + item + '.pub') }}"`
			`state: present`
			`manage_dir: true`
			`exclusive: true`
			`with_items: "{{ users }}"`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 5 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Get active users`
			`getent:`
			`database: group`
			`key: algo`
			`split: ":"`
delete tasks and move to roles (#519) 7 years ago
Ansible upgrade 6.1 (#14500) * linting * update ansible * linters 2 years ago			`- name: Delete non-existing users`
			`user:`
			`name: "{{ item }}"`
			`state: absent`
			`remove: true`
			`force: true`
			`when: item not in users`
			`with_items: "{{ getent_group['algo'][2].split(',') }}"`
Refactoring to support roles inclusion (#1365) 5 years ago			`tags: update-users`