mirror of https://github.com/trailofbits/algo
Change default SSH port and introduce cloud-init support (#1636)
* Change default SSH port * Iptables to ansible_ssh_port * Add Scaleway * permissions and groups fixes * update firewall docs * SSH fixes * add missing cloudinit to cloud-azure * remove ansible_ssh_user from the tests * congrats message fix
pull/1678/head
parent
b66c9f59aa
commit
d635c76b50
@ -0,0 +1,19 @@
#!/bin/bash
set -eux
apt-get update -y
apt-get install sudo -y
getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G adm,netdev -p '!' algo
(umask 337 && echo "algo ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/10-algo-user)
cat <<EOF >/etc/ssh/sshd_config
{{ lookup('template', 'files/cloud-init/sshd_config') }}
EOF
test -d /home/algo/.ssh || (umask 077 && sudo -u algo mkdir -p /home/algo/.ssh/)
echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (umask 177 && sudo -u algo tee /home/algo/.ssh/authorized_keys)
sudo apt-get remove -y --purge sshguard || true
systemctl restart sshd.service
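Review bot: The `systemctl restart sshd.service` line at the end of the hunk restarts the daemon on a freshly written /etc/ssh/sshd_config without validating it first; if the rendered template is unparseable the restart fails after the old daemon has already been stopped, leaving the host with no listening sshd and no recovery path for the provisioning run. Validating before the restart keeps the old daemon (and the pre-change port) reachable on a bad render: `sshd -t && systemctl restart sshd.service` (under `set -e` a failed test aborts before the restart). The same concern applies to the runcmd restart in the cloud-config hunk below. Separately, the delimiter on the `cat <<EOF` line is unquoted, so any `$` or backtick that ever appears in the sshd_config template is expanded by the shell at boot; `cat <<'EOF'` makes the written content literal.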
@ -0,0 +1,29 @@
#cloud-config
output: {all: '| tee -a /var/log/cloud-init-output.log'}
package_update: true
package_upgrade: true
packages:
- sudo
users:
- default
- name: algo
homedir: /home/algo
sudo: ALL=(ALL) NOPASSWD:ALL
groups: adm,netdev
shell: /bin/bash
lock_passwd: true
ssh_authorized_keys:
- "{{ lookup('file', '{{ SSH_keys.public }}') }}"
write_files:
- path: /etc/ssh/sshd_config
content: |
{{ lookup('template', 'files/cloud-init/sshd_config') | indent(width=6) }}
runcmd:
- set -x
- sudo apt-get remove -y --purge sshguard || true
- systemctl restart sshd.service
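Review bot: The `write_files` entry for /etc/ssh/sshd_config carries no `permissions:` or `owner:`, so the mode and ownership of the daemon's main configuration depend on cloud-init's defaults rather than being pinned by this file; add `permissions: '0644'` and `owner: root:root` under the `path:` line so neither sshd's expectations nor a later hardening audit rest on a default. Also, `- default` under `users:` keeps the image's distro account alongside `algo`; `AllowGroups algo` in the written sshd_config denies it SSH, but if that account carries passwordless sudo on the image it remains a second privileged local account, so drop the entry if nothing relies on it. The `systemctl restart sshd.service` line in `runcmd` has the same validate-before-restart concern raised on the bootstrap-script hunk above.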
@ -0,0 +1,10 @@
Port {{ ssh_port }}
AllowGroups algo
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
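Review bot: `X11Forwarding yes` enables X11 forwarding on what the rest of this template configures as a key-only, single-group administrative host; forwarding is not needed there and every extra channel type the daemon accepts is surface a compromised server can turn against the connecting client's display, so the template should set `X11Forwarding no`. Because the template replaces the whole sshd_config, consider stating `PubkeyAuthentication yes` explicitly as well, so the intended authentication method does not rest on the compiled-in default. `AllowGroups algo` presumably relies on the user's primary group being named `algo`, which both provisioning paths appear to obtain from useradd/cloud-init defaults rather than an explicitly created group; a one-line `#` comment above it recording that dependency would help the next maintainer.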