commit c1988b6bf6d20ab4af369108e214cb5dfb9deef8
parent 99e89e8eb0933b612752fd8f264d010fe587aca0
Author: pyratebeard <root@pyratebeard.net>
Date: Wed, 10 Jan 2024 13:04:57 +0000
use ansible instead
Diffstat:
M | forge | | | 138 | ++++++++++++++++--------------------------------------------------------------- |
A | playbook.yml | | | 169 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | sshd_config.j2 | | | 126 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
3 files changed, 322 insertions(+), 111 deletions(-)
diff --git a/forge b/forge
@@ -14,15 +14,7 @@
# usage ▓▒ curl -L https://s.rum.sh/forge > forge && chmod +x forge && ./forge
# ▓▓▒░ user vars
-export USR="dwarf"
-export U_UID=0
-export ARCH="x86"
-
-U_HOME="/usr/${USR}"
-DWARF="sudo -u dwarf"
-EMAIL="root@pyratebeard.net"
-USERCA_KEY="userca.pub"
-HOSTCA_KEY="hostca-key-01"
+VAULT_PASS_FILE="/tmp/vault.pass"
# ▓▓▒░ functions
function _echo() { printf "\n╓───── %s \n╙────────────────────────────────────── ─ ─ \n" "$1"; }
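Review bot: Removing `EMAIL="root@pyratebeard.net"` here breaks the `bw login "${EMAIL}"` line that survives as context in the third hunk of this file (L78), so `bw login` now runs with an empty email; either keep the assignment or prompt for it the way the next hunk prompts for `DOMAIN`. The new `VAULT_PASS_FILE="/tmp/vault.pass"` is not referenced anywhere this diff shows, and the `ansible-playbook playbook.yml` invocation later in the file passes no `--vault-password-file`, so it looks like a leftover from an abandoned approach; drop it or wire it in. A comment on the variable saying what is expected to create the file would help if it is meant to stay.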
@@ -32,6 +24,13 @@ function _echo() { printf "\n╓───── %s \n╙────────
exit 1
}
+# ▓▓▒░ vault
+_echo "enter domain"
+read DOMAIN
+
+[[ $(hostname -f) == $(hostname -s).$DOMAIN ]] || \
+ echo "$(hostname -s).$DOMAIN" > /etc/hostname
+
# ▓▓▒░ locale
_echo "setting up locales"
locale-gen "en_US.UTF-8"
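Review bot: `read DOMAIN` accepts an empty or malformed answer, and the unquoted right-hand side of `[[ $(hostname -f) == $(hostname -s).$DOMAIN ]]` is treated as a glob pattern by bash, so an empty input writes `host.` into `/etc/hostname` and a stray `*` or `?` matches unexpectedly; use `read -r DOMAIN`, guard with `[[ -n "$DOMAIN" ]] || exit 1`, and quote both sides, `[[ "$(hostname -f)" == "$(hostname -s).$DOMAIN" ]]`. The playbook later derives hostname and domain from `/etc/hostname`, so a bad value here propagates into the Bitwarden item names it looks up. The section header `# ▓▓▒░ vault` does not describe this block; `# ▓▓▒░ hostname` would.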
@@ -41,112 +40,29 @@ systemctl daemon-reload
# ▓▓▒░ packages
_echo "installing runtime deps"
-apt update && apt install -y git gpg bash curl locales gnupg software-properties-common unzip
-
-_echo "install pkgs"
-apt-get update && \
- apt-get install -y \
- bash \
- coreutils \
- dnsutils \
- expect \
- fail2ban \
- secure-delete \
- stow \
- sudo \
- tmux \
- tree \
- unzip \
- vim \
- zsh
+apt update && apt install -y ansible curl git
-# bitwarden
-curl -sL -o bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \
- unzip -d /usr/local/bin bw.zip
+# ▓▓▒░ install collection for bitwarden lookup
+ansible-galaxy collection install community.general
-_echo "remove pkgs"
-apt-get remove -y \
- nano \
- telnet
-apt-get autoremove -y
-
-_echo "bitwarden login"
+# ▓▓▒░ bitwarden
+_echo "bitwarden setup"
+curl -sL -o /tmp/bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \
+ unzip -d /usr/local/bin /tmp/bw.zip
export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0)
-_echo "adding dwarf user"
-id "${USR}" >/dev/null 2>&1 || \
- useradd -omd ${U_HOME} -u ${U_UID} -g ${U_UID} -s $(which zsh) ${USR}
-
-_echo "creating home skel"
-## skeleton directories
-mkdir -p \
- ${U_HOME}/.{config,local} \
- ${U_HOME}/.local/{bin,cache,lib,share,src,state} \
- ${U_HOME}/.local/state/zsh \
- ${U_HOME}/.local/share/gpg
-
-_echo "dot dot dot"
-if [ ! -d ${U_HOME}/.local/src/dotfiles ] ; then
- ${DWARF} git clone git://git.pyratebeard.net/dotfiles.git ${U_HOME}/.local/src/dotfiles && \
- cd ${U_HOME}/.local/src/dotfiles && \
- ${DWARF} stow git gpg tmux vim zsh -t ${U_HOME}
-fi
-
-# ▓▓▒░ bin
-_echo "bins"
-if [ ! -d ${U_HOME}/.local/src/scripts ] ; then
- ${DWARF} git clone git://git.pyratebeard.net/scripts.git ${U_HOME}/.local/src/scripts && \
- cd ${U_HOME}/.local/src/scripts && \
- ${DWARF} stow bin fun -t ${U_HOME}
-fi
+# ▓▓▒░ pull play
+_echo "cloning repo"
+git clone git://git.pyratebeard.net/setup.git /tmp/setup && \
+ cd /tmp/setup
-# ▓▓▒░ shortcuts
-_echo "creating ~src and ~dot aliases"
-id dot >/dev/null 2>&1 || \
-useradd -d ${U_HOME}/.local/src/dotfiles -s $(which nologin) dot
-id src >/dev/null 2>&1 || \
- useradd -d ${U_HOME}/.local/src -g src -s $(which nologin) src
+_echo "let's play"
+ansible-playbook playbook.yml
-# ▓▓▒░ ssh
-_echo "ssh config"
-# userca trusted keys
-bw get notes "${USERCA_KEY}" | tee /etc/ssh/${USERCA_KEY}
-
-## add trustedusercakeys line before ciphers section
-sed -i "/^#\ Ciphers\ and\ keying/i TrustedUserCAKeys\ \/etc\/ssh\/${USERCA_KEY}\n" \
- /etc/ssh/sshd_config
-
-# hostca self sign
-#bw get notes "5f1af206-bc1c-4900-abc0-b0d90113fb41" | tee /etc/ssh/${HOSTCA_KEY} >/dev/null
-#chmod 400 /etc/ssh/${HOSTCA_KEY}
-#ssh-keygen -s /etc/ssh/${HOSTCA_KEY} -h -I $(hostname -s)@$(hostname -d) -n $(hostname -f),$(hostname -s) -V +52w /etc/ssh/ssh_host_ed25519_key.pub
-#sed -i '/HostKey\ \/etc\/ssh\/ssh_host_ed25519_key/a HostCertificate\ \/etc\/ssh\/ssh_host_ed25519_key-cert.pub' /etc/ssh/sshd_config
-
-## ensure root login is allowed with keys only
-sed -i 's/.*\(PermitRootLogin\).*/\1 prohibit-password/' /etc/ssh/sshd_config
-## disable password authentication
-sed -i 's/.*\(PasswordAuthentication\).*/\1 no/' /etc/ssh/sshd_config
-## {update,set} allow users
-echo "AllowUsers ${USR}" | tee -a /etc/ssh/sshd_config
-
-systemctl reload sshd
-
-# ▓▓▒░ security
-_echo "setting up fail2ban"
-cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
-fail2ban-client reload
-
-# ▓▓▒░ forged
_echo "forge complete"
-IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
-echo "${HOSTNAME}: ${USR}@${IP}"
-
-_echo "cleanup"
-cd $HOME
-bw logout
-srm -dvrl bw.zip
-srm -dvrl .config/Bitwarden\ CLI/ &>/dev/null
-
-_echo "selfdestruct"
-srm -dvrl "$0" &> /dev/null
-systemctl reboot
+srm -drvl /etc/ssh/hostca-key
+srm -dvrl /tmp/setup
+srm -dvrl /tmp/bw.zip
+srm -dvrl /usr/local/bin/bw
+srm -dvrl "$0" &>/dev/null
+reboot
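Review bot: The cleanup at L160 securely deletes `/etc/ssh/hostca-key`, but the playbook writes the private host CA key to `/etc/ssh/hostca-<domain>` (playbook.yml L306) and only the public half to `hostca-key.pub` (L302), so the private CA key is left on disk after forge finishes; `srm -dvrl "/etc/ssh/hostca-${DOMAIN}"` matches the path the playbook actually creates (DOMAIN is read earlier in this script). The old cleanup also ran `bw logout` and removed `~/.config/Bitwarden CLI/`; both were dropped, so the logged-in session data survives the removal of the `bw` binary — restore them before L163. `git clone ... && cd /tmp/setup` at L107-L108 does not abort on failure, so `ansible-playbook playbook.yml` at L116 can run from whatever the current directory is; append `|| exit 1`. The clone uses the unauthenticated `git://` transport and the result is executed as root; an https or ssh URL with a pinned revision would give the playbook some integrity guarantee.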
diff --git a/playbook.yml b/playbook.yml
@@ -0,0 +1,169 @@
+---
+#
+
+- hosts: localhost
+ gather_facts: false
+ become: true
+ vars:
+ username: "dwarf"
+ user_home: "/usr/{{ username }}"
+ user_shell: "/usr/bin/zsh"
+ home_skel:
+ - .config
+ - .local
+ - .local/bin
+ - .local/cache
+ - .local/lib
+ - .local/share
+ - .local/src
+ - .local/state
+ - .local/state/zsh
+ - .local/share/gpg
+ install_pkgs:
+ - bash
+ - coreutils
+ - curl
+ - python3-pexpect
+ - git
+ - gnupg
+ - gpg
+ - secure-delete
+ - stow
+ - sudo
+ - tmux
+ - tree
+ - unzip
+ - vim
+ - zsh
+ remove_pkgs:
+ - nano
+ - telnet
+
+ tasks:
+ - name: "forge | install pkgs"
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: latest
+ with_items: "{{ install_pkgs }}"
+
+ - name: "forge | remove pkgs"
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: absent
+ with_items: "{{ remove_pkgs }}"
+
+ - name: "forge | add dwarf user"
+ ansible.builtin.user:
+ name: "{{ username }}"
+ uid: 0
+ group: root
+ shell: "{{ user_shell }}"
+ home: "{{ user_home }}"
+ non_unique: true
+
+ - name: "forge | create home skeleton directories"
+ ansible.builtin.file:
+ name: "{{ user_home }}/{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ with_items: "{{ home_skel }}"
+
+ - name: "forge | clone dotfiles"
+ ansible.builtin.git:
+ repo: "git://git.pyratebeard.net/dotfiles.git"
+ dest: "{{ user_home }}/.local/src/dotfiles"
+ single_branch: true
+ version: main
+
+ - name: "forge | stow dotfiles"
+ args:
+ chdir: "{{ user_home }}/.local/src/dotfiles"
+ remote_user: "{{ username }}"
+ ansible.builtin.command: stow git gpg tmux vim zsh -t {{ user_home|quote }}
+
+ - name: "forge | clone scripts"
+ ansible.builtin.git:
+ repo: "git://git.pyratebeard.net/scripts.git"
+ dest: "{{ user_home }}/.local/src/scripts"
+ single_branch: true
+ version: main
+
+ - name: "forge | stow scripts"
+ args:
+ chdir: "{{ user_home }}/.local/src/scripts"
+ remote_user: "{{ username }}"
+ ansible.builtin.command: stow bin fun -t {{ user_home|quote }}
+
+ - name: "forge | add directory aliases"
+ vars:
+ users:
+ dot:
+ home: "{{ user_home }}/.local/src/dotfiles"
+ src:
+ home: "{{ user_home }}/.local/src/scripts"
+ ansible.builtin.user:
+ name: "{{ item.key }}"
+ shell: /usr/bin/nologin
+ home: "{{ item.value.home }}"
+ loop: "{{ lookup('ansible.builtin.dict', users) }}"
+
+ - name: "forge | set hostname"
+ set_fact:
+ hostname: "{{ lookup('file', '/etc/hostname')|regex_replace('^(\\w+)\\..*', '\\1') }}"
+ tags: hostname
+
+ - name: "forge | set domain"
+ set_fact:
+ domain: "{{ lookup('file', '/etc/hostname')|regex_replace('^\\w+\\.(.*)', '\\1') }}"
+ tags: hostname
+
+ - debug:
+ msg: "{{ hostname }} and {{ domain }}"
+ tags: hostname
+
+ - name: "forge | download ssh ca keys"
+ vars:
+ ssh_ca:
+ userca_pub:
+ key: "{{ lookup('community.general.bitwarden', 'userca.pub', field='notes') }}"
+ dest: "userca.pub"
+ mode: "0644"
+ hostca_pub:
+ key: "{{ lookup('community.general.bitwarden', 'hostca-' + domain + '.pub', field='notes') }}"
+ dest: "hostca-key.pub"
+ mode: "0644"
+ hostca:
+ key: "{{ lookup('community.general.bitwarden', 'hostca-' + domain, field='notes') }}"
+ dest: "hostca-{{ domain }}"
+ mode: "0600"
+ ansible.builtin.copy:
+ content: "{{ item.value.key[0] }}"
+ dest: "/etc/ssh/{{ item.value.dest }}"
+ mode: "{{ item.value.mode }}"
+ loop: "{{ lookup('ansible.builtin.dict', ssh_ca) }}"
+
+ - name: "forge | self-sign host key"
+ vars:
+ hostca_key_passphrase: "{{ lookup('community.general.bitwarden', 'hostca-' + domain + '-passphrase', field='password') }}"
+ ansible.builtin.expect:
+ command: ssh-keygen -s /etc/ssh/hostca-{{ domain }} -h -I {{ hostname }}@{{ domain }} -n {{ hostname }}.{{ domain }},{{ hostname }} /etc/ssh/ssh_host_ed25519_key.pub
+ responses:
+ Enter passphrase: "{{ hostca_key_passphrase }}"
+ no_log: true
+
+ - name: "forge | deploy ssh config"
+ ansible.builtin.template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload sshd
+
+ handlers:
+ - name: reload sshd
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
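Review bot: The "download ssh ca keys" task (L293-L312) has neither `no_log` nor a `loop_control` label, so the loop item — which carries the private host CA key fetched from Bitwarden — is printed in the task result and in any failure message; add `no_log: true` and `loop_control:` / `  label: "{{ item.key }}"` after the `loop:` line. The `ssh-keygen` command at L318 dropped the `-V +52w` validity the old script used (forge L129), so the host certificate never expires; restore `-V +52w`. The handler is named "reload sshd" but uses `state: restarted` (L336), which drops active sessions on every config change; `state: reloaded` matches both the name and the old `systemctl reload sshd`, and the template task at L324 should carry `validate: "/usr/sbin/sshd -t -f %s"` so a bad render cannot lock root out. The `\\w+` regexes at L281 and L286 do not match hyphens, so a hostname such as `web-01.example.net` leaves both facts set to the full string; `lookup('file', '/etc/hostname').split('.')[0]` and `split('.')[1:] | join('.')` are more robust. The two `ansible.builtin.git` tasks clone over `git://` with `version: main`, and `remote_user` at L250/L263 is a connection setting that has no effect under `become: true` — `become_user: "{{ username }}"` is what the old `sudo -u dwarf` mapped to.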
diff --git a/sshd_config.j2 b/sshd_config.j2
@@ -0,0 +1,126 @@
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+
+TrustedUserCAKeys /etc/ssh/userca.pub
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+AllowUsers dwarf
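Review bot: `Include /etc/ssh/sshd_config.d/*.conf` at L350 comes before every hardening directive, and sshd uses the first value it obtains for each keyword, so any drop-in in that directory (a distribution or cloud-init file setting `PasswordAuthentication yes`, for example) silently overrides `PasswordAuthentication no` at L398 and `PermitRootLogin prohibit-password` at L374; either have the playbook empty or manage that directory or move the `Include` after the settings it must not override. `AllowUsers dwarf` at L464 and `TrustedUserCAKeys /etc/ssh/userca.pub` at L362 are hard-coded although the playbook already defines `username` and the CA file name; `AllowUsers {{ username }}` keeps the template and the user task in step. The file starts with an empty line at L339 that the template will reproduce; it can be dropped.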