From ff92d88583f1fe6c18759d40af8f578519cedb3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com>
Date: Thu, 10 Jun 2021 05:13:28 +0200
Subject: [PATCH] Add GitLab sshd config and disable ipv6
---
 README.md | 3 ++-
 tasks/main.yml | 7 +++++++
 templates/sshd_config.j2 | 5 ++++-
 vars/RedHat.yml | 2 +-
 vars/main.yml | 4 ++++
 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6512762..b861bd0 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ This role initializes a server with the following actions :
 Requirements
 ------------
-This role mostly uses ansible.builtin module but also authorized_key from ansible.posix collection
+This role mostly uses mainly ansible.builtin modules but also authorized_key and sysctl from ansible.posix collection
 Role Variables
 --------------
@@ -34,6 +34,7 @@ Variables from vars directory (OS specific):
 * users_to_remove : list of users to remove from default delivered servers
 * Global :
 * default_ssh_public_keys : ssh_public_key + extra_public_key (if exists)
+ * sysctl_disable_ipv6_keys : sysctl entries to activate to disable ipv6
 This role also makes use of variables gathered from facts :
 * ansible_os_family : Family of Operating System (Debian or RedHat)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a2911a..a828a19 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -156,6 +156,13 @@ export TMOUT
 when: ansible_os_family == "RedHat"
+- name: disable ipv6
+ sysctl:
+ name: "{{ item }}"
+ value: '1'
+ sysctl_set: true
+ with_items: "{{ sysctl_disable_ipv6_keys }}"
+
 - name: Check if backup servers present in root known hosts
 lineinfile:
 path: /root/.ssh/known_hosts
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index a2279e3..e491820 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
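Review bot: The new `disable ipv6` task calls the module by its short name `sysctl:` while the README change in this same patch states that sysctl comes from the ansible.posix collection; with ansible-core the short name only resolves through the collection redirect, so `ansible.posix.sysctl:` would make that dependency explicit and consistent with the README. The task is also unconditional for every host and would fail on a system booted with the kernel parameter `ipv6.disable=1`, where the `net.ipv6.*` sysctl keys are absent, so a role-level boolean toggle in `when:` would let operators skip it where IPv6 is already off or still needed. `with_items:` could become `loop:` to match current Ansible style. The surrounding task list continues outside the hunk.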
@@ -10,6 +10,9 @@ LogLevel VERBOSE
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 PasswordAuthentication no
 PermitRootLogin no
+{% if inventory_hostname in groups.gitlab %}
+Port 22
+{% endif %}
 Port {{ default_sshd_port }}
 PrintMotd no
 Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
@@ -25,5 +28,5 @@ Match Group sftpgroup
 GatewayPorts no
 X11Forwarding no
 {% else %}
-AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %}
+AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %}{% if inventory_hostname in groups.gitlab %} git{% endif %}
 {% endif %}
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 01eedb5..1fb5304 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -2,4 +2,4 @@ packages_to_remove: []
 files_to_remove: []
 users_to_remove:
-- zabbix
+ - zabbix
diff --git a/vars/main.yml b/vars/main.yml
index 7237f73..9fbbd86 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,6 @@
 ---
 default_ssh_public_keys: "{{ ssh_public_key }}{% if extra_public_key is defined %} \n {{ extra_public_key }}{% endif %}"
+sysctl_disable_ipv6_keys:
+ - net.ipv6.conf.all.disable_ipv6
+ - net.ipv6.conf.default.disable_ipv6
+ - net.ipv6.conf.lo.disable_ipv6
-- 
GitLab
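Review bot: `groups.gitlab` on the added `{% if %}` line is undefined whenever the inventory has no `gitlab` group, and under Ansible's default strict undefined handling the `in` test then aborts rendering of sshd_config for every host, not only GitLab ones; the same expression is repeated in the AllowUsers hunk below. `{% if 'gitlab' in group_names %}` reads the same and does not depend on the group existing. Separately, if `default_sshd_port` can itself be 22 the block emits two identical `Port 22` directives; where that combination is possible, `{% if 'gitlab' in group_names and default_sshd_port | int != 22 %}` avoids it.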
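Review bot: `sysctl_disable_ipv6_keys` is introduced in `vars/main.yml`, where role vars take precedence over inventory, host_vars, group_vars and play vars, so an operator cannot trim or empty the list to keep IPv6 on a particular host without resorting to extra-vars; `defaults/main.yml` is the conventional place for a list that is meant to be tunable. The README entry added in this patch presents it as a role variable, which suggests that tunability is intended.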