Commit ff92d885 authored by Rémi - Le Filament

Add GitLab sshd config and disable ipv6

parent d1bc846e
...@@ -12,7 +12,7 @@ This role initializes a server with the following actions : ...@@ -12,7 +12,7 @@ This role initializes a server with the following actions :
Requirements Requirements
------------ ------------
This role mostly uses ansible.builtin module but also authorized_key from ansible.posix collection This role mostly uses mainly ansible.builtin modules but also authorized_key and sysctl from ansible.posix collection
Role Variables Role Variables
-------------- --------------
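Review bot: the new Requirements sentence reads "mostly uses mainly ansible.builtin modules", which doubles the qualifier; keep one of "mostly" or "mainly". Since the tasks hunk calls the module as plain `sysctl:`, the README should also state explicitly that the `ansible.posix` collection has to be installed on the controller for both `authorized_key` and `sysctl` to resolve.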
...@@ -34,6 +34,7 @@ Variables from vars directory (OS specific): ...@@ -34,6 +34,7 @@ Variables from vars directory (OS specific):
* users_to_remove : list of users to remove from default delivered servers * users_to_remove : list of users to remove from default delivered servers
* Global : * Global :
* default_ssh_public_keys : ssh_public_key + extra_public_key (if exists) * default_ssh_public_keys : ssh_public_key + extra_public_key (if exists)
* sysctl_disable_ipv6_keys : sysctl entries to activate to disable ipv6
This role also makes use of variables gathered from facts : This role also makes use of variables gathered from facts :
* ansible_os_family : Family of Operating System (Debian or RedHat) * ansible_os_family : Family of Operating System (Debian or RedHat)
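Review bot: the description of `sysctl_disable_ipv6_keys` ("sysctl entries to activate to disable ipv6") undersells what the role does: the task sets every listed key to `1` on every host with no variable to opt out, and the value is hard-coded in the task while this list only names the keys. Suggest wording such as "sysctl keys that the role sets to 1 on all hosts to disable IPv6" so a consumer knows the effect before running it.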
...@@ -156,6 +156,13 @@ ...@@ -156,6 +156,13 @@
export TMOUT export TMOUT
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- name: disable ipv6
sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
with_items: "{{ sysctl_disable_ipv6_keys }}"
- name: Check if backup servers present in root known hosts - name: Check if backup servers present in root known hosts
lineinfile: lineinfile:
path: /root/.ssh/known_hosts path: /root/.ssh/known_hosts
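Review bot: the `disable ipv6` task runs unconditionally, unlike the task right above it which is guarded by `when: ansible_os_family == "RedHat"`; if that is intended, a boolean variable to skip it would make the role safer to reuse, because disabling IPv6 system-wide breaks anything bound to an IPv6 address. Use the fully qualified name `ansible.posix.sysctl` (the README says the module comes from `ansible.posix`) and `loop:` rather than `with_items:`. Note that with its defaults the module writes the key to /etc/sysctl.conf and reloads, so the setting persists across reboots; `sysctl_set: true` additionally sets the running value, which is what makes it take effect immediately.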
...@@ -10,6 +10,9 @@ LogLevel VERBOSE ...@@ -10,6 +10,9 @@ LogLevel VERBOSE
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
PasswordAuthentication no PasswordAuthentication no
PermitRootLogin no PermitRootLogin no
{% if inventory_hostname in groups.gitlab %}
Port 22
{% endif %}
Port {{ default_sshd_port }} Port {{ default_sshd_port }}
PrintMotd no PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
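Review bot: `groups.gitlab` raises an undefined-variable error on any inventory that has no `gitlab` group, so the template stops rendering for inventories without GitLab; guard it with `{% if 'gitlab' in groups and inventory_hostname in groups['gitlab'] %}` (the AllowUsers line in the next hunk has the same problem). When `default_sshd_port` is itself 22 the template emits `Port 22` twice; either skip the block in that case or document that `default_sshd_port` must differ from 22 on GitLab hosts. A short comment in the template saying that port 22 is opened for git-over-SSH would also help, since a second listening port on an otherwise hardened sshd is easy to misread as a mistake.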
...@@ -25,5 +28,5 @@ Match Group sftpgroup ...@@ -25,5 +28,5 @@ Match Group sftpgroup
GatewayPorts no GatewayPorts no
X11Forwarding no X11Forwarding no
{% else %} {% else %}
AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %} AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %}{% if inventory_hostname in groups.gitlab %} git{% endif %}
{% endif %} {% endif %}
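Review bot: the `git` user name is hard-coded here while every other allowed user comes from a variable; consider a variable (for example a `gitlab_ssh_user` default) so the template matches the account GitLab actually uses. Same `groups.gitlab` undefined-group concern as in the Port block above. Also note that `AllowUsers` is not per-port: `git` is accepted on both port 22 and `{{ default_sshd_port }}`, and the regular users on port 22 as well; if the intent is port 22 for git only, that needs a `Match LocalPort 22` block with its own `AllowUsers git`.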
--- ---
default_ssh_public_keys: "{{ ssh_public_key }}{% if extra_public_key is defined %} \n {{ extra_public_key }}{% endif %}" default_ssh_public_keys: "{{ ssh_public_key }}{% if extra_public_key is defined %} \n {{ extra_public_key }}{% endif %}"
sysctl_disable_ipv6_keys:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
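Review bot: `all` and `default` are the right pair (existing interfaces plus interfaces created later), but `net.ipv6.conf.lo.disable_ipv6` removes ::1, which breaks any local service or client configured to use it; if that is intended, say so in the README entry for this variable. Because this list lives in the role's vars/ directory next to `default_ssh_public_keys`, it takes precedence over inventory and group_vars, so a consumer cannot trim the list without editing the role; if it should be tunable, move it to defaults/.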