moved ssh to cert based

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2025-03-25 01:09:08 +01:00
parent 924e4a2f92
commit 56f058c254
21 changed files with 160 additions and 87 deletions
--- a/roles/common/files/ssh/vault-ca.pub
+++ b/roles/common/files/ssh/vault-ca.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -10,8 +10,7 @@

 - name: Copy pubkey
  ansible.builtin.copy:
-    content: "{{ pubkey }}"
-    dest: "/home/{{ user }}/.ssh/authorized_keys"
-    owner: "{{ user }}"
-    group: "{{ user }}"
+    src: files/ssh/vault-ca.pub
+    dest: "/etc/ssh/vault-ca.pub"
    mode: "644"
+  become: true
--- a/roles/common/templates/ssh/sshd_config
+++ b/roles/common/templates/ssh/sshd_config
@@ -1,4 +1,3 @@
-Include /etc/ssh/sshd_config.d/*.conf
 Protocol 2
 PermitRootLogin no
 MaxAuthTries 3
@@ -13,6 +12,7 @@ X11Forwarding no
 PrintMotd no
 TCPKeepAlive no
 ClientAliveCountMax 2
+TrustedUserCAKeys /etc/ssh/vault-ca.pub
 UseDNS yes
 AcceptEnv LANG LC_*
 Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/roles/proxmox_vm/tasks/create_vm.yml
+++ b/roles/proxmox_vm/tasks/create_vm.yml
@@ -0,0 +1,7 @@
+---
+# - name: Create VM
+#   community.general.proxmox:
+#     api_host: "{{ api_host }}"
+#     api_user: "{{ api_user }}"
+#     api_password: "{{ vault.proxmox.api_password }}"
+#     node: "{{  }}"
--- a/roles/proxmox_vm/tasks/get_info.yml
+++ b/roles/proxmox_vm/tasks/get_info.yml
@@ -0,0 +1,11 @@
+---
+- name: List existing nodes
+  community.general.proxmox_node_info:
+    api_host: "{{ proxmox_api_host }}"
+    api_user: "{{ proxmox_api_user }}@pam"
+    api_password: "{{ proxmox_api_password }}"
+  register: proxmox_nodes
+
+- name: Print info
+  ansible.builtin.debug:
+    msg: "{{ proxmox_nodes }}"
--- a/roles/proxmox_vm/tasks/main.yml
+++ b/roles/proxmox_vm/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Get info
+  ansible.builtin.include_tasks: get_info.yml
+# - name: Create vm
+#   ansible.builtin.include_tasks: create_vm.yml
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -10,7 +10,7 @@
 {% if http_port %}
 {{ service.name }}.{{ domain }} {
    {% for vm in service.vm %}
-    reverse_proxy {{ hostvars[vm].ansible_host }}:{{ http_port[0] }}
+    reverse_proxy {{ hostvars[vm].host.ip }}:{{ http_port[0] }}
    {% endfor %}
    log {
        output file /var/log/caddy/{{ service.name }}.log
				`@@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==