--- - hosts: all become: true vars: no_rvm: no myuser: vagrant mygroup: vagrant homedir: /home/vagrant ruby_version: '2.7.7' ruby_versions_ssl1: - '2.6.10' - '2.7.7' - '3.0.5' ruby_versions: - '3.2.1' - '3.1.3' rvm_install_path: '/usr/local/rvm' foopwd: "$6$mhOzf/yapZwS$3RwDl4GfWZ5VcfcsHrK9xNNTxyzLOJBsmMttDNaegIbXxMahV86.v/5HsNtit16MEl0EFf5CSW8Dz2yXV.8GB0" foo2pwd: "$6$JiB7y7.M0yI$Abt.ZGIc4DwkRWeI6nKxzzPUZcux7hLRXSdpoKoZvswJz1SZyg5GRQWn9pGID0dgC6e4wFglfW6ev/qZoTqGk/" openssh_version: '9.3p1' openssh_with_ssl1: False pre_tasks: - name: get currently installed ruby version command: "{{rvm_install_path}}/rubies/ruby-{{ruby_version}}/bin/ruby -e 'puts \"#{RUBY_VERSION}\"'" register: current_ruby_version ignore_errors: true - name: check openssl version shell: "openssl version" ignore_errors: true register: openssl_version_query - name: Install openssl-1.1.1g block: - name: "Download openssl-1.1.1g sources" unarchive: src: https://www.openssl.org/source/openssl-1.1.1g.tar.gz dest: /tmp remote_src: True validate_certs: False - name: Install openssl 1.1 command: sh -c "./config --prefix=/opt/openssl-1.1.1g --openssldir=/opt/openssl-1.1.1g && make && sudo make install" args: chdir: /tmp/openssl-1.1.1g creates: /opt/openssl-1.1.1g/lib/libssl.so when: openssl_version_query.stdout.find('OpenSSL 3.') != -1 roles: - { role: rvm.ruby, tags: ruby, become: true, rvm1_user: 'root', rvm1_rubies: "{{ ruby_versions_ssl1 }}", rvm1_install_path: "{{rvm_install_path}}", rvm1_install_flags: '--auto-dotfiles', # Make sure RVM sets itself up so the user has access to it rvm1_ruby_install_flags: '--with-openssl-dir=/opt/openssl-1.1.1g', rvm1_gpg_key_server: 'hkp://keys.openpgp.org', when: "current_ruby_version.stdout|default() != ruby_version and not no_rvm and openssl_version_query.stdout.find('OpenSSL 3.') != -1" } tasks: - name: Install packages apt: pkg: - libssl-dev - build-essential - group: name="{{mygroup}}" state=present - user: name=net_ssh_1 password="{{foopwd}}" group="{{mygroup}}" state=present - user: name=net_ssh_2 password="{{foo2pwd}}" group="{{mygroup}}" state=present - file: dest=/home/net_ssh_1/.ssh/ state=directory mode=0740 owner=net_ssh_1 - file: dest=/home/net_ssh_2/.ssh/ state=directory mode=0740 owner=net_ssh_2 - lineinfile: dest=/etc/sudoers.d/net_ssh_1 mode=0440 state=present create=yes line='net_ssh_1 ALL=(ALL) NOPASSWD:ALL' regexp=net_ssh_1 - lineinfile: dest=/etc/sudoers.d/net_ssh_1 mode=0440 state=present create=yes line='net_ssh_2 ALL=(ALL) NOPASSWD:ALL' regexp=net_ssh_2 - unarchive: src: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-{{openssh_version}}.tar.gz dest: /tmp remote_src: True validate_certs: False - name: building and installing openssh {{openssh_version}} with OpenSSL 1 (used in forward test) command: sh -c "LD_LIBRARY_PATH=/opt/openssl-1.1.1g/lib ./configure --prefix=/opt/net-ssh-openssh --with-ssl-dir=/opt/openssl-1.1.1g --with-ldflags="-fcommon -L/opt/openssl-1.1.1g/lib" && make && sudo make install" args: chdir: /tmp/openssh-{{openssh_version}}/ creates: /opt/net-ssh-openssh when: openssh_with_ssl1 == True - name: building and installing openssh {{openssh_version}} (used in forward test) command: sh -c "./configure --prefix=/opt/net-ssh-openssh && make && sudo make install" args: chdir: /tmp/openssh-{{openssh_version}}/ creates: /opt/net-ssh-openssh when: openssh_with_ssl1 != True - name: drop installed openssh etc/ in favor of symlink file: state: absent path: /opt/net-ssh-openssh/etc - name: creating symlink between system etc/ssh/ and our etc/ file: src: /etc/ssh dest: /opt/net-ssh-openssh/etc state: link - command: ssh-keygen -A args: creates: /etc/ssh/ssh_host_ed25519_key notify: restart sshd - name: sshd debug lineinfile: dest='/etc/ssh/sshd_config' line='LogLevel DEBUG' regexp=LogLevel notify: restart sshd - name: sshd allow interactive lineinfile: dest='/etc/ssh/sshd_config' line='ChallengeResponseAuthentication yes' regexp='^ChallengeResponseAuthentication.+' notify: restart sshd - command: ssh-keygen -f /etc/ssh/users_ca -N '' args: creates: /etc/ssh/users_ca.pub notify: restart sshd - name: sshd cert auth lineinfile: dest='/etc/ssh/sshd_config' line='TrustedUserCAKeys /etc/ssh/users_ca.pub' notify: restart sshd - name: sshd allow forward lineinfile: dest='/etc/ssh/sshd_config' line='AllowTcpForwarding all' regexp=AllowTcpForwarding notify: restart sshd - name: sshd allow forward lineinfile: dest='/etc/ssh/sshd_config' line='GatewayPorts yes' regexp=GatewayPorts notify: restart sshd - name: disable x11 forward lineinfile: dest='/etc/ssh/sshd_config' line='X11Forwarding no' regexp=X11Forwarding notify: restart sshd - name: sshd allow forward lineinfile: dest='/etc/ssh/sshd_config' line='#PasswordAuthentication no' regexp='#?PasswordAuthentication.+no' notify: restart sshd - name: sshd allow forward lineinfile: dest='/etc/ssh/sshd_config' line='PasswordAuthentication yes' regexp=PasswordAuthentication notify: restart sshd - name: put NET_SSH_RUN_INTEGRATION_TESTS=YES environment lineinfile: dest='/etc/environment' line='NET_SSH_RUN_INTEGRATION_TESTS=YES' - name: change dir in bashrc lineinfile: dest="{{homedir}}/.bashrc" owner="{{myuser}}" mode=0644 regexp='^cd ' line='cd /net-ssh' - name: add host aliases1 lineinfile: dest='/etc/hosts' owner='root' group='root' mode=0644 regexp='^127\.0\.0\.1\s+gateway.netssh' line='127.0.0.1 gateway.netssh' - name: add host aliases2 lineinfile: dest='/etc/hosts' owner='root' group='root' mode=0644 regexp='^127\.0\.0\.1\s+one.hosts.netssh' line='127.0.0.1 one.hosts.netssh' - name: Update APT Cache apt: update_cache: yes force_apt_get: yes - name: Wait for locfile removal become: yes shell: while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep 5; done; - name: Install packages apt: pkg: - pv - libgmp3-dev - git - libssl-dev state: present - copy: content='echo "cd /net-ssh ; rake integration-test"' dest=/etc/update-motd.d/99-net-ssh-tests mode=0755 - name: add user to rvm group so they can change gem wrappers user: name: "{{myuser}}" groups: rvm append: yes when: "not no_rvm" handlers: - name: restart sshd service: name=ssh state=restarted