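---
# Provisions a throw-away Vagrant box for the net-ssh integration tests.
#
# SECURITY POSTURE: this play deliberately weakens the guest so the suite can
# exercise password, keyboard-interactive and certificate authentication plus
# TCP forwarding: fixed test accounts with committed password hashes,
# passwordless sudo, PasswordAuthentication/GatewayPorts enabled and sshd at
# LogLevel DEBUG. Run it only against a disposable VM on a host-only network;
# never reuse these settings or credentials on a reachable host.
#
# Fixes relative to the previous revision:
#   * TLS certificate verification is no longer disabled for the OpenSSL and
#     OpenSSH source downloads; optional SHA-256 pins were added.
#   * The build toolchain is installed in pre_tasks, before the OpenSSL build
#     that needs it (tasks run after pre_tasks and roles).
#   * The OpenSSL-1.1 OpenSSH build command was broken by nested double
#     quotes (the `&& make && make install` part ended up as $0 of `sh -c`);
#     all build steps now use the shell module with proper quoting.
#   * net_ssh_2's sudo rule landed in net_ssh_1's sudoers.d fragment; every
#     sudoers/sshd_config edit is now validated before being installed.
- hosts: all
  become: true
  vars:
    no_rvm: false
    myuser: vagrant
    mygroup: vagrant
    homedir: /home/vagrant
    # Ruby whose presence is probed to decide whether the rvm role must run.
    ruby_version: '2.7.7'
    # Rubies too old for OpenSSL 3; built against the OpenSSL 1.1 tree below.
    ruby_versions_ssl1:
      - '2.6.10'
      - '2.7.7'
      - '3.0.5'
    # NOTE(review): not referenced anywhere in this play; kept so callers
    # that override it keep working.
    ruby_versions:
      - '3.2.1'
      - '3.1.3'
    rvm_install_path: '/usr/local/rvm'
    # crypt(3) SHA-512 hashes of the fixed passwords used by the integration
    # tests. They are fixtures, not secrets - do not reuse these accounts or
    # passwords outside the test VM.
    foopwd: "$6$mhOzf/yapZwS$3RwDl4GfWZ5VcfcsHrK9xNNTxyzLOJBsmMttDNaegIbXxMahV86.v/5HsNtit16MEl0EFf5CSW8Dz2yXV.8GB0"
    foo2pwd: "$6$JiB7y7.M0yI$Abt.ZGIc4DwkRWeI6nKxzzPUZcux7hLRXSdpoKoZvswJz1SZyg5GRQWn9pGID0dgC6e4wFglfW6ev/qZoTqGk/"
    openssh_version: '9.3p1'
    # Build the /opt OpenSSH against the OpenSSL 1.1 tree instead of the
    # system OpenSSL. Evaluated with `| bool` so `-e openssh_with_ssl1=true`
    # (a string) behaves as expected.
    openssh_with_ssl1: false
    # Optional SHA-256 pins for the source tarballs (hex digest, no prefix).
    # Empty disables the digest check; TLS certificate verification is always
    # on regardless. Fill these in to make the build reproducible and
    # tamper-evident.
    openssl_src_sha256: ''
    openssh_src_sha256: ''
  pre_tasks:
    - name: Get currently installed ruby version
      command: "{{rvm_install_path}}/rubies/ruby-{{ruby_version}}/bin/ruby -e 'puts \"#{RUBY_VERSION}\"'"
      register: current_ruby_version
      ignore_errors: true
      changed_when: false
    - name: Check system OpenSSL version
      shell: openssl version
      register: openssl_version_query
      ignore_errors: true
      changed_when: false
    # The OpenSSL 1.1.1 build below compiles from source, so the toolchain
    # must be present before it runs.
    - name: Install build toolchain
      apt:
        pkg:
          - libssl-dev
          - build-essential
        state: present
    # OpenSSL 1.1.1 is end-of-life and 1.1.1g predates the branch's later
    # security fixes. It is built ONLY to link the legacy rubies listed in
    # ruby_versions_ssl1 and lives under /opt, off the system library path.
    # Skipped unless the system OpenSSL is 3.x (where those rubies cannot
    # build against the system library).
    - name: Install openssl-1.1.1g
      block:
        - name: Download openssl-1.1.1g sources
          get_url:
            # NOTE(review): openssl.org may relocate old releases (e.g. under
            # source/old/); adjust the URL if this starts returning 404.
            url: https://www.openssl.org/source/openssl-1.1.1g.tar.gz
            dest: /tmp/openssl-1.1.1g.tar.gz
            checksum: "{{ ('sha256:' ~ openssl_src_sha256) if openssl_src_sha256 else omit }}"
        - name: Unpack openssl-1.1.1g sources
          unarchive:
            src: /tmp/openssl-1.1.1g.tar.gz
            dest: /tmp
            remote_src: true
        - name: Build and install openssl 1.1
          shell: >-
            ./config --prefix=/opt/openssl-1.1.1g --openssldir=/opt/openssl-1.1.1g &&
            make &&
            make install
          args:
            chdir: /tmp/openssl-1.1.1g
            creates: /opt/openssl-1.1.1g/lib/libssl.so
      when: openssl_version_query.stdout.find('OpenSSL 3.') != -1
  roles:
    - role: rvm.ruby
      tags: ruby
      become: true
      rvm1_user: 'root'
      rvm1_rubies: "{{ ruby_versions_ssl1 }}"
      rvm1_install_path: "{{rvm_install_path}}"
      # Make sure RVM sets itself up so the user has access to it.
      rvm1_install_flags: '--auto-dotfiles'
      rvm1_ruby_install_flags: '--with-openssl-dir=/opt/openssl-1.1.1g'
      # hkps: fetch the RVM signing keys over TLS instead of plaintext HKP.
      rvm1_gpg_key_server: 'hkps://keys.openpgp.org'
      # Only (re)install when the probed ruby is missing, RVM is wanted and the
      # system OpenSSL is 3.x (the case the OpenSSL 1.1 tree exists for).
      when: "current_ruby_version.stdout|default() != ruby_version and not no_rvm and openssl_version_query.stdout.find('OpenSSL 3.') != -1"
  tasks:
    - name: Create test group
      group:
        name: "{{mygroup}}"
        state: present
    - name: Create test account net_ssh_1
      user:
        name: net_ssh_1
        password: "{{foopwd}}"
        group: "{{mygroup}}"
        state: present
    - name: Create test account net_ssh_2
      user:
        name: net_ssh_2
        password: "{{foo2pwd}}"
        group: "{{mygroup}}"
        state: present
    # sshd StrictModes only rejects ~/.ssh when it is group- or world-WRITABLE,
    # so 0740 is accepted; 0700 would be the conventional choice.
    - name: Create .ssh directory for net_ssh_1
      file:
        path: /home/net_ssh_1/.ssh/
        state: directory
        mode: '0740'
        owner: net_ssh_1
    - name: Create .ssh directory for net_ssh_2
      file:
        path: /home/net_ssh_2/.ssh/
        state: directory
        mode: '0740'
        owner: net_ssh_2
    # Passwordless root via sudo for the test accounts (TEST FIXTURE). Each
    # account gets its own sudoers.d fragment, and every write is checked with
    # visudo so a malformed fragment cannot break sudo for the whole box.
    - name: Grant net_ssh_1 passwordless sudo
      lineinfile:
        path: /etc/sudoers.d/net_ssh_1
        line: 'net_ssh_1 ALL=(ALL) NOPASSWD:ALL'
        regexp: '^net_ssh_1 '
        state: present
        create: true
        mode: '0440'
        validate: '/usr/sbin/visudo -cf %s'
    - name: Grant net_ssh_2 passwordless sudo
      lineinfile:
        path: /etc/sudoers.d/net_ssh_2
        line: 'net_ssh_2 ALL=(ALL) NOPASSWD:ALL'
        regexp: '^net_ssh_2 '
        state: present
        create: true
        mode: '0440'
        validate: '/usr/sbin/visudo -cf %s'
    # A private OpenSSH build under /opt/net-ssh-openssh is used by the
    # forwarding tests. Downloaded over verified TLS; pin openssh_src_sha256
    # to also check the tarball digest.
    - name: Download openssh {{openssh_version}} sources
      get_url:
        url: "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-{{openssh_version}}.tar.gz"
        dest: "/tmp/openssh-{{openssh_version}}.tar.gz"
        checksum: "{{ ('sha256:' ~ openssh_src_sha256) if openssh_src_sha256 else omit }}"
    - name: Unpack openssh {{openssh_version}} sources
      unarchive:
        src: "/tmp/openssh-{{openssh_version}}.tar.gz"
        dest: /tmp
        remote_src: true
    # The ldflags value is single-quoted on purpose: nested double quotes here
    # previously split the command so that configure ran without the -L flag
    # and `make`/`make install` never executed.
    - name: Build and install openssh {{openssh_version}} with OpenSSL 1 (used in forward test)
      shell: >-
        LD_LIBRARY_PATH=/opt/openssl-1.1.1g/lib
        ./configure --prefix=/opt/net-ssh-openssh
        --with-ssl-dir=/opt/openssl-1.1.1g
        --with-ldflags='-fcommon -L/opt/openssl-1.1.1g/lib' &&
        make &&
        make install
      args:
        chdir: "/tmp/openssh-{{openssh_version}}/"
        creates: /opt/net-ssh-openssh
      when: openssh_with_ssl1 | bool
    - name: Build and install openssh {{openssh_version}} (used in forward test)
      shell: >-
        ./configure --prefix=/opt/net-ssh-openssh &&
        make &&
        make install
      args:
        chdir: "/tmp/openssh-{{openssh_version}}/"
        creates: /opt/net-ssh-openssh
      when: not (openssh_with_ssl1 | bool)
    # The /opt build shares the system sshd configuration and host keys.
    - name: Drop installed openssh etc/ in favor of symlink
      file:
        state: absent
        path: /opt/net-ssh-openssh/etc
    - name: Create symlink between system etc/ssh/ and our etc/
      file:
        src: /etc/ssh
        dest: /opt/net-ssh-openssh/etc
        state: link
    - name: Generate missing host keys
      command: ssh-keygen -A
      args:
        creates: /etc/ssh/ssh_host_ed25519_key
      notify: restart sshd
    # sshd_config edits. All of them are validated with `sshd -t` before being
    # written so a bad directive cannot lock the box out of SSH.
    # NOTE(review): lineinfile appends new directives at end of file. sshd
    # honours the FIRST occurrence of a keyword, so a value set earlier (for
    # example via an `Include sshd_config.d/*.conf` at the top of the file, as
    # Debian/Ubuntu ship) silently wins over these appended lines, and a
    # trailing `Match` block would swallow them. Verify with `sshd -T`.
    - name: sshd debug logging (TEST ONLY - debug logs are verbose and may expose session details)
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'LogLevel DEBUG'
        regexp: LogLevel
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    # ChallengeResponseAuthentication is a deprecated alias of
    # KbdInteractiveAuthentication in OpenSSH 8.7+; it is still accepted.
    - name: sshd allow keyboard-interactive authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'ChallengeResponseAuthentication yes'
        regexp: '^ChallengeResponseAuthentication.+'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    # Unencrypted user-CA key (TEST FIXTURE): anything signed by it is accepted
    # by this sshd for the principals in the certificate. Keep it on the VM.
    - name: Generate test user CA key
      command: ssh-keygen -f /etc/ssh/users_ca -N ''
      args:
        creates: /etc/ssh/users_ca.pub
      notify: restart sshd
    - name: sshd cert auth
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'TrustedUserCAKeys /etc/ssh/users_ca.pub'
        regexp: '^#?TrustedUserCAKeys'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: sshd allow TCP forwarding
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'AllowTcpForwarding all'
        regexp: AllowTcpForwarding
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    # GatewayPorts yes lets remote forwards bind on all interfaces - any port a
    # test forwards becomes reachable from every network the VM is attached to.
    - name: sshd allow remote forwards to bind non-loopback
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'GatewayPorts yes'
        regexp: GatewayPorts
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Disable X11 forwarding
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'X11Forwarding no'
        regexp: X11Forwarding
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    # Two steps: first neutralise an existing "PasswordAuthentication no" by
    # commenting it out, then set the directive to yes (the second regexp also
    # matches the commented line, so the result is a single active line).
    - name: sshd comment out any PasswordAuthentication no
      lineinfile:
        path: /etc/ssh/sshd_config
        line: '#PasswordAuthentication no'
        regexp: '#?PasswordAuthentication.+no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: sshd allow password authentication (TEST ONLY)
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'PasswordAuthentication yes'
        regexp: PasswordAuthentication
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Put NET_SSH_RUN_INTEGRATION_TESTS=YES in the environment
      lineinfile:
        path: /etc/environment
        line: 'NET_SSH_RUN_INTEGRATION_TESTS=YES'
    - name: Change dir in bashrc
      lineinfile:
        path: "{{homedir}}/.bashrc"
        owner: "{{myuser}}"
        mode: '0644'
        regexp: '^cd '
        line: 'cd /net-ssh'
    - name: Add host alias gateway.netssh
      lineinfile:
        path: /etc/hosts
        owner: root
        group: root
        mode: '0644'
        regexp: '^127\.0\.0\.1\s+gateway.netssh'
        line: '127.0.0.1 gateway.netssh'
    - name: Add host alias one.hosts.netssh
      lineinfile:
        path: /etc/hosts
        owner: root
        group: root
        mode: '0644'
        regexp: '^127\.0\.0\.1\s+one.hosts.netssh'
        line: '127.0.0.1 one.hosts.netssh'
    - name: Update APT cache
      apt:
        update_cache: true
        force_apt_get: true
    # NOTE(review): unbounded wait; a stuck unattended-upgrades run will hang
    # the play here rather than fail it.
    - name: Wait for dpkg lock release
      shell: while fuser /var/lib/dpkg/lock /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do sleep 5; done;
      changed_when: false
    - name: Install test dependencies
      apt:
        pkg:
          - pv
          - libgmp3-dev
          - git
          - libssl-dev
        state: present
    - name: Print test hint in the login MOTD
      copy:
        content: 'echo "cd /net-ssh ; rake integration-test"'
        dest: /etc/update-motd.d/99-net-ssh-tests
        mode: '0755'
    - name: Add user to rvm group so they can change gem wrappers
      user:
        name: "{{myuser}}"
        groups: rvm
        append: true
      when: "not no_rvm"
  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted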