Pierre-Yves Chibon
00804542f3
Revert "basessh/distgit: adjust the way ssh is configured for distgit"
This is still being reviewed and wasn't meant to be pushed out yet
This reverts commit 67844b4504.
2021-04-03 19:10:54 +02:00
Pierre-Yves Chibon
67844b4504
basessh/distgit: adjust the way ssh is configured for distgit
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the actions a user/key can do: command="...".
In this case, we're setting a couple of environment variables that
are needed later on for things to work properly, as well as only
allowing the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2021-04-03 19:01:38 +02:00
Kevin Fenzi
ddbda78af2
basessh: should be an else here
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-03-29 21:13:48 -07:00
Kevin Fenzi
a1121be991
basessh / pagure: undo change to everyone using git user, as we are not doing this now
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-03-29 20:57:58 -07:00
Pierre-Yves Chibon
a3677b36a1
distgit: start working on moving dist-git to use git@ for ssh
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2021-03-01 13:16:18 +01:00
Kevin Fenzi
68ae773dc6
basessh: in stg setup sssd/ipa to handle ssh keys
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-01-18 15:51:28 -08:00
Kevin Fenzi
bfc5675848
basessh: it's pagure02
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-04 15:19:52 -08:00
Kevin Fenzi
9fba0f7ff4
basessh: revert new ed25519 key on pagure.io as well
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-04 15:17:09 -08:00
Kevin Fenzi
84a7bbe56e
basessh: do not add new host key on pkgs01*
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 16:32:52 -08:00
Kevin Fenzi
07d908dfc5
basessh: enable ed25519 ssh host keys everywhere
For newer ssh (in fedora) we need to have certs that are not using
sha-1. So, we need to regenerate the certs signed by our CA with sha256.
While we are at it, enable the ed25519 host keys as rsa keys are
increasingly in disfavor.
So, old ssh will use the old rsa host certs that are sha1 for now, but
new ssh will use the sha256 signed ed25519 certs. If everything works
fine for a while, we can resign the rsa host keys also and totally get
rid of the sha1 certs.
Since both host keys are signed by our CA, they should still be just as
trusted as before. If you are asked to approve a new host key for
something, make sure you have our CA in your known_hosts file:
https://admin.fedoraproject.org/ssh_known_hosts
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 15:11:16 -08:00
Kevin Fenzi
925f314af5
basessh: see if we can generate a sha256 cert
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 15:04:51 -08:00
Kevin Fenzi
259a1734ae
bastion02: try resigning and using better host certs.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 14:59:21 -08:00
Stephen Smoogen
d05626d43c
[pagure] put back changes into configs I whacked earlier
2020-04-24 21:34:20 +02:00
Stephen Smoogen
ccaa519dd3
[pkgs]: remove mentions of repospanner so that playbooks will set up things without it
2020-04-24 21:34:20 +02:00
Kevin Fenzi
88e27098a3
basessh: simplify when conditional
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:18 +02:00
c0e2e1dbe9
basessh: fix up check for libselinux python OS version checks
2020-04-24 21:34:14 +02:00
Kevin Fenzi
d535829453
basessh: fix up logic for el8 machines.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:13 +02:00
Kevin Fenzi
2eb26dd5f9
basessh: carefully adjust install so it only fixes rhel8 and changes nothing else for freeze.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:13 +02:00
Kevin Fenzi
50d998849b
basessh: We need these conditions to apply to CentOS as well as RedHat due to maintainer test instances.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:13 +02:00
Kevin Fenzi
81fb4582e7
ansible: change when conditions to use == instead of is when checking strings.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:10 +02:00
Kevin Fenzi
e4222545c1
basessh: Did ansible variable handling change on us?
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:10 +02:00
Kevin Fenzi
b3197a473f
basessh: can drop this section now too.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:10 +02:00
Kevin Fenzi
a562b8a3f8
ansible_distribution_version: address FIXME's/review tweaks.
download: mod_limitipconn isn't used anymore, dropped the entire line.
transient_cloud: just dropped the dnf part and use 'package' entirely.
sshd_config: UsePrivilegeSeparation isn't used in Fedora at all.
koji_hub: no fedora or rhel8 hubs yet, so just 7 is fine for now.
openvpn: changes look ok
packages3: Should get cverna to review, packages is using fedora now.
varnish: no rhel8 varnish servers yet.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:10 +02:00
Karsten Hopp
c9ed62ac32
update ansible_distribution_major_version conditionals
Signed-off-by: Karsten Hopp <karsten@redhat.com>
2020-04-24 21:34:10 +02:00
Kevin Fenzi
27929fa58b
basessh: Always run the keygen shell command if needed, even in check mode.
Without this check mode will fail if there's not an old signed copy of the key around.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-04-24 21:34:10 +02:00
Kevin Fenzi
812c4c0f0d
basessh: set the delegate here to localhost
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-07-01 18:18:03 +00:00
Kevin Fenzi
3ed359e343
basessh: do not set python2 here, it should be autodetected.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-07-01 18:06:09 +00:00
Kevin Fenzi
d74c28a2c8
basessh: try and set /usr/bin/python for the delegations to batcave01 for python3 using hosts.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-06-16 20:01:10 +00:00
Karsten Hopp
a713ec2e71
basessh: dnf -> package
2019-06-11 14:55:11 +00:00
Stephen Smoogen
309677ee8a
try to figure out which of the identically named jobs aren't working on grobisplitter
2019-06-01 17:48:43 +00:00
Kevin Fenzi
59e3454683
basessh: Only use useprivseperation on rhel7 and add sftp on koji01
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-04-13 21:56:57 +00:00
Mikolaj Izdebski
3cedc1366b
basessh: Fix libselinux-python installation on Fedora >= 31
2019-04-11 15:24:49 +02:00
Mikolaj Izdebski
6680b25ef8
basessh: Fix conditionals for installing libselinux-python
2019-04-11 15:18:39 +02:00
Kevin Fenzi
41c92c2e9c
Revert "basessh: We need a sftp server for ansible, so switch to the internal one."
This reverts commit 0be4815020.
Instead, we will just switch ansible to scp
2019-04-09 18:42:28 +00:00
Kevin Fenzi
0be4815020
basessh: We need a sftp server for ansible, so switch to the internal one.
The external one won't start if it can't read /etc/ssh/sshd_config
and the internal one is likely faster and better anyhow.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-04-09 18:13:26 +00:00
Kevin Fenzi
321c458292
basessh: switch fedora to use dnf here (since package wants dnf-2)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-04-08 20:59:29 +00:00
Patrick Uiterwijk
5080bfbee2
basessh: sandbox privsep is not supported on el6
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-04-08 19:13:21 +02:00
Patrick Uiterwijk
9b09d4d5d0
basessh: Fix EL6 detection logic
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-04-08 19:11:40 +02:00
Patrick Uiterwijk
27a21881d4
basessh: Make keyhelper explicit
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-04-08 18:56:03 +02:00
Patrick Uiterwijk
4f3c609815
basessh: Migrate sshd config to single template and strengthen ciphers
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-04-08 18:51:31 +02:00
Kevin Fenzi
76789fc3be
basessh: Fedora 30 also has no python3 version of libselinux, add conditionals.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-03-28 16:10:09 +00:00
Kevin Fenzi
abff8931f9
basessh: adjust for package names in rhel8beta
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-02-12 22:14:49 +00:00
Kevin Fenzi
8c5b02c072
Explicitly set Protocol 2 on sshd for pagure.
This doesn't actually change anything for sshd (only proto 2 is default),
However, rkhunter complains about it not setting that explicitly.
So, this is just to get rkhunter to shut up about it.
2018-10-20 19:19:17 +00:00
Patrick Uiterwijk
448b08dfe6
Add keyhelper to pagure.io
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2018-10-11 19:12:08 +02:00
Rick Elrod
f3a72d1039
remove all instances of bkernel01/02
Signed-off-by: Rick Elrod <relrod@redhat.com>
2018-08-22 21:15:17 +00:00
Patrick Uiterwijk
350110f769
Only run date once
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-08-20 17:35:01 +00:00
Patrick Uiterwijk
dcc9aa15d2
Use a date pipe lookup, since sometime ansible_date_Time seems to be undefined...
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-08-20 17:33:42 +00:00
Patrick Uiterwijk
7cce79de07
Also integer-ize the epoch
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-08-16 17:42:17 +00:00
Patrick Uiterwijk
b35d4402e1
Try to convert this string to int
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-08-16 17:40:59 +00:00
Patrick Uiterwijk
9b48361d76
Do the loop
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-08-16 17:39:55 +00:00