diff --git a/.gitignore b/.gitignore index 47389e54c..4096bc0b6 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,6 @@ collections/ roles/cloudalchemy.grafana/ roles/dev-sec.os-hardening/ -roles/dev-sec.ssh-hardening/ roles/galaxyproject.galaxy/ roles/galaxyproject.nginx/ roles/galaxyproject.cvmfs/ diff --git a/all.yml b/all.yml index c4b246d57..fa86044ac 100644 --- a/all.yml +++ b/all.yml @@ -1,6 +1,9 @@ --- -- name: Manage authorized SSH keys +- name: Configure SSH service and manage authorized keys hosts: all - gather_facts: false + gather_facts: true roles: - role: usegalaxy_eu.ssh_manager + - ssh-host-sign + - role: devsec.hardening.ssh_hardening + become: true diff --git a/apollo.yml b/apollo.yml index 11b20de9a..5574933cd 100644 --- a/apollo.yml +++ b/apollo.yml @@ -45,4 +45,3 @@ # END custom - dj-wasabi.telegraf # - dev-sec.os-hardening - # - dev-sec.ssh-hardening diff --git a/beacon.yml b/beacon.yml index ec1264b0f..bd9e3601e 100644 --- a/beacon.yml +++ b/beacon.yml @@ -8,8 +8,6 @@ - group_vars/beacon/vars.yml - group_vars/beacon/vault.yml vars: - collections: - - devsec.hardening roles: - role: usegalaxy_eu.handy.os_setup vars: diff --git a/build.yml b/build.yml index 87e18bbe4..f7ef95719 100644 --- a/build.yml +++ b/build.yml @@ -21,8 +21,6 @@ loop: - http - https - collections: - - devsec.hardening roles: - hostname - usegalaxy-eu.dynmotd diff --git a/cvmfs.yml b/cvmfs.yml index fa4d8ef56..56d87f009 100644 --- a/cvmfs.yml +++ b/cvmfs.yml @@ -7,8 +7,6 @@ - "secret_group_vars/all.yml" - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set default version of Python alternatives: @@ -51,7 +49,6 @@ - dj-wasabi.telegraf # hardening - os_hardening - - ssh_hardening # # - hostname @@ -69,4 +66,3 @@ # # END custom # - dj-wasabi.telegraf # - dev-sec.os-hardening -# - dev-sec.ssh-hardening diff --git a/galaxy-test.yml b/galaxy-test.yml index b5f806555..265fb72e2 100644 --- a/galaxy-test.yml +++ b/galaxy-test.yml 
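Review bot: In the all.yml hunk `ssh-host-sign` is listed without privilege escalation while only `devsec.hardening.ssh_hardening` gets `become: true`; the signing role writes `/tmp/server_ca` as `root:root` and creates `-cert.pub` files under `/etc/ssh`, which only works if the connection user is already root (the new `ssh_permit_root_login: "without-password"` suggests that, but it is not visible here). If a non-root connection user is ever used, move escalation to the play (`become: true` under `hosts: all`) or write the entry as `- role: ssh-host-sign` with `become: true`, matching the old resign-keys.yml that ran with `become: true`. The role order is right: signing has to happen before the hardening role templates the `HostCertificate` lines and restarts sshd.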
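Review bot: The first cvmfs.yml hunk removes the play-level `collections: [devsec.hardening]`, but the second hunk keeps the short role name `os_hardening` as context, and that name was only resolvable through the collection search path; with the keyword gone Ansible looks for a plain role called `os_hardening` and the play fails unless such a directory or symlink exists under `roles/` (the .gitignore only lists `dev-sec.os-hardening`). Use the fully qualified name, `- devsec.hardening.os_hardening`, as traefik-proxy.yml already does. The same check is needed in beacon.yml and build.yml, which also lose the `collections:` keyword in this commit but whose `roles:` lists are outside these hunks.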
@@ -149,4 +149,3 @@ # Some of our 'cleanups' also generate telegraf format so this goes at end. - dj-wasabi.telegraf #- dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/grafana.yml b/grafana.yml index 02e417143..1f96ca046 100644 --- a/grafana.yml +++ b/grafana.yml @@ -25,7 +25,6 @@ name: - git collections: - - devsec.hardening - grafana.grafana roles: ## Starting configuration of the operating system diff --git a/group_vars/all/ssh-host-sign.yml b/group_vars/all/ssh-host-sign.yml new file mode 100644 index 000000000..73c134eda --- /dev/null +++ b/group_vars/all/ssh-host-sign.yml @@ -0,0 +1,11 @@ +ssh_host_sign_keys: + - key: /etc/ssh/ssh_host_rsa_key.pub + certificate: /etc/ssh/ssh_host_rsa_key-cert.pub + + - key: /etc/ssh/ssh_host_ecdsa_key.pub + certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub + + - key: /etc/ssh/ssh_host_ed25519_key.pub + certificate: /etc/ssh/ssh_host_ed25519_key-cert.pub + +ssh_host_sign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/group_vars/all/ssh_hardening.yml b/group_vars/all/ssh_hardening.yml new file mode 100644 index 000000000..1e16e46bb --- /dev/null +++ b/group_vars/all/ssh_hardening.yml @@ -0,0 +1,5 @@ +ssh_host_certificates: "{{ ssh_host_sign_keys | map(attribute='certificate') }}" +ssh_permit_root_login: "without-password" +ssh_use_pam: true +sftp_enabled: true +ssh_client_alive_interval: 600 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index e5a1c61b8..65c13a07b 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -64,9 +64,6 @@ nginx_selinux_allow_local_connections: true #nginx_servers: # - redirect-ssl -# Allow root login on all machines - TBD -ssh_allow_root_with_key: true - redis_connection_string: "redis://:{{ redis_requirepass }}@mq02.galaxyproject.eu:6379/0" # Chrony chrony_server: 'time.ruf.uni-freiburg.de iburst' 
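Review bot: The new group_vars/all/ssh_hardening.yml drops the reasons the old vars.yml block carried for `ssh_use_pam` ("Anything else prevents more login") and `sftp_enabled` ("Required if you want to run ansible more than once"); those two settings are exactly the ones a future hardening pass is likely to flip, so keep a why-comment above each, e.g. `# PAM must stay on or password/2FA-backed logins stop working` and `# sftp is required by Ansible's default file transfer; disabling it breaks the next run`. `ssh_host_certificates` is a `map()` generator object; add `| list` so it serialises as a plain list when the role loops over it or prints it in a diff: `ssh_host_certificates: "{{ ssh_host_sign_keys | map(attribute='certificate') | list }}"`. `ssh_permit_root_login: "without-password"` is now applied unconditionally to every host in the inventory (the old `ssh_allow_root_with_key` was marked TBD); that is a deliberate policy decision and deserves a comment saying so.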
@@ -168,28 +165,6 @@ au_random_sleep: 360 sysctl_config: net.ipv6.conf.all.disable_ipv6: 0 -# SSH - -# ALL hosts should have signed SSH keys. -# ssh-host-(re)sign role -ssh_host_key_cert_files: - - /etc/ssh/ssh_host_rsa_key-cert.pub - - /etc/ssh/ssh_host_ecdsa_key-cert.pub - - /etc/ssh/ssh_host_ed25519_key-cert.pub - -# dev-sec.ssh-hardening role -# Allow root login on all machines -ssh_permit_root_login: "without-password" -sshd_custom_options: - - "HostCertificate {{ ssh_host_key_cert_files[0] }}" - - "HostCertificate {{ ssh_host_key_cert_files[1] }}" - - "HostCertificate {{ ssh_host_key_cert_files[2] }}" -# Anything else prevents more login -ssh_use_pam: true -# Required if you want to run ansible more than once. -sftp_enabled: true -ssh_client_alive_interval: 600 - # Apollo env vars apollo_env: "GALAXY_WEBAPOLLO_URL={{ GALAXY_WEBAPOLLO_URL }} GALAXY_WEBAPOLLO_USER={{ GALAXY_WEBAPOLLO_USER }} GALAXY_WEBAPOLLO_PASSWORD={{ GALAXY_WEBAPOLLO_PASSWORD }} GALAXY_WEBAPOLLO_EXT_URL={{ GALAXY_WEBAPOLLO_EXT_URL }} GALAXY_SHARED_DIR={{ GALAXY_SHARED_DIR }} GALAXY_APOLLO_ORG_SUFFIX=id" diff --git a/host_vars/apps.galaxyproject.eu.yml b/host_vars/apps.galaxyproject.eu.yml new file mode 100644 index 000000000..1d273bb5a --- /dev/null +++ b/host_vars/apps.galaxyproject.eu.yml @@ -0,0 +1 @@ +ssh_server_ports: ["8080"] diff --git a/incoming.yml b/incoming.yml index 187d41ca3..af5761c72 100644 --- a/incoming.yml +++ b/incoming.yml @@ -9,8 +9,6 @@ - secret_group_vars/all.yml - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set timezone to Europe/Berlin community.general.timezone: diff --git a/influxdb.yml b/influxdb.yml index 4716f6e1b..ca0958101 100644 --- a/influxdb.yml +++ b/influxdb.yml @@ -39,8 +39,6 @@ ansible.builtin.service: name: firewalld state: reloaded - collections: - - devsec.hardening roles: ## Starting configuration of the operating system - geerlingguy.swap 
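Review bot: Moving sshd on apps.galaxyproject.eu to port 8080 (host_vars/apps.galaxyproject.eu.yml) undercuts the host-certificate trust set up in the same commit: OpenSSH stores and matches known_hosts entries for non-default ports in the `[host]:port` form, so the `@cert-authority *.galaxyproject.eu,...` pattern from `ssh_host_sign_cert_domains_ips` will not match `[apps.galaxyproject.eu]:8080` and clients fall back to trust-on-first-use for this host. Add the bracketed form to the pattern list, e.g. `[apps.galaxyproject.eu]:8080`, or document why this host is excepted from CA trust. Also confirm that firewalld and, on SELinux hosts, the `ssh_port_t` label permit 8080 before the hardening role restarts sshd on the new port — nothing in this diff handles that, and a failed restart on a remote host is hard to recover from.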
diff --git a/maintenance.yml b/maintenance.yml index 6c72c8bdd..d263fe0d7 100644 --- a/maintenance.yml +++ b/maintenance.yml @@ -8,8 +8,6 @@ - secret_group_vars/all.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening handlers: - name: restart rsyslog service: diff --git a/mq.yml b/mq.yml index ed9400bed..b40ce4aca 100644 --- a/mq.yml +++ b/mq.yml @@ -6,8 +6,6 @@ - secret_group_vars/all.yml - secret_group_vars/aws.yml # AWS creds - secret_group_vars/pulsar.yml # Pulsar + MQ Connections - collections: - - devsec.hardening pre_tasks: # - name: Set default version of Python # alternatives: diff --git a/one-off/cvmfs-stratum0.yml b/one-off/cvmfs-stratum0.yml index c49493819..4c38bd769 100644 --- a/one-off/cvmfs-stratum0.yml +++ b/one-off/cvmfs-stratum0.yml @@ -30,4 +30,3 @@ # END custom - dj-wasabi.telegraf # - dev-sec.os-hardening -# - dev-sec.ssh-hardening diff --git a/one-off/denbi-stratum0.yml b/one-off/denbi-stratum0.yml index a5877ebc1..322f952a6 100644 --- a/one-off/denbi-stratum0.yml +++ b/one-off/denbi-stratum0.yml @@ -29,4 +29,3 @@ # END custom - dj-wasabi.telegraf #- dev-sec.os-hardening - #- dev-sec.ssh-hardening diff --git a/one-off/hicbrowser.yml b/one-off/hicbrowser.yml index 94c74b455..1613d9bb7 100644 --- a/one-off/hicbrowser.yml +++ b/one-off/hicbrowser.yml @@ -16,4 +16,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/one-off/job-working-dir.yml b/one-off/job-working-dir.yml index 3270a341f..6cb95616e 100644 --- a/one-off/job-working-dir.yml +++ b/one-off/job-working-dir.yml @@ -19,4 +19,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/one-off/org-jenkins-nodes.yml b/one-off/org-jenkins-nodes.yml index 2f986d490..7e41b19e2 100644 --- a/one-off/org-jenkins-nodes.yml +++ b/one-off/org-jenkins-nodes.yml @@ -45,4 +45,3 @@ - hxr.monitor-email - influxdata.chrony - dev-sec.os-hardening - - dev-sec.ssh-hardening 
diff --git a/one-off/ssds1.yml b/one-off/ssds1.yml index 7d8f1c2bb..ea1ad1f0b 100644 --- a/one-off/ssds1.yml +++ b/one-off/ssds1.yml @@ -15,4 +15,3 @@ - geerlingguy.nfs - linuxhq.yum_cron - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/plausible.yml b/plausible.yml index 8ea11fac9..5a616b405 100644 --- a/plausible.yml +++ b/plausible.yml @@ -7,8 +7,6 @@ vars_files: - secret_group_vars/all.yml - secret_group_vars/plausible.yml - collections: - - devsec.hardening roles: - hostname - usegalaxy-eu.dynmotd diff --git a/proxy.yml b/proxy.yml index fd3d4b587..1af900114 100644 --- a/proxy.yml +++ b/proxy.yml @@ -6,8 +6,6 @@ hostname: proxy.galaxyproject.eu vars_files: - secret_group_vars/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set default version of Python alternatives: diff --git a/requirements.yaml b/requirements.yaml index 69abca846..c47789a79 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -55,8 +55,6 @@ collections: roles: - name: dev-sec.os-hardening version: 4.2.0 - - name: dev-sec.ssh-hardening - version: 9.7.0 - name: devops.tomcat7 version: 1.0.0 - name: dj-wasabi.telegraf diff --git a/resign-keys.yml b/resign-keys.yml deleted file mode 100644 index 3e8b876e9..000000000 --- a/resign-keys.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: resign all ssh keys - hosts: all - become: true - roles: - - ssh-host-resign - - dev-sec.ssh-hardening diff --git a/roles/ssh-host-resign/files/server_ca b/roles/ssh-host-resign/files/server_ca deleted file mode 100644 index b765389d7..000000000 --- a/roles/ssh-host-resign/files/server_ca +++ /dev/null 
@@ -1,89 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35623839633831636162636331376561353430653030373638656231386430653237383632616132 -3130353037313362666566653963653133653430613635350a633665393632613365663264353635 -63643337666264366164396238643164326461626331316134626130323630376132646335363266 -3234363236393633330a633164643363666435346330306466366230636133636438616634343639 -32373535653265633966373930323732323162313565386332383338303132666339343630376663 -38383339653238373632313838613332643331303031356263636534316636393335643766323266 -30623535633666633439646563356562633764643464313964316536613065343235643832393437 -66646532333939356130663136663231343337326434316232323865343136373266373665623633 -65646166323232623733353734333665396533303839326461623761313333613837656261353464 -39663732326461333162643763323161366133663130616236363766633234313861353933613736 -30323962666166363161363462653939313861643231316534326163333738326561646436396263 -38626239363764623766353434373733313862646131363230653337326234346466363830343836 -30306332336337346562386262393263353064393161393464373263373736393863376339366263 -32616131656661623836643034373931303465373961356431386464646638646362353065323934 -63313635396564356437353838383265333737346234383261663533626233626230333564656336 -36313031636533623663653135383334653136646133396536663337636332336532326538646563 -64336136646436376334393865303935663433393237323939323639343861643033323934643835 -63653530393134323933356166653065393939666533383463663235643535353262626434316439 -38376133393338343437383136393038643937323639613531663631613262343032363732346263 -61383837666331626266326335646564353262393933323731643933366232643836646431663364 -35323166383564666634336535326531353137663633323561623333373234373934656333383733 -35313236363363396639386639316338356334343137333731376233356230636461353838363238 -39363961663233633836363834313663663732383435663434376634636437656431613430343430 
-36653239633662356534313166323835633531613364653432306338613933313038646236323038 -34366535366530343163373638623666356163393864366662666439666134333738636132653235 -35313430343537343764643061353861633465636430643361323563303733633130393763303461 -37343761653864333835313635356237656431646230393439393566623631386166363437326339 -38383061346634643839346339663864663531336263623039613365343439383163636230366266 -61316232393164366563363138333338393463653234363535373836363235306230636331663537 -32326634383863316538303561346665626437393336323537383630373434356239336161363430 -65376561656532663534626631383162313031376537626237666665336561626564643335346165 -39613861383966356162643562643039323334313632653061316566333637646461633834623037 -34663330366536343538363862616161303835343365643935653037386230313663393261363237 -36353631303232303863343839613933373264313933326462333037613735646239373731333431 -36633464333730396635333635666337656635666538356263653036383637303266316563363434 -30306437643032303064323961393164616635313862306264666362336666306636313236373365 -64623364613630373938653535326136653831656138656165373461353734396661316239643838 -39363364366662396364353531316366396333343465653237306664306362383465326366316630 -38366333616263366632633663353466656562353030633064373933636633633138613333323761 -36373261666465643538366632326463626339663433386433343261646462616433656565643431 -32373165313434633365376661376561626339663863383332333332343566613466333766303366 -65613939323933646335623636356534636666346261313532616663366162356164373630373564 -37386133646439643463366339633066626165376436393164646431663231393062396631313966 -64643063613138326361333037323133323563356361326439666361646630643931643964646466 -36303338383033623638383330363164356161646566643834633566316261323330383562333762 -65333833393638353436626365663637663938643465323038336237633563306631666264396635 -37333937613133346130363064383330356638623034356532393733393361653961366662313134 
-63653035386633386432313033363732303730326634366366333938656339613361656333303934 -34306530346463306361303436643435633636313263626139393361376362303939613134646263 -65626139626637383664663065333564336136363766623036323233336166666631373962316638 -34613363316238613336356639393031353537353863303438376530633539653162623165326235 -31363933336537626563306133383566666533383262363163343035636634366237663035373062 -63323934396132343031656431343039393036366662623164343033383663323236306133623437 -34373063386236343434306230396561373838313139303933633332636565646365393461313839 -32333261626637306362303665373638333663643037313535326239373665663166373636323139 -37356530303039363265353533306237396664343532653765636562616634656461623237336638 -66323036663962376334623533366463396338353532633337356666626634333732316639333438 -65356532396462353734326439373335646235333666333365346661353834626563626436663436 -65643634383837643930643961363032356336626535666465613934326230333832393564356565 -34636530346432613165616464336337643637343330626335636265616265646238623332343330 -37353063313537613866373565386564353162393463396166613636393537393461653838323039 -61653966656434623037306666626666363938333133373337313939373765303531346566356535 -34666331323038646562306439613266646231353836353832333536396165303563643931346237 -63616435316566343736633864353038376531366164663762616137663264383031373039616534 -64656233366563393561663438383736636330333465653163343564643565336436653964306665 -32303465316461303063316463383335376532373062313931343539353064613139366336616663 -61343064643336646237393839646164386364366564323237323338356234636363643362663266 -62353533323562633332316437373030663966356562323466666563303731636666626537386263 -34356363663136656636623565373336336339616535343532626166656238333666303439343537 -34643838316562666437643366623539633462653939333938363538386264653934326363643661 -65333363626331316266356266663237306536376564383134376265613135346238646361366331 
-66356465316138303834386432386363333961653765303665386533343164633663306664363634 -63633264376563393566653766383966313065636134383037356134316365313261373930303366 -34353461616433336530646165353065376330306235333037633230653136653663653032323531 -35343866383635306539643834333563633866633633613666653533626166653932333934323961 -30376333323866376131323934336162306133373035326562643361616161316663353966363365 -38653531316165653137663734316662313062306637303761653961353938323863366639386565 -64666661383462323435336231366639313236636237353033353134616336313865633932643961 -38316666653832636663343233386662376431383438303566366434653964323138656336396664 -62643065346538326138396631393935613238646136626436666530363838666633343839613737 -62643537303963303134393961373932336265373866333961303532363665353366373162323633 -66643430386263363630653064346339623539343565353937666330326231326564653135656461 -35366266353531643739646261306135343264663564333062366138653737316436633236326535 -34333362666337373831353538313363366462326366623864323738623731366338383733626433 -62636637353835643438363562613033313264323463656262616163366133613136616434363139 -38646132366366313064623564626265386265316365636539653532383866643537393561323431 -62616163663338306265326465356262323431323964616661386233363937386132633538343832 -30326637313637336365 diff --git a/roles/ssh-host-resign/files/server_ca.pub b/roles/ssh-host-resign/files/server_ca.pub deleted file mode 100644 index fb30aa98f..000000000 --- a/roles/ssh-host-resign/files/server_ca.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLQD6fG38uwFj91GSe6YnRnBuTjXWZN6Pck1JRCTWtufwKV0SZNczD+qUdnFfZrCx/wBVK8R6zL2VWS9hcFK1LuE8HK86f8qG/gcB6yFt/0I/PWoSjcbUMPQTzFIy8yxvdIoPTlj/P6+uNgweTvMFI4+UOuCI71IhB/liTHn1/2dXQM94SFd4VQeg+3Tc6gDxEqRSS6dLIq0uvR8//luIpoW38yh2ozwHmjMKTvHnbduGqHlES4qz9cU9iZkWoPzSp+qoxCOijHvwzL5vD0/k4hZ/iJyTzDHQLDra3Kaa8ykWdERCxjpMp1y9dVQ23lVxp+UUAt3RHOCU1/KuNM9Pr hxr@mk 
diff --git a/roles/ssh-host-resign/tasks/main.yml b/roles/ssh-host-resign/tasks/main.yml deleted file mode 100644 index a37721bf1..000000000 --- a/roles/ssh-host-resign/tasks/main.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: Copy server key into VM temporarily - copy: - src: server_ca - dest: /tmp/server_ca - owner: root - group: root - mode: 0600 - -- name: Sign Keys - command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub - with_items: - - rsa - - ecdsa - - ed25519 - -# Requires dev-sec.ssh-hardening + patches -- set_fact: - ssh_host_key_cert_files: - - /etc/ssh/ssh_host_rsa_key-cert.pub - - /etc/ssh/ssh_host_ecdsa_key-cert.pub - - /etc/ssh/ssh_host_ed25519_key-cert.pub - notify: "restart sshd" - -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent - -- name: "Helper" - debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml index df60c7c9f..64399b81d 100644 --- a/roles/ssh-host-sign/tasks/main.yml +++ b/roles/ssh-host-sign/tasks/main.yml 
@@ -1,45 +1,16 @@ --- -- stat: path=/etc/ssh/ssh_host_rsa_key-cert.pub - register: st +- name: Sign host keys if missing or expired + ansible.builtin.include_tasks: + file: sign.yml + with_items: "{{ ssh_host_sign_keys }}" -- name: Copy server key into VM temporarily - copy: - src: server_ca - dest: /tmp/server_ca - owner: root - group: root - mode: 0600 - when: not st.stat.exists - -- name: Sign Keys - command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub - with_items: - - rsa - - ecdsa - - ed25519 - when: not st.stat.exists - -# Requires dev-sec.ssh-hardening -- set_fact: - sshd_custom_options: - - "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" - - "HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub" - - "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" - notify: "restart sshd" - -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent - when: not st.stat.exists - -- name: Another way to call known_hosts - known_hosts: - name: "CA" - key: "@cert-authority * {{ lookup('file', 'server_ca.pub') }}" +- name: Add CA certificate to known_hosts file + ansible.builtin.lineinfile: + line: "@cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" path: /etc/ssh/ssh_known_hosts state: present + create: true -# - name: "Helper" -# debug: -# msg: "Please add the following to your known_hosts file: @cert-authority {{ lookup('file', 'server_ca.pub') }}" +- name: "Helper" + ansible.builtin.debug: + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml new file mode 100644 index 000000000..f3681d390 --- /dev/null +++ b/roles/ssh-host-sign/tasks/sign.yml 
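Review bot: The new `lineinfile` task has only `line:` and `state: present`, so it never replaces an existing `@cert-authority` entry; if the CA key or `ssh_host_sign_cert_domains_ips` ever changes, the old line — and with it trust in the old CA — stays in `/etc/ssh/ssh_known_hosts` next to the new one. Anchor the task with `regexp: '^@cert-authority '` so the line is rewritten in place, and since `create: true` is set, give the file a deterministic mode with `mode: "0644"`. `lookup('file', 'server_ca.pub')` reads from the controller, so a CA rotation also means replacing that file in `roles/ssh-host-sign/files/`, which is outside this hunk; a one-line comment above the task saying where the public key comes from would help the next person.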
@@ -0,0 +1,49 @@ +- name: Check if cert files exist + ansible.builtin.stat: + path: "{{ item.certificate }}" + register: "st" + +- set_fact: + is_outdated: 0 +- name: Determine if keys are outdated + when: st.stat.exists + block: + - ansible.builtin.command: + cmd: "ssh-keygen -L -f {{ item.certificate }}" + check_mode: false + changed_when: false + register: cert_info + - name: Parse expiration date + set_fact: + # Extracts "2036-01-02T12:22:54" + expiry_string: "{{ cert_info | regex_search('to\\s(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})', '\\1') | first | regex_replace('T', '\ ') }}" + - debug: + var: "{{ expiry_string }}" + + - name: Convert dates for comparison + set_fact: + expiry_date: "{{ (expiry_string | to_datetime) }}" + + - name: Determine if certificate will expire in less than a month + ansible.builtin.set_fact: + is_outdated: "{{ ((expiry_string | to_datetime) - now()).days < 30 }}" + +- name: Sign keys if outdated + when: (not st.stat.exists) or is_outdated + block: + - name: Copy server key into VM temporarily + copy: + src: server_ca + dest: /tmp/server_ca + owner: root + group: root + mode: 0600 + diff: false + + - name: Sign Keys + command: "ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w {{ item.key }}" + always: + - name: Ensure server key is gone + file: + path: /tmp/server_ca + state: absent diff --git a/sn07.yml b/sn07.yml index fb4f921a8..06c73cf74 100644 --- a/sn07.yml +++ b/sn07.yml @@ -55,8 +55,6 @@ - templates/galaxy/config/job_conf.yml - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening handlers: - name: Restart Galaxy shell: | diff --git a/sn09.yml b/sn09.yml index 44757b1f7..518ac9528 100644 --- a/sn09.yml +++ b/sn09.yml @@ -67,8 +67,6 @@ - templates/galaxy/config/job_conf.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening handlers: - name: Restart Galaxy ansible.builtin.shell: | diff --git a/sn11.yml b/sn11.yml index d8c01d728..69eaa2932 100644 
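Review bot: The `Sign Keys` command in sign.yml uses `-h` without `-n`, so every host certificate carries no principals and is accepted for any hostname the client's `@cert-authority` pattern covers; a single compromised host can then present itself as any other host in the fleet. Bind the certificate to its host and give it a useful identity — `command: "ssh-keygen -s /tmp/server_ca -I {{ inventory_hostname }} -h -n {{ inventory_hostname }},{{ ansible_fqdn }} -V +520w {{ item.key }}"` (facts are now gathered in all.yml, so `ansible_fqdn` is available) — and add `notify: restart sshd` to that task, because sshd only reads host certificates at start-up and nothing in the new role restarts it after a re-sign (confirm the handler name the collection role exposes). `cert_info | regex_search(...)` runs the regex over the stringified result dict; use `cert_info.stdout` so other fields cannot produce a false match, and `debug: var: "{{ expiry_string }}"` should be `var: expiry_string` since `var` takes a name, not a templated value. The larger design point, inherited from the old role, is that the CA private key is still copied to every managed host; signing on the controller (`fetch` the `.pub`, run `ssh-keygen` with `delegate_to: localhost`, `copy` the `-cert.pub` back) would keep it off the fleet entirely and is worth a follow-up.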
--- a/sn11.yml +++ b/sn11.yml @@ -9,8 +9,6 @@ - group_vars/sn11.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening pre_tasks: - name: Add mosh service config for FirewallD ansible.builtin.copy: diff --git a/telescope.yml b/telescope.yml index 9518d934c..ecdfab940 100644 --- a/telescope.yml +++ b/telescope.yml @@ -24,4 +24,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/tpv-broker.yml b/tpv-broker.yml index 1627a9e82..370108771 100644 --- a/tpv-broker.yml +++ b/tpv-broker.yml @@ -12,8 +12,6 @@ - group_vars/tpv-broker.yml - secret_group_vars/all.yml - secret_group_vars/aws.yml - collections: - - devsec.hardening pre_tasks: - name: Install Dependencies package: diff --git a/traefik-proxy.yml b/traefik-proxy.yml index f37c69ff0..608f72593 100644 --- a/traefik-proxy.yml +++ b/traefik-proxy.yml @@ -63,5 +63,4 @@ - usegalaxy-eu.dynmotd - artis3n.tailscale - usegalaxy_eu.traefik - - devsec.hardening.ssh_hardening - devsec.hardening.os_hardening