senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/infra/ansible/roles/common/tasks/ssh.yml
senke e97b91f010 fix(ansible): don't apply common role to haproxy container + gate ssh.yml on sshd 
Two fixes for "haproxy container doesn't have sshd" :

1. playbooks/haproxy.yml — drop the `common` role play.
   The role's purpose is to harden a full HOST (SSH + fail2ban
   monitoring auth.log + node_exporter metrics surface). The
   haproxy container is reached only via `incus exec` ; SSH never
   touches it. Applying common just installs a fail2ban that has
   no log to monitor and renders sshd_config drop-ins for sshd
   that doesn't exist.
   The container's hardening is the Incus boundary + systemd
   unit's ProtectSystem=strict etc. (already in the templates).

2. roles/common/tasks/ssh.yml — gate every task on sshd presence.
   `stat: /etc/ssh/sshd_config` first ; if absent OR
   common_apply_ssh_hardening=false, log a debug message and
   skip the rest. Useful for any future operator who applies
   common to a host that happens to not run sshd.

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 15:57:16 +02:00

57 lines
1.9 KiB
YAML
Raw Blame History

# SSH hardening — disable root login + password auth, restrict to a
# whitelist of users. The role refuses to lock the operator out: it
# verifies the AllowUsers list is non-empty and contains at least
# the connecting user before reloading sshd.
#
# Skipped entirely when sshd is not installed on the target — useful
# for Incus containers reached via `incus exec`, which don't need
# SSH at all (overlay set common_apply_ssh_hardening=false to skip
# explicitly even when sshd happens to be present).
---
- name: Detect whether sshd is present on the target
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: sshd_present
tags: [common, ssh]
- name: Skip SSH hardening when sshd is absent or disabled
ansible.builtin.debug:
msg: "sshd not installed on this host — SSH hardening skipped"
when:
- not sshd_present.stat.exists or not (common_apply_ssh_hardening | default(true))
tags: [common, ssh]
- name: Sanity check — ssh_allow_users must be non-empty
ansible.builtin.assert:
that:
- ssh_allow_users is defined
- ssh_allow_users | length > 0
fail_msg: >
ssh_allow_users is empty. Refusing to apply sshd_config which
would lock everyone out. Set ssh_allow_users in
group_vars/all.yml (or override per environment).
when:
- sshd_present.stat.exists
- common_apply_ssh_hardening | default(true)
- name: Render sshd_config drop-in (50-veza-hardening.conf)
ansible.builtin.template:
src: sshd_hardening.conf.j2
dest: /etc/ssh/sshd_config.d/50-veza-hardening.conf
owner: root
group: root
mode: "0644"
validate: /usr/sbin/sshd -t -f %s
notify: Reload sshd
when:
- sshd_present.stat.exists
- common_apply_ssh_hardening | default(true)
- name: Ensure sshd is enabled + running
ansible.builtin.service:
name: ssh
state: started
enabled: true
when:
- sshd_present.stat.exists
- common_apply_ssh_hardening | default(true)
Reference in a new issue View git blame Copy permalink