2022-01-26 20:02:29 +00:00
14 changed files with 401 additions and 57 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@ -71,7 +71,7 @@ local PipelineDeployment(scenario='centos7') = {
    'linting',
  ],
  trigger: {
-    ref: ['refs/heads/master', 'refs/tags/**'],
+    ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
  },
 };
@ -116,6 +116,7 @@ local PipelineDocumentation = {
  },
  depends_on: [
    'testing-centos7',
    'testing-rocky8',
  ],
 };
@ -154,6 +155,7 @@ local PipelineNotification = {
 [
  PipelineLinting,
  PipelineDeployment(scenario='centos7'),
  PipelineDeployment(scenario='rocky8'),
  PipelineDocumentation,
  PipelineNotification,
 ]
--- a/.drone.yml
+++ b/.drone.yml
@ -62,6 +62,40 @@ trigger:
  ref:
    - refs/heads/master
    - refs/tags/**
    - refs/pull/**
 depends_on:
  - linting
 ---
 kind: pipeline
 name: testing-rocky8
 platform:
  os: linux
  arch: amd64
 concurrency:
  limit: 1
 workspace:
  base: /drone/src
  path: ${DRONE_REPO_NAME}
 steps:
  - name: ansible-molecule
    image: thegeeklab/molecule:3
    commands:
      - molecule test -s rocky8
    environment:
      HCLOUD_TOKEN:
        from_secret: hcloud_token
 trigger:
  ref:
    - refs/heads/master
    - refs/tags/**
    - refs/pull/**
 depends_on:
  - linting
@ -108,6 +142,7 @@ trigger:
 depends_on:
  - testing-centos7
  - testing-rocky8
 ---
 kind: pipeline
@ -147,6 +182,6 @@ depends_on:
 ---
 kind: signature
-hmac: 6fb4bbe578d0a67f6def789d5b7a11d422bca42f07695c24fac97950f02cf51a
+hmac: 4e3ffd7002957963c30b32275a59b62e7c19a1ccf7bd40369411bca13d94614e
 ...
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,15 +1,16 @@
 ---
 sshd_protocol: 2
-sshd_permit_root_login: 'yes'
+sshd_permit_root_login: "yes"
-sshd_permit_empty_passwords: 'no'
+sshd_permit_empty_passwords: "no"
-sshd_password_authentication: 'no'
+sshd_password_authentication: "no"
-sshd_gssapi_authentication: 'yes'
+sshd_gssapi_authentication: "no"
-sshd_strict_modes: 'yes'
+sshd_strict_modes: "yes"
 sshd_allow_groups: []
-sshd_ignore_rhosts: 'yes'
+sshd_ignore_rhosts: "yes"
-sshd_hostbased_authentication: 'no'
+sshd_hostbased_authentication: "no"
 sshd_client_alive_interval: 900
 sshd_client_alive_count_max: 0
 sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
@ -17,33 +18,37 @@ sshd_ciphers:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
 sshd_kex:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
 sshd_moduli_minimum: 2048
 sshd_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-ripemd160-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
-  - hmac-ripemd160
+  - umac-128@openssh.com
-sshd_allow_agent_forwarding: 'no'
+
-sshd_x11_forwarding: 'yes'
+sshd_allow_agent_forwarding: "no"
-sshd_allow_tcp_forwarding: 'yes'
+sshd_x11_forwarding: "yes"
 sshd_allow_tcp_forwarding: "yes"
 sshd_compression: delayed
 sshd_log_level: INFO
 sshd_max_auth_tries: 6
 sshd_max_sessions: 10
-sshd_tcp_keep_alive: 'yes'
+sshd_tcp_keep_alive: "yes"
-sshd_use_dns: 'yes'
+sshd_use_dns: "no"
 sshd_disable_crypto_policy: False
 # @var sshd_challenge_response_authentication:description: >
-# If you disable password auth you should disable
+# If you disable password auth you should disable ChallengeResponseAuth also.
 # ChallengeResponseAuth also.
 # @end
-sshd_challenge_response_authentication: 'no'
+sshd_challenge_response_authentication: "no"
 # @var sshd_google_auth_enabled:description: >
 # Google Authenticator required ChallengeResponseAuth!
--- a/molecule/default
+++ b/molecule/default
@ -1 +1 @@
-centos7
+rocky8
--- a/molecule/rocky8/converge.yml
+++ b/molecule/rocky8/converge.yml
@ -0,0 +1,5 @@
 ---
 - name: Converge
  hosts: all
  roles:
    - role: xoxys.sshd
--- a/molecule/rocky8/create.yml
+++ b/molecule/rocky8/create.yml
@ -0,0 +1,120 @@
 ---
 - name: Create
  hosts: localhost
  connection: local
  gather_facts: false
  no_log: "{{ molecule_no_log }}"
  vars:
    ssh_port: 22
    ssh_user: root
    ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
  tasks:
    - name: Create SSH key
      user:
        name: "{{ lookup('env', 'USER') }}"
        generate_ssh_key: true
        ssh_key_file: "{{ ssh_path }}"
        force: true
      register: generated_ssh_key
    - name: Register the SSH key name
      set_fact:
        ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
    - name: Register SSH key for test instance(s)
      hcloud_ssh_key:
        name: "{{ ssh_key_name }}"
        public_key: "{{ generated_ssh_key.ssh_public_key }}"
        state: present
    - name: Create molecule instance(s)
      hcloud_server:
        name: "{{ item.name }}"
        server_type: "{{ item.server_type }}"
        ssh_keys:
          - "{{ ssh_key_name }}"
        image: "{{ item.image }}"
        location: "{{ item.location | default(omit) }}"
        datacenter: "{{ item.datacenter | default(omit) }}"
        user_data: "{{ item.user_data | default(omit) }}"
        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
        state: present
      register: server
      loop: "{{ molecule_yml.platforms }}"
      async: 7200
      poll: 0
    - name: Wait for instance(s) creation to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: hetzner_jobs
      until: hetzner_jobs.finished
      retries: 300
      loop: "{{ server.results }}"
    - name: Create volume(s)
      hcloud_volume:
        name: "{{ item.name }}"
        server: "{{ item.name }}"
        location: "{{ item.location | default(omit) }}"
        size: "{{ item.volume_size | default(10) }}"
        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
        state: "present"
      loop: "{{ molecule_yml.platforms }}"
      when: item.volume | default(False) | bool
      register: volumes
      async: 7200
      poll: 0
    - name: Wait for volume(s) creation to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: hetzner_volumes
      until: hetzner_volumes.finished
      retries: 300
      when: volumes.changed
      loop: "{{ volumes.results }}"
    # Mandatory configuration for Molecule to function.
    - name: Populate instance config dict
      set_fact:
        instance_conf_dict:
          {
            "instance": "{{ item.hcloud_server.name }}",
            "ssh_key_name": "{{ ssh_key_name }}",
            "address": "{{ item.hcloud_server.ipv4_address }}",
            "user": "{{ ssh_user }}",
            "port": "{{ ssh_port }}",
            "identity_file": "{{ ssh_path }}",
            "volume": "{{ item.item.item.volume | default(False) | bool }}",
          }
      loop: "{{ hetzner_jobs.results }}"
      register: instance_config_dict
      when: server.changed | bool
    - name: Convert instance config dict to a list
      set_fact:
        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
      when: server.changed | bool
    - name: Dump instance config
      copy:
        content: |
          # Molecule managed
          {{ instance_conf | to_nice_yaml(indent=2) }}
        dest: "{{ molecule_instance_config }}"
      when: server.changed | bool
    - name: Wait for SSH
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ item.address }}"
        search_regex: SSH
        delay: 10
      loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
    - name: Wait for VM to settle down
      pause:
        seconds: 30
--- a/molecule/rocky8/destroy.yml
+++ b/molecule/rocky8/destroy.yml
@ -0,0 +1,78 @@
 ---
 - name: Destroy
  hosts: localhost
  connection: local
  gather_facts: false
  no_log: "{{ molecule_no_log }}"
  tasks:
    - name: Check existing instance config file
      stat:
        path: "{{ molecule_instance_config }}"
      register: cfg
    - name: Populate the instance config
      set_fact:
        instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
    - name: Destroy molecule instance(s)
      hcloud_server:
        name: "{{ item.instance }}"
        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
        state: absent
      register: server
      loop: "{{ instance_conf }}"
      async: 7200
      poll: 0
    - name: Wait for instance(s) deletion to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: hetzner_jobs
      until: hetzner_jobs.finished
      retries: 300
      loop: "{{ server.results }}"
    - pause:
        seconds: 5
    - name: Destroy volume(s)
      hcloud_volume:
        name: "{{ item.instance }}"
        server: "{{ item.instance }}"
        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
        state: "absent"
      register: volumes
      loop: "{{ instance_conf }}"
      when: item.volume | default(False) | bool
      async: 7200
      poll: 0
    - name: Wait for volume(s) deletion to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: hetzner_volumes
      until: hetzner_volumes.finished
      retries: 300
      when: volumes.changed
      loop: "{{ volumes.results }}"
    - name: Remove registered SSH key
      hcloud_ssh_key:
        name: "{{ instance_conf[0].ssh_key_name }}"
        state: absent
      when: (instance_conf | default([])) | length > 0
    # Mandatory configuration for Molecule to function.
    - name: Populate instance config
      set_fact:
        instance_conf: {}
    - name: Dump instance config
      copy:
        content: |
          # Molecule managed
          {{ instance_conf | to_nice_yaml(indent=2) }}
        dest: "{{ molecule_instance_config }}"
      when: server.changed | bool
--- a/molecule/rocky8/molecule.yml
+++ b/molecule/rocky8/molecule.yml
@ -0,0 +1,24 @@
 ---
 dependency:
  name: galaxy
  options:
    role-file: molecule/requirements.yml
    requirements-file: molecule/requirements.yml
  env:
    ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
 driver:
  name: delegated
 platforms:
  - name: rocky8-sshd
    image: rocky-8
    server_type: cx11
 lint: |
  /usr/local/bin/flake8
 provisioner:
  name: ansible
  env:
    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
  log: False
 verifier:
  name: testinfra
--- a/molecule/rocky8/prepare.yml
+++ b/molecule/rocky8/prepare.yml
@ -0,0 +1,15 @@
 ---
 - name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: Bootstrap python for Ansible
      raw: |
        command -v python3 python || (
        (test -e /usr/bin/dnf && sudo dnf install -y python3) ||
        (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
        (test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
        echo "Warning: Python not boostrapped due to unknown platform."
        )
      become: true
      changed_when: false
--- a/molecule/rocky8/tests/test_default.py
+++ b/molecule/rocky8/tests/test_default.py
@ -0,0 +1,16 @@
 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ["MOLECULE_INVENTORY_FILE"]
 ).get_hosts("all")
 def test_sshd_config_file(host):
    sshd = host.file("/etc/ssh/sshd_config")
    assert sshd.exists
    assert sshd.user == "root"
    assert sshd.group == "root"
    assert sshd.mode == 0o600
--- a/tasks/ssh_default.yml
+++ b/tasks/ssh_default.yml
@ -1,4 +1,9 @@
 ---
 - name: Gather package facts
  package_facts:
  check_mode: False
  when: sshd_disable_crypto_policy | bool
 - block:
    - name: Hardening sshd config
      template:
@ -16,8 +21,9 @@
      check_mode: no
    - name: Remove all small primes
-      shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+      shell:
-            [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+        awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
        [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
      notify: __sshd_restart
      when: __sshd_register_moduli.stdout
@ -26,5 +32,16 @@
        name: "{{ item }}"
        state: present
      loop: "{{ sshd_allow_groups }}"
    - name: Disable SSH server CRYPTO_POLICY
      copy:
        src: etc/sysconfig/sshd
        dest: /etc/sysconfig/sshd
        owner: "root"
        group: "root"
        mode: "0640"
      when:
        - sshd_disable_crypto_policy | bool
        - ('crypto-policies' in ansible_facts.packages)
  become: True
  become_user: root
--- a/tasks/ssh_univention.yml
+++ b/tasks/ssh_univention.yml
@ -5,18 +5,30 @@
        path: "{{ item.path }}"
        value: "{{ item.value }}"
      loop:
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
+        - path: sshd/permitroot
-        - { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" }
+          value: "{{ sshd_permit_root_login | default('') }}"
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
+        - path: sshd/PermitEmptyPasswords
-        - { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" }
+          value: "{{ sshd_permit_empty_passwords | default('') }}"
-        - { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" }
+        - path: sshd/permitroot
-        - { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" }
+          value: "{{ sshd_permit_root_login | default('') }}"
-        - { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" }
+        - path: sshd/passwordauthentication
-        - { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" }
+          value: "{{ sshd_password_authentication | default('') }}"
-        - { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" }
+        - path: sshd/challengeresponse
-        - { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" }
+          value: "{{ sshd_password_authentication | default('') }}"
-        - { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" }
+        - path: sshd/IgnoreRhosts
-        - { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" }
+          value: "{{ sshd_ignore_rhosts | default('') }}"
        - path: sshd/HostbasedAuthentication
          value: "{{ sshd_hostbased_authentication | default('') }}"
        - path: sshd/ClientAliveInterval
          value: "{{ sshd_client_alive_interval | default('') }}"
        - path: sshd/ClientAliveCountMax
          value: "{{ sshd_client_alive_count_max | default('') }}"
        - path: sshd/Ciphers
          value: "{{ sshd_ciphers | default('[]') | join(',') }}"
        - path: sshd/KexAlgorithms
          value: "{{ sshd_kex | default('[]') | join(',') }}"
        - path: sshd/MACs
          value: "{{ sshd_macs | default('[]') | join(',') }}"
      loop_control:
        label: "variable: {{ item.path }}={{ item.value }}"
      notify: __sshd_restart
@ -30,7 +42,7 @@
    - name: Create SSH Usergroup
      group:
        name: "{{ item }}"
-        system: 'yes'
+        system: "yes"
        state: present
      loop: "{{ sshd_allow_groups }}"
  become: True
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@ -1,9 +1,8 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 #	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
-# This is the sshd server system-wide configuration file.  See
+# This is the sshd server system-wide configuration file.
-# sshd_config(5) for more information.
+# See sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
@ -20,30 +19,31 @@
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 {% if ansible_distribution_major_version is version('8', '<') %}
 # The default requires explicit activation of protocol 1
 Protocol {{ sshd_protocol }}
 {% endif %}
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
 # Ciphers and keying
 #RekeyLimit default none
 {% if not sshd_disable_crypto_policy | bool %}
 # This system is following system-wide crypto policy. The changes to
 # crypto properties (Ciphers, MACs, ...) will not have any effect here.
 # They will be overridden by command-line options passed to the server
 # on command line.
 # Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
 {% else %}
 Ciphers {{ sshd_ciphers | join(',') }}
 KexAlgorithms {{ sshd_kex | join(',') }}
 MACs {{ sshd_macs | join(',') }}
 {% endif %}
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
 LogLevel {{ sshd_log_level }}
@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
 MaxAuthTries {{ sshd_max_auth_tries }}
 MaxSessions {{ sshd_max_sessions }}
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@ -71,12 +70,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication {{ sshd_hostbased_authentication }}
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts {{ sshd_ignore_rhosts }}
@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# WARNING: 'UsePAM no' is not supported on RH based systems and may
-# problems.
+# cause several problems.
 UsePAM yes
 AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
 #PrintLastLog no
 TCPKeepAlive {{ sshd_tcp_keep_alive }}
 #UseLogin no
 {% if ansible_distribution_major_version is version('8', '<') %}
 UsePrivilegeSeparation sandbox
 {% endif %}
 #PermitUserEnvironment no
 Compression {{ sshd_compression }}
 ClientAliveInterval {{ sshd_client_alive_interval }}
 ClientAliveCountMax {{ sshd_client_alive_count_max }}
 #ShowPatchLevel no
 UseDNS {{ sshd_use_dns }}
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
--- a/templates/etc/sysconfig/sshd.j2
+++ b/templates/etc/sysconfig/sshd.j2
@ -0,0 +1,20 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 # Configuration file for the sshd service.
 # The server keys are automatically generated if they are missing.
 # To change the automatic creation, adjust sshd.service options for
 # example using  systemctl enable sshd-keygen@dsa.service  to allow creation
 # of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
 # creation.
 # Do not change this option unless you have hardware random
 # generator and you REALLY know what you are doing
 SSH_USE_STRONG_RNG=0
 # SSH_USE_STRONG_RNG=1
 # System-wide crypto policy:
 # To opt-out, uncomment the following line
 CRYPTO_POLICY=