mirror of
https://github.com/phfroidmont/self-hosting.git
synced 2025-12-25 21:57:00 +01:00
131 lines
4.7 KiB
YAML
131 lines
4.7 KiB
YAML
---
|
|
# All nodes may use the ssh proxy user to connect to any other node
|
|
# to use point-to-point tunnelling.
|
|
|
|
# remove existing interfaces in case of an error so we don't run out of ip addresses
|
|
- name: Remove existing tunnel interfaces
|
|
include: ssh-down.yml
|
|
|
|
- name: Add the proxy user
|
|
user:
|
|
name: "{{ proxy_ssh_user }}"
|
|
shell: /bin/false
|
|
|
|
- name: Allow point-to-point tunnelling for the ssh proxy user
|
|
blockinfile:
|
|
block: |
|
|
# sshproxy start
|
|
Match User {{ proxy_ssh_user }}
|
|
AllowTcpForwarding yes
|
|
PermitTunnel point-to-point
|
|
ForceCommand /bin/false
|
|
# sshproxy end
|
|
dest: "/etc/ssh/sshd_config"
|
|
validate: "/usr/sbin/sshd -T -f %s"
|
|
notify: reload sshd
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: Create ssh private key
|
|
shell: yes '' | ssh-keygen -N ''
|
|
args:
|
|
chdir: "/home/{{ proxy_ssh_user }}"
|
|
creates: "/home/{{ proxy_ssh_user }}/.ssh/id_rsa.pub"
|
|
become: True
|
|
become_method: su
|
|
become_flags: '-s /bin/sh'
|
|
become_user: "{{ proxy_ssh_user }}"
|
|
|
|
- name: Read public key
|
|
slurp:
|
|
src: "/home/{{ proxy_ssh_user }}/.ssh/id_rsa.pub"
|
|
register: public_key_result
|
|
|
|
- name: Set public key fact
|
|
set_fact:
|
|
proxy_ssh_public_key: "{{ public_key_result.content | b64decode | trim }}"
|
|
|
|
- block:
|
|
- name: Set authorized keys
|
|
authorized_key:
|
|
user: "{{ proxy_ssh_user }}"
|
|
key: "{{ item }}"
|
|
with_items: "{{ hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_ssh_public_key', 'defined') | map(attribute='proxy_ssh_public_key') | list }}"
|
|
|
|
- name: Create tunnel interfaces on the router host
|
|
shell:
|
|
cmd: |
|
|
bash -s <<'EOF'
|
|
{{ lookup('template', './tunnel.j2') }}
|
|
EOF
|
|
register: tun_result
|
|
with_items: "{{ hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', False) | map(attribute='inventory_hostname') | list }}"
|
|
|
|
- name: Set created interfaces fact
|
|
set_fact:
|
|
proxy_ssh_tunnel_map: "{{ tun_result.results | map(attribute='stdout') | map('from_json') | list }}"
|
|
|
|
- name: Add tunnel iptables (1/2)
|
|
iptables:
|
|
chain: FORWARD
|
|
in_interface: "{{ proxy_interface }}"
|
|
out_interface: "{{ item.interface }}"
|
|
ctstate:
|
|
- RELATED
|
|
- ESTABLISHED
|
|
jump: ACCEPT
|
|
with_items: "{{ proxy_ssh_tunnel_map }}"
|
|
|
|
- name: Add tunnel iptables (2/2)
|
|
iptables:
|
|
chain: FORWARD
|
|
in_interface: "{{ item.interface }}"
|
|
out_interface: "{{ proxy_interface }}"
|
|
jump: ACCEPT
|
|
with_items: "{{ proxy_ssh_tunnel_map }}"
|
|
|
|
when: inventory_hostname == proxy_router_hostname
|
|
|
|
- block:
|
|
- set_fact: proxy_target="{{ ( hostvars[proxy_router_hostname].proxy_ssh_tunnel_map | selectattr('target_hostname', '==', inventory_hostname) | list )[0] }}"
|
|
|
|
- block:
|
|
- shell: "ip route get 169.254.42.42 | head -n1 | sed -E 's/.+ dev ([^ ]+).+/\\1/'"
|
|
register: result
|
|
|
|
- set_fact: proxy_private_interface="{{ result.stdout }}"
|
|
|
|
when: proxy_private_interface | length == 0
|
|
|
|
# TODO edit /etc/network/interfaces (?) to apply rules on network up
|
|
- name: Create tunnel interface on the target hosts
|
|
shell:
|
|
cmd: |
|
|
bash -s <<'EOF'
|
|
echo "## sshproxy" > /etc/network/interfaces.d/{{ proxy_target.interface }}
|
|
ip tuntap add mode tun dev {{ proxy_target.interface }}
|
|
ip addr add {{ proxy_target.target_ip }}/30 peer {{ proxy_target.router_ip }} dev {{ proxy_target.interface }}
|
|
ip link set dev {{ proxy_target.interface }} up
|
|
|
|
DEFAULT_GATEWAY=$(ip route | awk '$3 == "{{ proxy_private_interface }}" { print $1 }' | cut -d'/' -f1)
|
|
ip route add 10.0.0.0/8 via $DEFAULT_GATEWAY dev {{ proxy_private_interface }}
|
|
ip route add 169.254.0.0/16 via $DEFAULT_GATEWAY dev {{ proxy_private_interface }}
|
|
ip route add 172.16.0.0/12 via $DEFAULT_GATEWAY dev {{ proxy_private_interface }}
|
|
ip route add 192.168.0.0/16 via $DEFAULT_GATEWAY dev {{ proxy_private_interface }}
|
|
ip route replace default via {{ proxy_target.target_ip }}
|
|
EOF
|
|
|
|
- name: Establish the SSH tunnel
|
|
shell: |
|
|
ssh -N -f \
|
|
-w {{ proxy_target.interface_id }}:{{ proxy_target.interface_id }} \
|
|
-o StrictHostKeyChecking=no \
|
|
-o UserKnownHostsFile=/dev/null \
|
|
{{ hostvars[proxy_router_hostname]['ansible_' + proxy_private_interface].ipv4.address }} &
|
|
echo $!
|
|
become: True
|
|
become_method: su
|
|
become_flags: '-s /bin/sh'
|
|
become_user: "{{ proxy_ssh_user }}"
|
|
|
|
when: inventory_hostname in hostvars[proxy_router_hostname].proxy_ssh_tunnel_map | map(attribute='target_hostname') | list
|