From 1f92937db83f5364fca213868345fbb3f77f3ae7 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 1 Sep 2022 18:04:38 +0300 Subject: VMs on stamina: disable authorized_keys files Sponsored-by: author --- ansible/apt-dev.yml | 5 +++++ ansible/billion.yml | 5 +++++ ansible/clab-dev.yml | 5 +++++ ansible/debian-ansible-dev.yml | 5 +++++ ansible/ewww-dev.yml | 5 +++++ ansible/ewww-test.yml | 5 +++++ ansible/jt-dev.yml | 5 +++++ ansible/obnam-bench.yml | 5 +++++ ansible/obnam-dev.yml | 2 +- ansible/openpgp-ca-dev.yml | 5 +++++ ansible/openpgp-card-dev.yml | 5 +++++ ansible/python-mess.yml | 8 +++----- ansible/rikiwiki-dev.yml | 5 +++++ ansible/roadmap-dev.yml | 5 +++++ ansible/rust-dev.yml | 5 +++++ ansible/sequoia-dev.yml | 5 +++++ ansible/sequoia-web.yml | 5 +++++ ansible/ssh-dev.yml | 5 +++++ ansible/sshca-dev.yml | 5 +++++ ansible/stamina-vm-check.sh | 35 +++++++++++++++++++++++++++++++++++ ansible/subplot-dev.yml | 5 +++++ ansible/v-i-dev.yml | 5 +++++ ansible/vmadm-dev.yml | 5 +++++ ansible/vmdb2-dev.yml | 5 +++++ ansible/web.yml | 4 ++++ 25 files changed, 148 insertions(+), 6 deletions(-) create mode 100755 ansible/stamina-vm-check.sh diff --git a/ansible/apt-dev.yml b/ansible/apt-dev.yml index 763528f..54c3d99 100644 --- a/ansible/apt-dev.yml +++ b/ansible/apt-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -71,3 +73,6 @@ {{ liw_personal_ssh_pub }} - username: debian sudo: yes + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/billion.yml b/ansible/billion.yml index 1357964..841ad45 100644 --- a/ansible/billion.yml +++ b/ansible/billion.yml @@ -3,6 +3,8 @@ become: yes roles: - sane_debian_system + - role: sshd + tags: [sshd] - comfortable-debian-system - unix_users - self-updating-system @@ -20,3 +22,6 @@ - username: liw comment: Lars Wirzenius sudo: yes + + sshd_version: 1 + sshd_allow_authorized_keys: yes 
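Review bot: The subject line says authorized_keys files are being disabled, but the vars hunk added to ansible/apt-dev.yml sets `sshd_allow_authorized_keys: yes`, and the same two lines are added to every other playbook in this patch. ansible/obnam-dev.yml is even flipped from `no` to `yes`. The sshd role itself is not part of this patch, so the variable's effect is inferred from its name, but as written per-user key files appear to stay accepted on every listed VM. If the intent is to turn them off, the value should read `sshd_allow_authorized_keys: false`; if `yes` is a deliberate interim step, the commit message should say so.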
diff --git a/ansible/clab-dev.yml b/ansible/clab-dev.yml index 7817e21..5d386e3 100644 --- a/ansible/clab-dev.yml +++ b/ansible/clab-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -46,3 +48,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/debian-ansible-dev.yml b/ansible/debian-ansible-dev.yml index a4969f8..b8f2300 100644 --- a/ansible/debian-ansible-dev.yml +++ b/ansible/debian-ansible-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -61,3 +63,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/ewww-dev.yml b/ansible/ewww-dev.yml index f08a6a5..5a24d37 100644 --- a/ansible/ewww-dev.yml +++ b/ansible/ewww-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -50,3 +52,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/ewww-test.yml b/ansible/ewww-test.yml index 9b826ac..67b2123 100644 --- a/ansible/ewww-test.yml +++ b/ansible/ewww-test.yml @@ -3,6 +3,8 @@ become: yes roles: - role: sane_debian_system + - role: sshd + tags: [sshd] - role: unix_users - role: self-updating-system tasks: 
@@ -111,3 +113,6 @@ unix_users: - username: _ewww comment: Static web site content + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/jt-dev.yml b/ansible/jt-dev.yml index f355ac1..ccb405b 100644 --- a/ansible/jt-dev.yml +++ b/ansible/jt-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -43,3 +45,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/obnam-bench.yml b/ansible/obnam-bench.yml index 0d7f948..7b5c393 100644 --- a/ansible/obnam-bench.yml +++ b/ansible/obnam-bench.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: unix_users tags: [users] - role: rust-rustup @@ -44,3 +46,6 @@ unix_users: - username: liw comment: Lars Wirzenius + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/obnam-dev.yml b/ansible/obnam-dev.yml index 2a9c06e..332d3cb 100644 --- a/ansible/obnam-dev.yml +++ b/ansible/obnam-dev.yml @@ -67,4 +67,4 @@ flamegraph sshd_version: 1 - sshd_allow_authorized_keys: no + sshd_allow_authorized_keys: yes diff --git a/ansible/openpgp-ca-dev.yml b/ansible/openpgp-ca-dev.yml index 32f7bc8..52afa6c 100644 --- a/ansible/openpgp-ca-dev.yml +++ b/ansible/openpgp-ca-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: version-controller tags: [vcs] - role: unix_users @@ -41,3 +43,6 @@ unix_users: - username: liw comment: Lars Wirzenius + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/openpgp-card-dev.yml b/ansible/openpgp-card-dev.yml index b82d2b6..64d9904 100644 --- a/ansible/openpgp-card-dev.yml +++ b/ansible/openpgp-card-dev.yml 
@@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: version-controller tags: [vcs] - role: unix_users @@ -36,3 +38,6 @@ unix_users: - username: liw comment: Lars Wirzenius + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/python-mess.yml b/ansible/python-mess.yml index 9c3abb4..3cbdc91 100644 --- a/ansible/python-mess.yml +++ b/ansible/python-mess.yml @@ -4,8 +4,8 @@ roles: - role: sane_debian_system tags: [sane] - # - role: sshd - # tags: [sshd] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -38,6 +38,4 @@ sudo: yes sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key python-mess') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 python-mess') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" + sshd_allow_authorized_keys: yes diff --git a/ansible/rikiwiki-dev.yml b/ansible/rikiwiki-dev.yml index 31d5cfc..79c7139 100644 --- a/ansible/rikiwiki-dev.yml +++ b/ansible/rikiwiki-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -58,3 +60,6 @@ rustup_cargo_install: | flamegraph + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/roadmap-dev.yml b/ansible/roadmap-dev.yml index f2e5b02..ac98d3a 100644 --- a/ansible/roadmap-dev.yml +++ b/ansible/roadmap-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -39,3 +41,6 @@ - username: liw comment: Lars Wirzenius sudo: yes + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/rust-dev.yml b/ansible/rust-dev.yml index 7ea3993..23d9ba5 100644 --- a/ansible/rust-dev.yml +++ b/ansible/rust-dev.yml 
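Review bot: The vars hunk of ansible/python-mess.yml deletes `sshd_host_key`, `sshd_host_cert` and `sshd_user_ca_pub` and puts `sshd_allow_authorized_keys: yes` in their place, while the roles hunk re-enables the previously commented-out sshd role. Unless those three values are now supplied from somewhere outside this patch (group vars or role defaults, not visible here), the role would run on this host without a CA-signed host certificate or a trusted user CA, leaving authorized_keys as the only configured login path. Either keep the three lookups alongside the new line, or add a comment such as `# host key, host cert and user CA are set in <PLACEHOLDER: vars file>` so a reader can see where they come from.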
@@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -35,3 +37,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/sequoia-dev.yml b/ansible/sequoia-dev.yml index ea38646..6f1af3d 100644 --- a/ansible/sequoia-dev.yml +++ b/ansible/sequoia-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: unix_users tags: [users] - role: rust-rustup @@ -54,3 +56,6 @@ unix_users: - username: liw comment: Lars Wirzenius + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/sequoia-web.yml b/ansible/sequoia-web.yml index eb730e0..b769c9e 100644 --- a/ansible/sequoia-web.yml +++ b/ansible/sequoia-web.yml @@ -3,6 +3,8 @@ become: yes roles: - role: sane_debian_system + - role: sshd + tags: [sshd] - role: unix_users - role: comfortable-debian-system - role: liw @@ -106,3 +108,6 @@ comment: Lars Wirzenius - username: _ewww comment: Static web site content + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/ssh-dev.yml b/ansible/ssh-dev.yml index 09d67ff..3b05e70 100644 --- a/ansible/ssh-dev.yml +++ b/ansible/ssh-dev.yml @@ -3,6 +3,8 @@ become: yes roles: - role: sane_debian_system + - role: sshd + tags: [sshd] - role: unix_users vars: ansible_python_interpreter: /usr/bin/python3 @@ -15,3 +17,6 @@ unix_users_version: 2 unix_users: - username: liw + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/sshca-dev.yml b/ansible/sshca-dev.yml index c6843b0..dd5097a 100644 --- a/ansible/sshca-dev.yml +++ b/ansible/sshca-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users 
@@ -47,3 +49,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/stamina-vm-check.sh b/ansible/stamina-vm-check.sh new file mode 100755 index 0000000..0934ad4 --- /dev/null +++ b/ansible/stamina-vm-check.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -eu + +playbooks=" +apt-dev +billion +clab-dev +debian-ansible-dev +ewww-dev +ick2-dev +icktool +jt-dev +obnam-bench +obnam-dev +openpgp-ca-dev +openpgp-card-dev +python-mess +rikiwiki-dev +roadmap-dev +rust-dev +sequoia-dev +sequoia-web +ssh-dev +sshca-dev +subplot-dev +v-i-dev +vmadm-dev +vmdb2-dev +" + +for x in $playbooks; do + echo "$x" + ssh "$x" hostname +done diff --git a/ansible/subplot-dev.yml b/ansible/subplot-dev.yml index 643429f..71741e7 100644 --- a/ansible/subplot-dev.yml +++ b/ansible/subplot-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -49,3 +51,6 @@ unix_users: - username: liw comment: Lars Wirzenius + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/v-i-dev.yml b/ansible/v-i-dev.yml index 615f896..6c9e948 100644 --- a/ansible/v-i-dev.yml +++ b/ansible/v-i-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -47,3 +49,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/vmadm-dev.yml b/ansible/vmadm-dev.yml index cdfd428..2f5aaa5 100644 --- a/ansible/vmadm-dev.yml +++ b/ansible/vmadm-dev.yml 
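Review bot: The loop in the new ansible/stamina-vm-check.sh stops at the first host whose login fails, because `set -eu` aborts the script on a non-zero `ssh` exit, so the hosts later in the list are never checked after an sshd change. A plain `ssh "$x" hostname` can also fall back to an interactive prompt, which hides the fact that non-interactive login is broken. Initialise `failed=""` before the loop, run `ssh -o BatchMode=yes -o ConnectTimeout=10 "$x" hostname || failed="$failed $x"` inside it, and end with `[ -z "$failed" ]` so every host is tried and the exit status still reports a failure. The host list names ick2-dev and icktool, which get no playbook change in this patch, and omits ewww-test and web, which do; it is worth confirming that is intended.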
@@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -63,3 +65,6 @@ - username: liw comment: Lars Wirzenius sudo: yes + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/vmdb2-dev.yml b/ansible/vmdb2-dev.yml index e54f717..ef2cca6 100644 --- a/ansible/vmdb2-dev.yml +++ b/ansible/vmdb2-dev.yml @@ -4,6 +4,8 @@ roles: - role: sane_debian_system tags: [sane] + - role: sshd + tags: [sshd] - role: comfortable-debian-system tags: [comfy] - role: unix_users @@ -63,3 +65,6 @@ sane_debian_system_sources_lists: - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main signing_key: "{{ ci_prod_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/web.yml b/ansible/web.yml index ad17168..26f0602 100644 --- a/ansible/web.yml +++ b/ansible/web.yml @@ -3,6 +3,8 @@ become: yes roles: - role: sane_debian_system + - role: sshd + tags: [sshd] - role: unix_users - role: self-updating-system tasks: @@ -108,3 +110,5 @@ - username: _ewww comment: Static web site content + sshd_version: 1 + sshd_allow_authorized_keys: yes -- cgit v1.2.1