--- /dev/null
+---
+- name: SFTP Access Setup for a given user and a given directory
+ # needed facts (variables) from the commandline: (e.g. ansible-playbook -e "domain=example.com")
+ # - user: the user for SFTP access
+ # - password: the password for the SFTP user
+ # - path: the path to the directory for SFTP access
+ hosts: all
+ tasks:
+ - name: Creates a SFT access for {{user}} in {{path}}/jail and mount the {{path}} into the jail
+ import_tasks: ../tasks/t_sftp_c
\ No newline at end of file
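Review bot: The header comment at L4–L7 documents that `password` is supplied on the command line with `-e`, which leaves the plaintext secret in shell history and in the process list of every host that can run `ps`; prefer a `vars_prompt` entry for `password` with `private: true`, or a vault-encrypted vars file, and say so in the comment (the `-e "domain=example.com"` example also names a variable this playbook never uses — it should read `-e "user=... path=..."`). The task name at L10 has a typo, `Creates a SFT access` → `Creates SFTP access`, and `import_tasks: ../tasks/t_sftp_c` carries no `.yml` extension, so confirm the path matches the task file in the second half of this commit. The file also ends without a trailing newline.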
--- /dev/null
+- name: Ensure variable user exists
+ ansible.builtin.fail: msg="missing user and/or password and/or path, e.g. -e user=jonny"
+ when: user is not defined or password is not defined or path is not defined
+
+- name: Ensure SFTP group exists
+ ansible.builtin.group:
+ name: "sftpusers"
+ state: present
+
+- name: Ensure SFTP user exists with no login shell
+ ansible.builtin.user:
+ name: "{{ user }}"
+ group: "sftpusers"
+ shell: /usr/sbin/nologin
+ create_home: true
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ # Passwort kann hier direkt gesetzt werden, oder interaktiv abgefragt werden
+ # password: "{{ 'your_secure_password' | password_hash('sha512') }}" # Besser über Vault
+ # Oder besser: Benutzer wird zur Passwortänderung gezwungen
+ # expire: true
+
+- name: Add user to the group www-data
+ ansible.builtin.user:
+ name: "{{ user }}"
+ groups: "www-data"
+ append: yes
+ state: present
+
+- name: Ensure chroot base directory ownership and permissions
+ ansible.builtin.file:
+ path: "/home/jail/{{ user }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ recurse:
+
+#- name: Ensure target directory ownership and permissions
+# ansible.builtin.file:
+# path: "{{ target_dir }}"
+# state: directory
+# owner: "{{ sftp_user }}"
+# group: "{{ sftp_group }}"
+# mode: '0775'
+# recurse: yes # Wichtig, wenn Unterverzeichnisse existieren sollen
+
+- name: Backup sshd_config before modifying
+ ansible.builtin.copy:
+ src: "/etc/ssh/sshd_config"
+ dest: "/etc/ssh/sshd_config.{{ ansible_date_time.date | replace('-', '.') }}"
+ remote_src: true
+ changed_when: false
+
+- name: Ensure sshd_config uses internal-sftp and has Match Group block
+ ansible.builtin.lineinfile:
+ path: "/etc/ssh/sshd_config"
+ regexp: '^(Subsystem sftp |#Subsystem sftp ).*$'
+ line: 'Subsystem sftp internal-sftp'
+ backrefs: true
+
+- name: Add SFTP Match Group configuration to sshd_config
+ ansible.builtin.blockinfile:
+ path: "/etc/ssh/sshd_config"
+ block: |
+ Match User {{ user }}
+ ChrootDirectory /home/{{ user }}/jail
+ ForceCommand internal-sftp
+ AllowTCPForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ insertafter: EOF
+
+- name: Perform the bind mount from source_dir to target_dir
+ ansible.posix.mount:
+ src: "{{ path }}"
+ path: "/home/jail/{{ user }}/{{ path | basename}}"
+ opts: bind
+ state: mounted
+ fstype: none
+
+- name: Add bind mount to /etc/fstab for persistence
+ ansible.posix.mount:
+ src: "{{ path }}"
+ path: "/home/jail/{{ user }}/{{ path | basename }}"
+ opts: bind
+ state: present
+ fstype: none
+ dump: '0'
+ passno: '0'
+
+
+- name: Restart sshd service to apply changes
+ ansible.builtin.systemd:
+ name: sshd
+ state: restarted
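Review bot: The chroot paths disagree: L45 prepares `/home/jail/{{ user }}` as root-owned 0755 and the bind mounts at L90/L98 land under it, but the sshd block at L80 sets `ChrootDirectory /home/{{ user }}/jail`, a directory nothing in this commit creates, so the user either cannot log in or is chrooted somewhere other than the mounted data — change L80 to `ChrootDirectory /home/jail/{{ user }}` (sshd requires that directory and every parent to be root-owned and not group/world-writable, which only the L45 path satisfies). The `blockinfile` task at L75 uses the default marker, so running this play for a second user replaces the first user's `Match User` block; set `marker: "# {mark} ANSIBLE MANAGED BLOCK sftp {{ user }}"`. Both sshd_config edits at L68 and L75 should carry `validate: '/usr/sbin/sshd -t -f %s'` so a malformed block is rejected before the unconditional restart at L106 locks SSH access out of the host. Minor YAML points: the bare `recurse:` at L50 parses as null and should be dropped or made `recurse: false`, and `append: yes` at L40 should be `append: true`.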