From 728527c63c0025df04bb18f889659a898a9340a8 Mon Sep 17 00:00:00 2001 From: Hamatoma Date: Fri, 4 Jul 2025 08:39:56 +0200 Subject: [PATCH] V0.1.2 Korrekturen, SFTP - 90_wartung: Korrektur Playbookname - mysql_create_db_and_user.yaml: Korrektur Name - neu: sftp_create.yaml und t_sftp_create.yaml - CreateSysInfo: Verbesserung Log
---
CHANGELOG.md | 8 ++ docu/de/90_wartung.md | 2 +- .../mysql_create_db_and_user.yaml | 2 +- playbooks.templates/sftp_create.yaml | 10 ++ tasks.templates/t_sftp_create.yaml | 96 +++++++++++++++++++ templates.fix/scripts/CreateSysInfo | 2 +- templates.local/scripts/ExampleBackup | 0 7 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 playbooks.templates/sftp_create.yaml create mode 100644 tasks.templates/t_sftp_create.yaml mode change 100644 => 100755 templates.local/scripts/ExampleBackup
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f31eb6..ff15207 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# V0.1.2 Korrekturen, SFTP
+
+- 90_wartung: Korrektur Playbookname
+- mysql_create_db_and_user.yaml: Korrektur Name
+- neu: sftp_create.yaml und t_sftp_create.yaml
+- CreateSysInfo: Verbesserung Log
+
+
 # V0.1.1 - templates.fix/scripts: new: BtrSnapshot, SvWebapp
diff --git a/docu/de/90_wartung.md b/docu/de/90_wartung.md
index b6c6558..29bb1b6 100644
--- a/docu/de/90_wartung.md
+++ b/docu/de/90_wartung.md
@@ -57,7 +57,7 @@ ansible-playbook playbooks/system_files.yaml ### Benutzte Playbooks bei Installation - i_10_basic.yaml - i_11_user.yaml -- i_15_server.yaml +- i_15_server_packages.yaml - i_17_configuration.yaml - i_20_nginx.yaml - i_30_mariadb.yaml
diff --git a/playbooks.templates/mysql_create_db_and_user.yaml b/playbooks.templates/mysql_create_db_and_user.yaml
index 035db8d..ee36fd6 100644
--- a/playbooks.templates/mysql_create_db_and_user.yaml
+++ b/playbooks.templates/mysql_create_db_and_user.yaml
@@ -11,4 +11,4 @@
 - ../vars/mysql.yaml
 tasks:
 - name: Create the database adminstrator {{dba_name}}
- import_tasks : ../tasks/t_mysql_db_and_user.yaml
+ import_tasks : ../tasks/t_mysql_create_db_and_user.yaml
diff --git a/playbooks.templates/sftp_create.yaml b/playbooks.templates/sftp_create.yaml
new file mode 100644
index 0000000..207bc93
--- /dev/null
+++ b/playbooks.templates/sftp_create.yaml
@@ -0,0 +1,10 @@
+---
+- name: SFTP Access Setup for a given user and a given directory
+ # needed facts (variables) from the commandline: (e.g. ansible-playbook -e "domain=example.com")
+ # - user: the user for SFTP access
+ # - password: the password for the SFTP user
+ # - path: the path to the directory for SFTP access
+ hosts: all
+ tasks:
+ - name: Creates a SFT access for {{user}} in {{path}}/jail and mount the {{path}} into the jail
+ import_tasks: ../tasks/t_sftp_c
\ No newline at end of file
diff --git a/tasks.templates/t_sftp_create.yaml b/tasks.templates/t_sftp_create.yaml
new file mode 100644
index 0000000..e44e656
--- /dev/null
+++ b/tasks.templates/t_sftp_create.yaml
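Review bot: The playbook's only task imports `../tasks/t_sftp_c`, which is truncated and does not match the new task file `tasks.templates/t_sftp_create.yaml` added in the same commit, so the play fails at import time before anything runs; the line should read `import_tasks: ../tasks/t_sftp_create.yaml`, and the file should end with a newline. The header comment's example `-e "domain=example.com"` shows a variable this playbook does not use; `-e "user=... password=... path=..."` would document the three facts the comment lists. `Creates a SFT access` in the task name looks like a typo for `SFTP`.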
@@ -0,0 +1,96 @@
+- name: Ensure variable user exists
+ ansible.builtin.fail: msg="missing user and/or password and/or path, e.g. -e user=jonny"
+ when: user is not defined or password is not defined or path is not defined
+
+- name: Ensure SFTP group exists
+ ansible.builtin.group:
+ name: "sftpusers"
+ state: present
+
+- name: Ensure SFTP user exists with no login shell
+ ansible.builtin.user:
+ name: "{{ user }}"
+ group: "sftpusers"
+ shell: /usr/sbin/nologin
+ create_home: true
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ # Passwort kann hier direkt gesetzt werden, oder interaktiv abgefragt werden
+ # password: "{{ 'your_secure_password' | password_hash('sha512') }}" # Besser über Vault
+ # Oder besser: Benutzer wird zur Passwortänderung gezwungen
+ # expire: true
+
+- name: Add user to the group www-data
+ ansible.builtin.user:
+ name: "{{ user }}"
+ groups: "www-data"
+ append: yes
+ state: present
+
+- name: Ensure chroot base directory ownership and permissions
+ ansible.builtin.file:
+ path: "/home/jail/{{ user }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ recurse:
+
+#- name: Ensure target directory ownership and permissions
+# ansible.builtin.file:
+# path: "{{ target_dir }}"
+# state: directory
+# owner: "{{ sftp_user }}"
+# group: "{{ sftp_group }}"
+# mode: '0775'
+# recurse: yes # Wichtig, wenn Unterverzeichnisse existieren sollen
+
+- name: Backup sshd_config before modifying
+ ansible.builtin.copy:
+ src: "/etc/ssh/sshd_config"
+ dest: "/etc/ssh/sshd_config.{{ ansible_date_time.date | replace('-', '.') }}"
+ remote_src: true
+ changed_when: false
+
+- name: Ensure sshd_config uses internal-sftp and has Match Group block
+ ansible.builtin.lineinfile:
+ path: "/etc/ssh/sshd_config"
+ regexp: '^(Subsystem sftp |#Subsystem sftp ).*$'
+ line: 'Subsystem sftp internal-sftp'
+ backrefs: true
+
+- name: Add SFTP Match Group configuration to sshd_config
+ ansible.builtin.blockinfile:
+ path:
"/etc/ssh/sshd_config" + block: | + Match User {{ user }} + ChrootDirectory /home/{{ user }}/jail + ForceCommand internal-sftp + AllowTCPForwarding no + X11Forwarding no + PermitTunnel no + insertafter: EOF + +- name: Perform the bind mount from source_dir to target_dir + ansible.posix.mount: + src: "{{ path }}" + path: "/home/jail/{{ user }}/{{ path | basename}}" + opts: bind + state: mounted + fstype: none + +- name: Add bind mount to /etc/fstab for persistence + ansible.posix.mount: + src: "{{ path }}" + path: "/home/jail/{{ user }}/{{ path | basename }}" + opts: bind + state: present + fstype: none + dump: '0' + passno: '0' + + +- name: Restart sshd service to apply changes + ansible.builtin.systemd: + name: sshd + state: restarted diff --git a/templates.fix/scripts/CreateSysInfo b/templates.fix/scripts/CreateSysInfo index 6dba4d4..1d614ff 100644 --- a/templates.fix/scripts/CreateSysInfo +++ b/templates.fix/scripts/CreateSysInfo @@ -123,7 +123,7 @@ if [ ! -f /usr/local/bin/local/CreateSysInfo.conf ]; then echo "+++ missing /usr/local/bin/local/CreateSysInfo.conf" ShowConfig elif [ -z "$DIR_INFO" -o ! -d "$DIR_INFO" ]; then - echo "+++ missing DIR_INFO" + echo "+++ missing DIR_INFO $DIR_INFO" ShowConfig else DoIt diff --git a/templates.local/scripts/ExampleBackup b/templates.local/scripts/ExampleBackup old mode 100644 new mode 100755 -- 2.39.5