dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity

r/doas: Configure sudo alternative 

In the spirit of replacing bloated tools with unnecessary functionality
with smaller, more focused alternatives, we can use `doas` instead of
`sudo`.  Originally, it was a BSD tool, but the Linux port supports PAM,
so we can still use `pam_auth_ssh_agent` for ppasswordless
authentication.
dynamic-inventory
Dustin 2024-11-23 20:01:37 -06:00
parent c95a96a33c
commit 7a5f01f8a3
4 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
group_vars/all.yml
View File

@ -5,6 +5,11 @@ managed_users:
groups: groups:
- wheel - wheel
doas_authorized_ssh_keys: |
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
sshca_url: https://sshca.pyrocufflink.blue sshca_url: https://sshca.pyrocufflink.blue
ssh_trusted_user_ca_keys: >- ssh_trusted_user_ca_keys: >-
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue

7
roles/doas/files/pam.conf Normal file
View File

@ -0,0 +1,7 @@
#%PAM-1.0
auth required pam_ssh_agent_auth.so file=/etc/security/doas.authorized_keys
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth

31
roles/doas/tasks/main.yml Normal file
View File

@ -0,0 +1,31 @@
- name: ensure required packages are installed
package:
name:
- libuser
- opendoas
- pam_ssh_agent_auth
state: present
tags:
- install
- name: ensure pam is configured for doas
copy:
src: pam.conf
dest: /etc/pam.d/doas
owner: root
group: root
mode: u=rw,go=r
tags:
- pam
- pam-ssh-agent
- name: ensure doas authorized ssh_keys are configured
copy:
dest: /etc/security/doas.authorized_keys
content: '{{ doas_authorized_ssh_keys }}'
mode: u=rw,go=r
owner: root
group: root
tags:
- pam-ssh-agent
- pam-ssh-agent-keys

4
users.yml
View File

@ -1,4 +1,8 @@
- hosts: all - hosts: all
roles:
- role: doas
tags:
- doas
tasks: tasks:
- name: ensure users exist - name: ensure users exist
user: user: