Stricter ssh and doas access - better version

Fix #34

We now use a unique evobsd_group (evolix by default).
Each user has 2 groups : evobsd_group and user.name.
Only evobsd_group can ssh to server and use doas.

I also added a password restrictions block for IPs/group.
And we make sure the home folder is only readable by owner.

roles/accounts/tasks/main.yml

@@ -1,20 +1,15 @@
 ---
-- name: "Create {{ evolinux_sudo_group }}"
+- name: "Create {{ evobsd_group }} group"
   group:
-    name: "{{ evolinux_sudo_group }}"
+    name: "{{ evobsd_group }}"
-    system: true
-
-- name: "Create {{ evolinux_ssh_group }}"
-  group:
-    name: "{{ evolinux_ssh_group }}"
     system: true
 
 - name: Create user accounts
   include: user.yml
   vars:
     user: "{{ item.value }}"
-  with_dict: "{{ evolinux_users }}"
+  with_dict: "{{ evolix_users }}"
-  when: evolinux_users != {}
+  when: evolix_users != {}
 
 - name: verify AllowGroups directive
   command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@@ -40,10 +35,10 @@
     ssh_allowgroups:
       "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
 
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
   lineinfile:
     dest: /etc/ssh/sshd_config
-    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    line: "\nAllowGroups {{ evobsd_group }}"
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
@@ -51,30 +46,33 @@
     - ssh_allowgroups
     - grep_allowgroups_ssh.rc == 1
 
-- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
   replace:
     dest: /etc/ssh/sshd_config
-    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
+    regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
-    replace: '\1 {{ evolinux_ssh_group }}'
+    replace: '\1 {{ evobsd_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
   when:
     - ssh_allowgroups
     - grep_allowgroups_ssh.rc == 0
 
-- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
+- name: "Security directives for EvoBSD"
-  replace:
+  blockinfile:
     dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
+    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
-    replace: '\1 {{ item.name }}'
+    block: |
+      Match Address {{ evolix_trusted_ips | join(',') }}
+          PasswordAuthentication yes
+      Match Group {{ evobsd_group }}
+          PasswordAuthentication no
+    insertafter: EOF
     validate: '/usr/sbin/sshd -t -f %s'
-  with_dict: "{{ evolinux_users }}"
   notify: reload sshd
   when:
-    - not ssh_allowgroups
+    - evolix_trusted_ips != []
-    - grep_allowusers_ssh == 1
 
-- name: disable root login
+- name: "Disable root login"
   replace:
     dest: /etc/ssh/sshd_config
     regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'

roles/accounts/tasks/user.yml

@@ -1,16 +1,31 @@
 ---
+- name: "Group '{{ user.name }}' is present"
+  group:
+    state: present
+    name: "{{ user.name }}"
+    gid: "{{ user.uid }}"
+
 - name: "User '{{ user.name }}' is present"
   user:
     state: present
     name: '{{ user.name }}'
     uid: '{{ user.uid }}'
     password: '{{ user.password_hash_openbsd }}'
+    group: "{{ user.name }}"
     groups: wheel
     shell: /bin/ksh
     append: true
   tags:
     - admin
 
+- name: "Home directory for '{{ user.name }}' is only accesible by owner"
+  file:
+    name: '/home/{{ user.name }}'
+    mode: "0700"
+    owner: "{{ user.name }}"
+    group: "{{ user.name }}"
+    state: directory
+
 - name: "SSH public keys for '{{ user.name }}' are present"
   authorized_key:
     user: "{{ user.name }}"
@@ -23,18 +38,10 @@
   tags:
     - admin
 
-- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_group }} group"
   user:
     name: "{{ user.name }}"
-    groups: "{{ evolinux_sudo_group }}"
+    groups: "{{ evobsd_group }}"
-    append: true
-  tags:
-    - admin
-
-- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group"
-  user:
-    name: "{{ user.name }}"
-    groups: "{{ evolinux_ssh_group }}"
     append: true
   tags:
     - admin

roles/base/templates/doas.conf.j2

@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq

vars/main.yml

@@ -8,9 +8,6 @@
 #
 # general_alert_email: "root@localhost"
 # general_technical_realm: "example.com"
-evolinux_ssh_group: "evolinux-ssh"
-evolinux_sudo_group: "evolinux-sudo"
-evolinux_root_disable_ssh: true
 #
 # evomaintenance_realm: "example.com"
 # evomaintenance_alert_email:
@@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true
 # evomaintenance_urgency_from: mama.doe@example.com
 # evomaintenance_urgency_tel: "06.00.00.00.00"
 #
+evobsd_group: "evolix"
+#
 # evolix_users:
 #  foo:
 #    name: foo