Increment the ip

9e768de8 · Weise, Martin · ee355572 · 9e768de8 · 9e768de8
Verified Commit 9e768de8 authored 3 years ago by Weise, Martin
--- a/create-user.yml
+++ b/create-user.yml
@@ -41,7 +41,6 @@
 - hosts: proidentity
  vars_files:
    - vars/auth.yml
-    - vars/secure.yml
  vars_prompt:
    - name: first
      prompt: First name of the user account?
@@ -120,20 +119,23 @@
      rescue:
        - name: Delete profile
-          become: yes
          command: "/usr/local/sbin/vpnrm {{ username }}"
    - name: Block
      block:
        - name: Retrieve address
-          command: grep -oP "(\d+\.\d+\.\d+\.\d+)" /root/.bashrc
+          command: "cat /home/sysadmin/cur_ip"
          register: ip_result
        - name: Create firewall zone
          command: "firewall-cmd --permanent --new-zone='{{ username }}'"
        - name: Create firewall rule
-          command: "firewall-cmd --permanent --zone='{{ username }}' --add-rich-rule='rule family=\"ipv4\" source address=\"{{ ip_result.stdout }}\" port protocol=\"tcp\" port=\"22\" accept'"
+          ansible.posix.firewalld:
+            zone: "{{ username }}"
+            source: "{{ ip_result.stdout }}"
+            permanent: yes
+            state: enabled
      rescue:
        - name: Delete firewall zone

--- a/roles/setup_node/templates/vpn.cfg.j2
+++ b/roles/setup_node/templates/vpn.cfg.j2
@@ -30,10 +30,10 @@ packages:
 runcmd:
  - /root/rsyslog-init && logger "Configured rsyslog"
  - /root/firewall-init && logger "Configured firewalld"
-  - /root/2fa-init && logger "Configured two-factor authentication"
  - /root/idm-init && logger "Configured identity client"
  - /usr/bin/rm -f /root/idm-init
  - /root/init-hosts && logger "Configured initial hosts"
+  - /root/init-ip && logger "Configured initial ip"
  - /usr/local/sbin/vpnsetup && logger "Installed OpenVPN Access Server"
  - /usr/local/sbin/vpnadd sysadmin && logger "Added sysadmin profile"
  - /usr/local/sbin/vpnadd dbadmin && logger "Added dbadmin profile"
@@ -94,6 +94,12 @@ write_files:
      logger "Enable ip forwarding ..."
      echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+  - path: /root/init-ip
+    permissions: '0744'
+    content: |
+      #!/bin/bash
+      sudo -H -u sysadmin echo "10.8.0.2" > /home/sysadmin/cur_ip
  - path: /usr/local/sbin/vpnadd
    permissions: '0744'
    content: |
@@ -105,17 +111,18 @@ write_files:
      export CLIENT=$1
      export PASS="1"
      /usr/local/sbin/vpnconfig
-      echo "ipconfig-push $(nextip) 255.255.255.255" > /etc/openvpn/ccd/$1
+      echo "ipconfig-push $(/usr/local/sbin/nextip) 255.255.255.255" > /etc/openvpn/ccd/$1
  - path: /usr/local/sbin/nextip
    permissions: '0744'
    content: |
      #!/bin/bash
+      CURRENT_VPN_IP=$(cat /home/sysadmin/cur_ip)
      echo "$CURRENT_VPN_IP"
      IP_HEX=$(printf '%.2X%.2X%.2X%.2X\n' `echo $CURRENT_VPN_IP | sed -e 's/\./ /g'`)
      NEXT_IP_HEX=$(printf %.8X `echo $(( 0x$IP_HEX + 1 ))`)
      NEXT_IP=$(printf '%d.%d.%d.%d\n' `echo $NEXT_IP_HEX | sed -r 's/(..)/0x\1 /g'`)
-      sed -i "s/CURRENT_VPN_IP.*/CURRENT_VPN_IP=$NEXT_IP/g" /root/.bashrc
+      echo "$NEXT_IP" > /home/sysadmin/cur_ip
  - path: /usr/local/sbin/vpnrevoke
    permissions: '0744'
@@ -158,32 +165,6 @@ write_files:
      echo '{{ idm_adm_passwd }}' | kinit admin
      ipa hostgroup-add-member corenodes --hosts=vpn.ossdip.at
-  - path: /root/2fa-init
-    permissions: '0744'
-    content: |
-      #!/bin/bash
-      logger "Configuring two-factor authentication ..."
-      /usr/bin/dnf install -y epel-release
-      /usr/bin/dnf install -y google-authenticator
-      sudo -H -u sysadmin bash -c '/usr/bin/google-authenticator --time-based --disallow-reuse --window-size=5 --rate-limit=1 --rate-time=15 --force --qr-mode=none --emergency-codes=0 --quiet'
-      # /usr/bin/chattr +i /home/sysadmin/.google_authenticator # prevent change of mfa
-      # pam
-      echo "auth       required     pam_google_authenticator.so secret=\${HOME}/.google_authenticator" >> /etc/pam.d/sshd
-      sed -i "s/^auth *substack *password-auth */# auth substack password-auth/g" /etc/pam.d/sshd
-      # selinux prevents google-authenticator pam
-      sudo setenforce 0
-      # ssh.d config
-      sed -i "s/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/g" /etc/ssh/sshd_config
-      sed -i "s/^UsePAM.*/UsePAM yes/g" /etc/ssh/sshd_config
-      cat <<EOF >> /etc/ssh/sshd_config
-      Match Group mfa
-          X11Forwarding yes
-          AllowTcpForwarding yes
-          PermitTTY yes
-          AuthenticationMethods publickey,keyboard-interactive
-      EOF
-      /bin/systemctl restart sshd
  - path: /root/init-hosts
    permissions: '0744'
    content: |