From 1dd471f09e41a575a6c78c854b3ddc56b7cdcab9 Mon Sep 17 00:00:00 2001 From: LinuxSquare Date: Sat, 24 Aug 2024 00:53:33 +0200 Subject: [PATCH] add podman --- openssh/config.ansible.yml | 6 +- openssh/files/openssh_authorized_keys | 1 + openssh/files/openssh_sshd_config | 130 ++++++++++++++++++++++++++ podman/directory.ansible.yml | 9 ++ podman/files/files_unprivileged_ports | 1 + podman/init.ansible.yml | 6 +- podman/pkg.ansible.yml | 9 ++ podman/rootless.ansible.yml | 32 +++++++ podman/service.ansible.yml | 13 +++ podman/user.ansible.yml | 24 +++++ 10 files changed, 227 insertions(+), 4 deletions(-) create mode 100644 openssh/files/openssh_authorized_keys create mode 100644 openssh/files/openssh_sshd_config create mode 100644 podman/directory.ansible.yml create mode 100644 podman/files/files_unprivileged_ports create mode 100644 podman/pkg.ansible.yml create mode 100644 podman/rootless.ansible.yml create mode 100644 podman/service.ansible.yml create mode 100644 podman/user.ansible.yml
diff --git a/openssh/config.ansible.yml b/openssh/config.ansible.yml
index 0524294..c347815 100644
--- a/openssh/config.ansible.yml
+++ b/openssh/config.ansible.yml
@@ -4,20 +4,20 @@
 template:
 src: files/openssh_sshd_config
 dest: /etc/ssh/sshd_config
- mode: '0644'
+ mode: "0644"
 owner: root
 group: root
 - name: Configure root .ssh directory
 file:
 state: directory
 path: /root/.ssh
- mode: '0755'
+ mode: "0755"
 owner: root
 group: root
 - name: Configure root authorized_keys
 template:
 src: files/openssh_authorized_keys
 dest: /root/.ssh/authroized_keys
- mode: '0644'
+ mode: "0644"
 owner: root
 group: root
diff --git a/openssh/files/openssh_authorized_keys b/openssh/files/openssh_authorized_keys
new file mode 100644
index 0000000..f2fa2a7
--- /dev/null
+++ b/openssh/files/openssh_authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2kBMGGTKYtcIC8oJSqG0BvUXabIYyttte06pGtJ3f5
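Review bot: The destination of the root authorized_keys task, on the unchanged context line `dest: /root/.ssh/authroized_keys`, is misspelled, so the key lands in a file that the `AuthorizedKeysFile .ssh/authorized_keys` directive in this commit's sshd_config never reads, and root's key-based login (the only form `PermitRootLogin prohibit-password` permits) cannot work from this playbook. Change it to `dest: /root/.ssh/authorized_keys`. While touching the task, `mode: "0700"` for /root/.ssh and `mode: "0600"` for the key file are the conventional permissions; the current values pass StrictModes but leave the key list world-readable.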
diff --git a/openssh/files/openssh_sshd_config b/openssh/files/openssh_sshd_config
new file mode 100644
index 0000000..7595638
--- /dev/null
+++ b/openssh/files/openssh_sshd_config
@@ -0,0 +1,130 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+Port 22
+#AddressFamily any
+ListenAddress 127.0.0.1
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/podman/directory.ansible.yml b/podman/directory.ansible.yml
new file mode 100644
index 0000000..3013417
--- /dev/null
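Review bot: `ListenAddress 127.0.0.1` near the top of the hunk binds sshd to loopback only, so once this file is deployed the host accepts no SSH connections from the network; unless access is meant to come solely through a local tunnel or console, this should be the host's interface address or the default (the line left commented). The password paths are left at their shipped defaults (`#PasswordAuthentication yes`, `#KbdInteractiveAuthentication yes`) even though nothing in the commit depends on them — root is `prohibit-password` and puser's password is locked — so set `PasswordAuthentication no` and `KbdInteractiveAuthentication no` explicitly, making key-only access a property of the configuration rather than of account state. Note that `Include /etc/ssh/sshd_config.d/*.conf` precedes every directive here and sshd keeps the first value it reads for an option, so any drop-in in that directory silently overrides the hardening below it. Finally, the file is Fedora's template (see the `UsePAM` warning and `Subsystem sftp /usr/libexec/openssh/sftp-server`), while the podman playbooks target an OpenRC host; the sftp-server path may differ there and should be verified against the installed package.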
+++ b/podman/directory.ansible.yml
@@ -0,0 +1,9 @@
+- hosts: localhost
+ tasks:
+ - name: Create podman directory
+ file:
+ path: /opt/podman
+ owner: puser
+ group: puser
+ state: directory
+ mode: "0755"
diff --git a/podman/files/files_unprivileged_ports b/podman/files/files_unprivileged_ports
new file mode 100644
index 0000000..c74c392
--- /dev/null
+++ b/podman/files/files_unprivileged_ports
@@ -0,0 +1 @@
+net.ipv4.ip_unprivileged_port_start=0
diff --git a/podman/init.ansible.yml b/podman/init.ansible.yml
index 24ca4e1..453c82e 100644
--- a/podman/init.ansible.yml
+++ b/podman/init.ansible.yml
@@ -1 +1,5 @@
-- import_playbook:
+- import_playbook: pkg.ansible.yml
+- import_playbook: rootless.ansible.yml
+- import_playbook: user.ansible.yml
+- import_playbook: directory.ansible.yml
+- import_playbook: service.ansible.yml
diff --git a/podman/pkg.ansible.yml b/podman/pkg.ansible.yml
new file mode 100644
index 0000000..907687b
--- /dev/null
+++ b/podman/pkg.ansible.yml
@@ -0,0 +1,9 @@
+- hosts: localhost
+ tasks:
+ - name: Install podman package
+ package:
+ state: present
+ name:
+ - podman
+ - podman-openrc
+ - podman-compose
diff --git a/podman/rootless.ansible.yml b/podman/rootless.ansible.yml
new file mode 100644
index 0000000..d0c672d
--- /dev/null
+++ b/podman/rootless.ansible.yml
@@ -0,0 +1,32 @@
+- hosts: localhost
+ tasks:
+ - name: cgroup mode
+ lineinfile:
+ path: "/etc/rc.conf"
+ regexp: "^rc_cgroup_mode.?=.?"
+ line: rc_cgroup_mode="unified"
+ - name: cgroups service
+ service:
+ name: cgroups
+ enabled: true
+ - name: rootless modules
+ lineinfile:
+ state: present
+ path: /etc/modules
+ insertafter: EOF
+ line: |
+ tun
+ fuse
+ ip_tables
+ - name: subgid
+ lineinfile:
+ state: present
+ path: /etc/subgid
+ insertafter: EOF
+ line: puser:100000:65536
+ - name: subuid
+ lineinfile:
+ state: present
+ path: /etc/subuid
+ insertafter: EOF
+ line: puser:100000:65536
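Review bot: `net.ipv4.ip_unprivileged_port_start=0` in files_unprivileged_ports is a host-wide sysctl, not a per-user one: once applied, every unprivileged process on the machine — not only puser's rootless containers — may bind any port below 1024, which removes the protection that keeps an unprivileged process from taking over a service port such as SSH's while the daemon is restarting. Set the floor to the lowest port the containers actually publish (for example `net.ipv4.ip_unprivileged_port_start=80` if only 80/443 are needed), or leave the default and publish high host ports instead. The file is only written by the template task in service.ansible.yml later in this commit, so the value takes effect on the host when that sysctl drop-in is loaded.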
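Review bot: The "rootless modules" task in rootless.ansible.yml hands a three-line block to `lineinfile`, which manages single lines: the `line: |` value is inserted as one string and is never matched on a later run (no single line of /etc/modules equals the whole block), so `tun`, `fuse` and `ip_tables` — plus an extra blank line from the block scalar's kept trailing newline — are appended again on every play. Use one line per item, `line: "{{ item }}"` with `loop: [tun, fuse, ip_tables]` on the task and `insertafter: EOF` dropped, or switch to `blockinfile`, whose marker lines make the block itself idempotent. The subuid/subgid tasks below use the same module correctly, since their exact `puser:100000:65536` line is what the idempotence check compares against.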
diff --git a/podman/service.ansible.yml b/podman/service.ansible.yml
new file mode 100644
index 0000000..48363f3
--- /dev/null
+++ b/podman/service.ansible.yml
@@ -0,0 +1,13 @@
+- hosts: localhost
+ tasks:
+ - name: Enable podman service
+ service:
+ name: podman
+ enabled: true
+ - name: Podman unprivileged ports
+ template:
+ src: files/files_unprivileged_ports
+ dest: /etc/sysctl.d/podman.conf
+ owner: root
+ group: root
+ mode: "0644"
diff --git a/podman/user.ansible.yml b/podman/user.ansible.yml
new file mode 100644
index 0000000..53dfb80
--- /dev/null
+++ b/podman/user.ansible.yml
@@ -0,0 +1,24 @@
+- hosts: localhost
+ tasks:
+ - name: Create puser user
+ user:
+ uid: 2000
+ name: puser
+ shell: /bin/zsh
+ home: /home/puser
+ password: "*"
+ create_home: true
+ - name: puser .ssh dir
+ file:
+ state: directory
+ path: /home/puser/.ssh
+ mode: "0755"
+ owner: puser
+ group: puser
+ - name: puser authorized_keys
+ template:
+ src: ../openssh/files/openssh_authorized_keys
+ dest: /home/puser/.ssh/authorized_keys
+ mode: "0644"
+ owner: puser
+ group: puser
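Review bot: Neither task in service.ansible.yml changes the running system: `service:` with only `enabled: true` adds podman to the boot runlevel without starting it (no `state: started`), and the `template:` task writes /etc/sysctl.d/podman.conf without reloading sysctl, so the unprivileged-port floor stays at 1024 until the next boot. Add `state: started` to the service task, and either notify a handler that reloads sysctl or replace the one-line template with the `sysctl` module (`name: net.ipv4.ip_unprivileged_port_start`, `value: "0"`, `sysctl_file: /etc/sysctl.d/podman.conf`, `reload: true`). The cgroups task in rootless.ansible.yml has the same `enabled:`-only shape.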
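Review bot: `shell: /bin/zsh` in user.ansible.yml names a shell that no task in this commit installs (pkg.ansible.yml lists only the podman packages), so unless zsh is provisioned elsewhere the account is created with a nonexistent login shell and interactive SSH sessions as puser fail at login; `shell: /bin/sh` or adding zsh to the package list resolves it. `password: "*"` correctly leaves the account key-only. For the key material, `mode: "0700"` on /home/puser/.ssh and `mode: "0600"` on authorized_keys are the conventional permissions; the 0755/0644 here satisfy sshd's StrictModes but leave the key list readable by every local user, including anything running in the containers if a home directory is ever bind-mounted. Note also that this installs the same public key file that openssh/config.ansible.yml deploys for root, so a single private key grants both the container user and root; a separate key for puser keeps those roles distinct.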