From deb9c4ecb1ba6b19b583dcf9df7eb3f75981fb35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?ok=C3=A4nd?=
Date: Wed, 10 Jun 2026 13:16:26 +0200
Subject: [PATCH] sftp and infuse role
---
 roles/sftp_conf/README.md | 2 ++
 roles/sftp_conf/files/10-nopassword.conf | 3 +++
 roles/sftp_conf/files/11-sftpaccess.conf | 4 ++++
 roles/sftp_conf/files/99-dropmatch.conf | 2 ++
 roles/sftp_conf/tasks/main.yml | 18 ++++++++++++++++++
 5 files changed, 29 insertions(+)
 create mode 100644 roles/sftp_conf/README.md
 create mode 100644 roles/sftp_conf/files/10-nopassword.conf
 create mode 100644 roles/sftp_conf/files/11-sftpaccess.conf
 create mode 100644 roles/sftp_conf/files/99-dropmatch.conf
 create mode 100644 roles/sftp_conf/tasks/main.yml
diff --git a/roles/sftp_conf/README.md b/roles/sftp_conf/README.md
new file mode 100644
index 0000000..192157d
--- /dev/null
+++ b/roles/sftp_conf/README.md
@@ -0,0 +1,2 @@
+# sftp
+disables password auth for ssh, then creates a user for infuse and allows it to use sftp with password anyway
\ No newline at end of file
diff --git a/roles/sftp_conf/files/10-nopassword.conf b/roles/sftp_conf/files/10-nopassword.conf
new file mode 100644
index 0000000..5c936a3
--- /dev/null
+++ b/roles/sftp_conf/files/10-nopassword.conf
@@ -0,0 +1,3 @@
+# disable password auth
+PasswordAuthentication no
+ChallengeResponseAuthentication no
diff --git a/roles/sftp_conf/files/11-sftpaccess.conf b/roles/sftp_conf/files/11-sftpaccess.conf
new file mode 100644
index 0000000..70acd1f
--- /dev/null
+++ b/roles/sftp_conf/files/11-sftpaccess.conf
@@ -0,0 +1,4 @@
+# allow password only for infuse
+Match User infuse
+PasswordAuthentication yes
+ForceCommand internal-sftp
diff --git a/roles/sftp_conf/files/99-dropmatch.conf b/roles/sftp_conf/files/99-dropmatch.conf
new file mode 100644
index 0000000..d08aacb
--- /dev/null
+++ b/roles/sftp_conf/files/99-dropmatch.conf
@@ -0,0 +1,2 @@
+# drop user matches again
+Match all
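Review bot: `ChallengeResponseAuthentication` in 10-nopassword.conf is a deprecated alias (OpenSSH 8.7 and later) for `KbdInteractiveAuthentication`; on a current sshd the PAM keyboard-interactive password prompt is governed by the new name, so keep both spellings and add `KbdInteractiveAuthentication no` beneath it. The effect of this file also depends on sshd's first-obtained-value rule and on the drop-in directory being included in lexical order, which is why the `10-` prefix matters; that assumption deserves a comment such as `# sshd keeps the first value it reads; this file must sort before any other drop-in that sets PasswordAuthentication`.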
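Review bot: `ForceCommand internal-sftp` in 11-sftpaccess.conf restricts only the session command, so the password-authenticated `infuse` account keeps the other channel types sshd grants by default (TCP, agent and X11 forwarding); for an SFTP-only account the Match block should also carry `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no`, and a `ChrootDirectory` if the account only needs its own tree. That is the standard sftp-only Match block documented in sshd_config(5) and costs nothing here since the block already exists.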
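Review bot: Putting `Match all` in a separate 99-dropmatch.conf only closes the `Match User infuse` block for drop-ins that sort after `99-`; any file sorting between `11-` and `99-` (a distribution- or cloud-init-supplied `50-*.conf` is common, though none is visible in this patch) is read inside the Match block, and a keyword there that is not permitted in Match blocks makes sshd reject the whole configuration. The robust form is to end 11-sftpaccess.conf itself with `Match all` and drop this file; failing that, replace the comment with one that states the ordering contract, e.g. `# must sort after every drop-in that follows 11-sftpaccess.conf; anything between them is scoped to Match User infuse`.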
diff --git a/roles/sftp_conf/tasks/main.yml b/roles/sftp_conf/tasks/main.yml
new file mode 100644
index 0000000..46b3763
--- /dev/null
+++ b/roles/sftp_conf/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Add infuse user
+  become: true
+  ansible.builtin.user:
+    name: infuse
+    uid: 1001
+    shell: /usr/sbin/nologin
+    password: $6$PsOR1shOjC3iPF17$RiSD0NjSHNbnfN.cf5xqeLfzR9M4ySq3fnBPQ6Ng/zznALcMdwLbZ.OBft6gXn2F6qf.HxTvo.i4NxwmVdIQE/
+
+- name: Add sftp-config
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: /etc/ssh/sshd_config.d/{{ item.src }}
+    mode: "0644"
+  loop:
+    - src: 10-nopassword.conf
+    - src: 11-sftpaccess.conf
+    - src: 99-dropmatch.conf
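Review bot: The `password:` line in the "Add infuse user" task commits the account's SHA-512 crypt hash to version control, exposing it to offline cracking by anyone with repository access for the one account this role deliberately leaves reachable by password; move the hash into an `ansible-vault`-encrypted variable and reference it as `password: "{{ infuse_password_hash }}"` (quoting also keeps the `$`-prefixed value a plain string). The "Add sftp-config" task writes the sshd drop-ins but nothing reloads sshd, so the hardening only takes effect after a reboot or manual restart; add `notify: Reload sshd` to that task together with a `handlers/main.yml` containing an `ansible.builtin.service` task that reloads the `ssh`/`sshd` service, and consider `validate: /usr/sbin/sshd -t -f %s` on the copy so a broken drop-in never lands. The fixed `uid: 1001` may collide with an existing first user on the target; presumably intended, but a `uid` variable or a comment stating why that number is required would make the intent explicit.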