c4ch3c4d3
115 lines
2.9 KiB
YAML
115 lines
2.9 KiB
YAML
- name: Install terminal prerequisites
|
|
become: true
|
|
apt:
|
|
name:
|
|
- openssh-server
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Ensure sshd drop-in directory exists
|
|
become: true
|
|
file:
|
|
path: /etc/ssh/sshd_config.d
|
|
state: directory
|
|
mode: "0755"
|
|
|
|
- name: Configure courseware loopback-only sshd policy
|
|
become: true
|
|
template:
|
|
src: sshd-courseware-terminal.conf.j2
|
|
dest: /etc/ssh/sshd_config.d/50-courseware-terminal.conf
|
|
mode: "0644"
|
|
register: courseware_terminal_sshd_config
|
|
|
|
- name: Ensure sshd runtime directory exists
|
|
become: true
|
|
file:
|
|
path: /run/sshd
|
|
state: directory
|
|
mode: "0755"
|
|
|
|
- name: Validate sshd configuration
|
|
become: true
|
|
command:
|
|
argv:
|
|
- /usr/sbin/sshd
|
|
- -t
|
|
- -f
|
|
- /etc/ssh/sshd_config
|
|
changed_when: false
|
|
|
|
- name: Start and enable sshd with systemd when available
|
|
become: true
|
|
systemd:
|
|
name: ssh
|
|
state: started
|
|
enabled: true
|
|
when: ansible_service_mgr == "systemd"
|
|
|
|
- name: Check for running sshd when systemd is unavailable
|
|
become: true
|
|
command: pgrep -x sshd
|
|
register: courseware_terminal_sshd_pid
|
|
changed_when: false
|
|
failed_when: false
|
|
when: ansible_service_mgr != "systemd"
|
|
|
|
- name: Reload running sshd when config changed outside systemd
|
|
become: true
|
|
command: pkill -HUP -x sshd
|
|
when:
|
|
- ansible_service_mgr != "systemd"
|
|
- courseware_terminal_sshd_pid.rc == 0
|
|
- courseware_terminal_sshd_config.changed
|
|
|
|
- name: Start sshd when it is not already running outside systemd
|
|
become: true
|
|
command:
|
|
argv:
|
|
- /usr/sbin/sshd
|
|
when:
|
|
- ansible_service_mgr != "systemd"
|
|
- courseware_terminal_sshd_pid.rc != 0
|
|
|
|
- name: Create contained WeTTY directory
|
|
file:
|
|
path: "{{ courseware_wetty_dir }}"
|
|
state: directory
|
|
mode: "0755"
|
|
|
|
- name: Install contained WeTTY runtime
|
|
command:
|
|
argv:
|
|
- npm
|
|
- install
|
|
- "{{ courseware_wetty_spec }}"
|
|
args:
|
|
chdir: "{{ courseware_wetty_dir }}"
|
|
creates: "{{ courseware_wetty_dir }}/node_modules/.bin/wetty"
|
|
environment:
|
|
PATH: "{{ courseware_node_runtime_bin_dir }}:{{ ansible_env.PATH }}"
|
|
|
|
- name: Check loopback sshd listener
|
|
become: true
|
|
command: ss -ltn
|
|
register: courseware_terminal_ss_listeners
|
|
changed_when: false
|
|
|
|
- name: Assert sshd is loopback-only
|
|
assert:
|
|
that:
|
|
- "'127.0.0.1:22' in courseware_terminal_ss_listeners.stdout"
|
|
- "'0.0.0.0:22' not in courseware_terminal_ss_listeners.stdout"
|
|
- "'[::]:22' not in courseware_terminal_ss_listeners.stdout"
|
|
fail_msg: "sshd must listen only on 127.0.0.1:22 for the browser terminal deployment."
|
|
|
|
- name: Assert WeTTY binary exists
|
|
stat:
|
|
path: "{{ courseware_wetty_dir }}/node_modules/.bin/wetty"
|
|
register: courseware_wetty_bin_stat
|
|
|
|
- name: Fail when WeTTY installation is incomplete
|
|
fail:
|
|
msg: "WeTTY was not installed under {{ courseware_wetty_dir }}."
|
|
when: not courseware_wetty_bin_stat.stat.exists
|