serversideup · jaydrogers · May 9, 2024 · May 7, 2024 · May 7, 2024 · May 7, 2024
diff --git a/.spin.example.yml b/.spin.example.yml
@@ -5,7 +5,9 @@
 server_timezone: "Etc/UTC"
 server_contact: [email protected]
 
-# SSH
+# If you the SSH port below, you may need to run `spin provision -p <your-default-ssh-port>`
+# to get a connection on your first provision. Otherwise, SSH will try connecting 
+# to your new port before the SSH server configuration is updated.
 ssh_port: "22"
 
 ## Email Notifications
@@ -58,4 +60,4 @@ docker_user:
 #     groups: ['adm','sudo']
 #     shell: "/bin/bash"
 #     authorized_keys:
-#       - public_key: "ssh-ed25519 AAAAC3NzaC1anotherfakekeyIMVIzwQXBzxxD9b8Erd1FKVvu bob"
+#       - public_key: "ssh-ed25519 AAAAC3NzaC1anotherfakekeyIMVIzwQXBzxxD9b8Erd1FKVvu bob"
diff --git a/.vscode/settings.json b/.vscode/settings.json
diff --git a/playbooks/provision.yml b/playbooks/provision.yml
@@ -1,14 +1,11 @@
 ---
 - name: Setup and provision Docker Swarm servers with Spin.
-  hosts: '{{ target | default("all") }}'
-  remote_user: '{{ remote_user | default("root") }}'
+  hosts: "{{ target | default('all') }}"
+  remote_user: "{{ ansible_user | default('root') }}"
   become: true
   vars:
+    ansible_port: "{{ ssh_port }}"
     ansible_ssh_common_args: "-o IgnoreUnknown=UseKeychain"
-  pre_tasks:
-    - name: Set ansible_ssh_port
-      set_fact:
-        ansible_ssh_port: "{{ ssh_port }}"
   roles:
     - serversideup.spin.linux_common
     - serversideup.spin.swarm
diff --git a/roles/linux_common/defaults/main.yml b/roles/linux_common/defaults/main.yml
@@ -9,6 +9,8 @@ server_contact: [email protected]
 ssh_port: "22"
 ssh_permit_root_login: "no"
 ssh_password_authentication: "no" 
+ssh_allow_tcp_forwarding: "yes"
+ssh_gateway_ports: "yes"
 
 
 ## Email Notifications

diff --git a/roles/linux_common/tasks/security.yml b/roles/linux_common/tasks/security.yml
@@ -1,11 +1,14 @@
-- name: Ensure secure SSH config is up to date.
+- name: Ensure SSH configurations are up to date.
   ansible.builtin.template:
-    src: "etc/ssh/sshd_config.d/spin-secure-ssh.conf.j2"
-    dest: "/etc/ssh/sshd_config.d/spin-secure-ssh.conf"
+    src: "etc/ssh/sshd_config.d/{{ item }}.j2"
+    dest: "/etc/ssh/sshd_config.d/{{ item }}"
     owner: root
     group: root
     mode: 0644
   notify: Restart ssh
+  with_items: 
+    - spin-secure-ssh.conf
+    - spin-ssh-tunnels.conf
 
 - name: Open the firewall port for SSH.
   community.general.ufw:

diff --git a/roles/linux_common/templates/etc/ssh/sshd_config.d/spin-ssh-tunnels.conf.j2 b/roles/linux_common/templates/etc/ssh/sshd_config.d/spin-ssh-tunnels.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+AllowTcpForwarding {{ ssh_allow_tcp_forwarding }}
+GatewayPorts {{ ssh_gateway_ports }}
diff --git a/roles/swarm/tasks/configure-docker-user.yml b/roles/swarm/tasks/configure-docker-user.yml
@@ -21,4 +21,12 @@
     state: present
     key: "{{ item }}"
   with_items: "{{ docker_user.authorized_ssh_keys }}"
-  when: docker_user.authorized_ssh_keys is defined
+  when: docker_user.authorized_ssh_keys is defined
+
+- name: Add public keys of admin or sudo users to Docker user
+  ansible.posix.authorized_key:
+    user: "{{ docker_user.username }}"
+    state: present
+    key: "{{ item.authorized_keys.0.public_key }}"
+  loop: "{{ users }}"
+  when: "'adm' in item.groups or 'sudo' in item.groups"