From a198991d2e3ded6a2f7798b02609a0ba7b189c61 Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Tue, 11 Mar 2025 21:38:57 +0100
Subject: [PATCH] feat: enhance SSHFS configuration in Ansible tasks for improved security and flexibility

---
 config/ansible/tasks/servers/sshfs.yml | 52 +++++++++++++-------------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/config/ansible/tasks/servers/sshfs.yml b/config/ansible/tasks/servers/sshfs.yml
index 87504c5..4cf3e0d 100644
--- a/config/ansible/tasks/servers/sshfs.yml
+++ b/config/ansible/tasks/servers/sshfs.yml
@@ -1,6 +1,14 @@
 ---
 - name: Configure SSHFS
 block:
+ - name: SSHFS Details
+ ansible.builtin.set_fact:
+ sshfs_user: "{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username') }}"
+ sshfs_pass: "{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }}"
+ sshfs_host: "{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
+ sshfs_port: 23
+ remote_path: /mnt/storage-box
+
 - name: Install SSHFS package
 become: true
 ansible.builtin.package:
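Review bot: The `SSHFS Details` set_fact task stores the 1Password password in `sshfs_pass` without `no_log: true`, so the value is printed in `-v` task output and, if fact caching is enabled on the controller, persisted alongside the other facts. Add `no_log: true` to that task; the same gap applies to the credentials `copy` task and the `sshfs` `command` task in the second hunk, which both interpolate `sshfs_pass` and would echo it in verbose or registered output. The `Configure SSHFS` block that contains these tasks continues past the end of this hunk.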
@@ -10,43 +18,33 @@
 - name: Create mount point directory
 become: true
 ansible.builtin.file:
- path: /mnt/storage-box
+ path: "{{ remote_path }}"
 state: directory
 mode: '0755'
- - name: Create credentials file
+ - name: Create credentials file for SSHFS
 become: true
 ansible.builtin.copy:
- dest: /root/.smbcredentials
- content: |
- username=u451316
- password={{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }}
+ content: "username={{ sshfs_user }}\npassword={{ sshfs_pass }}"
+ dest: /etc/sshfs-credentials
 mode: '0600'
+ owner: root
+ group: root
- - name: Create password file for SSHFS
- become: true
- ansible.builtin.copy:
- dest: /root/.sshfs_password
- content: "{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }}"
- mode: '0600'
-
- - name: Add fstab entry for SSHFS mount
+ - name: Add fstab entry for SSHFS
 become: true
 ansible.builtin.lineinfile:
 path: /etc/fstab
- line: "sshfs#{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username') }}@{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}: /mnt/storage-box fuse.sshfs defaults,_netdev,port=23,password_stdin,password_file=/root/.sshfs_password,uid=1000,gid=100,reconnect,allow_other,ServerAliveInterval=15 0 0"
- regexp: "^sshfs#.*{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}:"
+ line: "sshfs#{{ sshfs_user }}@{{ sshfs_host }}: {{ remote_path }} fuse.sshfs _netdev,credentials=/etc/sshfs-credentials,port={{ sshfs_port }},reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,uid=1000,gid=1000 0 0"
 state: present
- notify: Systemctl daemon-reload
+ regexp: "^sshfs#.*{{ remote_path }}"
+ backup: true
- - name: Mount SSHFS storage
+ - name: Mount SSHFS filesystem
 become: true
- ansible.builtin.mount:
- path: /mnt/storage-box
- src: "sshfs#{{ lookup('onepassword', 
'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username') }}@{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}:"
- fstype: fuse.sshfs
- opts: "defaults,_netdev,port=23,password_stdin,password_file=/root/.sshfs_password,uid=1000,gid=100,reconnect,allow_other,ServerAliveInterval=15"
- state: mounted
-
- - name: Handlers
- ansible.builtin.meta: flush_handlers
+ ansible.builtin.command:
+ cmd: "sshfs {{ sshfs_user }}@{{ sshfs_host }}:/ {{ remote_path }} -o port={{ sshfs_port }},password_stdin,_netdev,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3"
+ stdin: "{{ sshfs_pass }}"
+ register: mount_result
+ changed_when: mount_result.rc == 0
+ failed_when: mount_result.rc != 0 and "already mounted" not in mount_result.stderr
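Review bot: The new fstab `line:` passes `credentials=/etc/sshfs-credentials`, which is a mount.cifs option; as far as I can tell fuse.sshfs has no option to read a username/password from a file, so the boot-time mount has no way to authenticate and the credentials file written by the `copy` task above is never consumed by sshfs. The standard non-interactive path is key-based auth, e.g. `IdentityFile=<PATH_TO_DEPLOY_KEY>` (placeholder) in the fstab options, which would also let the plaintext credentials file and the `password_stdin` command be removed. Separately, the fstab source `{{ sshfs_host }}:` mounts the server's default directory while the `cmd:` below mounts `{{ sshfs_host }}:/`, so the mount created by this play and the one restored at boot expose different remote trees; pick one and use it in both places. The `changed_when: mount_result.rc == 0` also reports a change on every run, and the `"already mounted"` substring in `failed_when` should be checked against the exact message the installed sshfs/fusermount emits. The enclosing `Configure SSHFS` block starts before this hunk.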