Set up for SSH uploads to ftp.buildbot.net

This involved modifying the ssh role to accept parameters (and invoking
it for service hosts!), and modify the user role to install SSH keys.

group_vars/ftp

@@ -0,0 +1,2 @@
+internal_ip: 192.168.80.243
+

jail-ftp.yml

@@ -12,5 +12,19 @@
   - role: ftp
     ftp_root: "{{ ftp_root }}"
     ftp_hostname: "{{ ftp_hostname }}"
+  # run a specialized SSH daemon to receive uploads from other internal hosts
+  - role: ssh
+    sshd_port: 2200
+    listen_address: "{{ internal_ip }}"
+    extra_config: |
+        Match User buildbot
+            ChrootDirectory /data/ftp/
+            ForceCommand internal-sftp
+  - role: user
+    user_id: buildbot
+    user_name: Buildbot Uploader
+    authorized_key: >
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7YoNGKRZJxVbvxQpGBX1FuhWC0Nq2+fe+wVD16cgaOk4iDjeKdQ4eZACIlcMi5REXfTO+e9Hzmr85DUmy+BAKx0PqzLj6BhmnZnoQbQe3WAsmWSIuUSqKqilM4RnkDUWrDvhdyMGIH4ELfrebJt5ZnNLbOTk6BAQiygF/1xNeYPvcjxfUG1NXUHlKJ9qnf1cph7Pw6YOe8SF8kJTxwDiSJSG0aGsfas4zLVgmcPHdjsFRuOFOxFlVpFKzu3toaZyXPSeTOAaoaIHkfaEahBExXyd7b8L/0fcFumWK6qwIA5dFDWGkIaEMBdX6/giV+gvz9UJQ75gxVtn0y8MbFEMD9iduGbIX5FSOFNmbEkNubW5M74G7igMtqk+dUbVSMOoy4NO2vPnXH0iBMPkkzPEmAro3/q/J5QTEbIB39H99dbGnOR1iwbBhCqVJERAAECteoHsXKHsNhL9IYqDp2KKPVHmxZybqtJo4SKSzNvjfK50ojYcIAAVlBsFZ+9p0Aj8CADA3L0Ont7RPs9Dcoad1la9kkC1v6Bol5O1huRM8qjXRPOT1W01JH+UvM8r1EKNKRgV/uVr+Zl1Ln84GvPMX4cdz+ky2L5mlE9w6RonBqJnJg16i7eQXCE6iwOjQ2XHK+TBeoQDGHmww+ACUmVx9NR+I4Q9cWMjteLx3Q+YMtQ== buildbot@ftp.buildbot.net
+
 
 # vim:ts=2:sw=2:noai:nosi

roles/base-servicehost/meta/main.yml

@@ -1,3 +1,4 @@
 ---
 dependencies:
 - base
+- ssh

roles/ftp/meta/main.yml

@@ -11,3 +11,4 @@ dependencies:
   server_name: "{{ ftp_hostname }}"
   server_root: "{{ ftp_root }}"
   ssl: True
+

roles/ssh/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# parameters that can be tweaked for running ssh in jails, for example
+sshd_port: 22
+listen_address: "{{ ansible_default_ipv4.address }}"
+extra_config:

roles/ssh/tasks/main.yml

@@ -1,38 +1,9 @@
 ---
-- name: disable root login via SSH
-  lineinfile:
+- name: configure sshd
+  template:
+    src: "sshd_config.j2"
     dest: "/etc/ssh/sshd_config"
-    regexp: "^(?i)PermitRootLogin"
-    line: "PermitRootLogin no"
-    state: present
-
-- name: disable password authentication
-  lineinfile:
-    dest: "/etc/ssh/sshd_config"
-    regexp: "^(?i)PasswordAuthentication"
-    line: "PasswordAuthentication no"
-    state: present
-
-- name: disable challenge-response authentication
-  lineinfile:
-    dest: "/etc/ssh/sshd_config"
-    regexp: "^(?i)ChallengeResponseAuthentication"
-    line: "ChallengeResponseAuthentication no"
-    state: present
-
-- name: enable listening on hosts' default (public) IP only
-  lineinfile:
-    dest: "/etc/ssh/sshd_config"
-    regexp: "^(?i)ListenAddress"
-    line: "ListenAddress {{ ansible_default_ipv4.address }}"
-    state: present
-
-- name: enable sftp subsystem
-  lineinfile:
-    dest: "/etc/ssh/sshd_config"
-    regexp: "^(?i)Subsystem\\s+sftp"
-    line: "Subsystem sftp /usr/libexec/sftp-server"
-    state: present
+  notify: restart sshd
 
 - name: enable sshd
   service:

roles/ssh/templates/sshd_config.j2

@@ -0,0 +1,13 @@
+Port {{ sshd_port }}
+ListenAddress {{ listen_address }}
+
+# these are always disabled
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+Subsystem sftp /usr/libexec/sftp-server
+
+{% if extra_config %}
+{{ extra_config }}
+{% endif %}

roles/user/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# set this to the text of a public key to allow that key to authenticate
+# as this user
+authorized_key:

roles/user/tasks/main.yml

@@ -5,6 +5,12 @@
     comment: "{{ user_name }}"
     state: present
 
+- name: add authorized keys
+  authorized_key:
+    user: "{{ user_id }}"
+    key: "{{ authorized_key }}"
+  when: authorized_key
+
 # NOTE: the information will only be available until the next use of `getent`
 - name: get user information
   getent: