From 5700ab7c64f5c776198cec33f671a91655b150f7 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 13:56:10 -0600
Subject: [PATCH] feat: Add runtime config for ssh proxy

---
 ansible/cluster.yml                           |  1 +
 ansible/group_vars/all                        |  4 +++
 ansible/group_vars/prod                       |  5 ++++
 ansible/roles/ssh_proxy_config/tasks/main.yml | 13 +++++++++
 .../templates/sshpiperd.yaml.j2               | 28 +++++++++++++++++++
 5 files changed, 51 insertions(+)
 create mode 100644 ansible/roles/ssh_proxy_config/tasks/main.yml
 create mode 100644 ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2

diff --git a/ansible/cluster.yml b/ansible/cluster.yml
index 609d2fa..a84fec6 100644
--- a/ansible/cluster.yml
+++ b/ansible/cluster.yml
@@ -8,3 +8,4 @@
     - { name: 'ldap_config', tags: 'ldap_config' }
     - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
     - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 78a9c64..2e8fa6c 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -42,3 +42,7 @@
 # AWS credentials
   LTS_ACCESS_KEY: ""
   LTS_SECRET_KEY: ""
+
+# ssh proxy
+  enable_ssh_proxy_config: false
+  sshpiper_dest_dir: "/opt/sshpiper"
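Review bot: `target_groups`, which the new template iterates over, gets no default here while `enable_ssh_proxy_config` does, so flipping the flag on in any inventory other than prod fails the template task with an undefined-variable error rather than a clear message. Adding `target_groups: []` beside the two new keys documents the contract, and a short `ansible.builtin.assert` on `target_groups | length > 0` at the top of the role's tasks would fail early with a readable reason. A one-line comment such as `# list of {name, host, default, authorized_keys, private_key}; see group_vars/prod` next to the default would tell the next maintainer what shape the role expects.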
diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index 7c7964e..5c694d2 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -17,3 +17,8 @@
   bright_openldap_path: "/cm/local/apps/openldap"
   ldap_cert_path: "{{bright_openldap_path}}/etc/certs"
   ldap_uri: "ldaps://ldapserver"
+
+  # proxy_config
+  target_groups:
+    - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
+    - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
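Review bot: The two `target_groups` entries use single-line flow mappings with Python-style `False`/`True` and JSON-quoted keys, which reads and diffs poorly and mixes quoting conventions with the rest of this file. PyYAML accepts `True`/`False` as booleans, but the canonical `true`/`false` is what the template's `{% if not group.default %}` test expects readers to look for. Block style with one key per line, as below, keeps each line well under the length limit and makes a later per-group field (for example a host-key entry) a one-line change.
```yaml
  # proxy_config
  target_groups:
    - name: "gpfs5"
      host: "login002"
      default: false
      authorized_keys: "/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys"
      private_key: "/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"
    - name: "gpfs4"
      host: "login001"
      default: true
      authorized_keys: "/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys"
      private_key: "/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"
```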
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
new file mode 100644
index 0000000..d3ec3bd
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshpiper yaml plugin
+  ansible.builtin.template:
+    src: sshpiperd.yaml.j2
+    dest: "{{ sshpiper_dest_dir }}/sshpiperd.yaml"
+    backup: true
+
+- name: Enable and start sshpiper service
+  ansible.builtin.service:
+    name: sshpiperd
+    enabled: true
+    state: restarted
+
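Review bot: `state: restarted` on the service task restarts sshpiperd on every play run, not only when the rendered config changed, which drops any sessions currently flowing through the proxy and makes the role non-idempotent. The usual shape is `state: started` here, `notify: Restart sshpiperd` on the template task, and a handler in `handlers/main.yml` that does the restart; if the yaml plugin re-reads its file per connection (worth confirming against the plugin's documentation) the handler may not even be necessary. The template task would also benefit from an explicit `mode: "0644"` so the rendered file's permissions do not depend on the controller's umask, and the trailing blank `+` line at the end of the file is something yamllint flags.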
diff --git a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2 b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
new file mode 100644
index 0000000..4597108
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/yaml/schema.json
+version: "1.0"
+pipes:
+{% for group in target_groups %}
+{% if not group.default %}
+- from:
+    - groupname: "{{ group.name }}"
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+- from:
+    - groupname: "{{ group.name }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+{% else %}
+- from:
+    - username: ".*" # catch all
+      username_regex_match: true
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+{% endif %}
+{% endfor %}
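Review bot: Every `to:` stanza sets `ignore_hostkey: true`, so the proxy never verifies the identity of `login001`/`login002` and cannot detect a spoofed or substituted upstream between the proxy and the login nodes. Since the upstream hosts are fixed per group, pinning their keys is a small change: add a per-group `known_hosts` (or inline `known_hosts_data`) entry to `target_groups` and render `known_hosts: "{{ group.known_hosts }}"` in place of `ignore_hostkey: true` in all three stanzas, checking the field names against the schema linked on the first line. The second pipe for non-default groups (groupname only, no `authorized_keys` or `private_key`) carries no authentication material, so it is not clear from the template what it is meant to match; a comment such as `# fallback pipe: relies on <mechanism> for auth` would make the intent explicit.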
-- 
GitLab