Provided is a tiny RESTful API that generates SSH certificates with specific limitations. See the work sample instructions for more details.
The application is pre-bundled for usage with docker-compose to make running the application easier.
To start the application, run `docker-compose up`.
`test_app.py` contains a basic test, which may help in understanding how to interact with the API. Tests can be run using `docker-compose run web pytest -rA --disable-warnings`.
The included Makefile contains most of the commands needed to set up the local and remote environments, and deploy the docker containers (locally and remotely).
- In the `hosts` file, replace the value of `ansible_ssh_host` with a real hostname, an IP address, or a name that is registered in your `.ssh/config` file. Ideally, you should add an `aptible-work-sample` entry to `.ssh/config`.
- Also, replace the path to the SSH key you want to use in the `hosts` file.
- In `docker-compose`, replace the `TODO` placeholders with real domain names and email addresses.
- Run `make playbook-setup`.
- Run `make docker-context`.
- Run `make compose-pull`.
- Run `make compose-up`.
Your remote host will now run an nginx proxy with Let's Encrypt certificates, proxying all traffic to Flask on port 3000.
I would also enable the server's firewall (this can be done with Ansible) to close all ports except 80, 443 and 22. For SSH, we could even listen on a port other than 22 (e.g. 2222) and close 22. Note that this is security by obscurity: it cuts down on automated scanner noise and log spam, but it is not a control on its own and does not replace the authentication hardening below. I would make sure that the following items are configured in `/etc/ssh/sshd_config`:
- `PermitEmptyPasswords no`
- `PasswordAuthentication no` (we only want to allow key-pair authentication on SSH, so `PubkeyAuthentication yes`, the sshd default, must remain in effect).
After editing the file, validate it with `sshd -t` before reloading the service, so that a typo does not lock you out of the remote host.
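As an added example (not part of the work sample or its Makefile), the following POSIX shell script audits an `sshd_config` for the directives listed above. It honours two sshd parsing rules that trip up naive `grep` checks: the first occurrence of a keyword wins, and anything after a `Match` line applies only to that match block, so a `PasswordAuthentication no` inside a `Match` does not count as the global setting. The two sample configs it writes are constructed for the demo; the function and file names are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives the README
# asks for. Not part of the work sample. Sample configs below are constructed.

# check_sshd_config <file>
# Prints one line per failed check; returns 0 when every required directive is
# present (globally, before any Match block) with the expected value.
check_sshd_config() {
  file="$1"
  rc=0
  # Required directives. sshd keywords are case-insensitive; values are compared
  # lowercased for robustness. PubkeyAuthentication is the sshd default but we
  # want it stated explicitly, as the README asks for explicit configuration.
  for spec in "PermitEmptyPasswords no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
    key=${spec%% *}
    want=${spec#* }
    # Strip comments, normalise "Key=value" to "Key value", stop at the first
    # Match block (later lines are conditional), and take the FIRST occurrence
    # of the keyword, which is the one sshd uses.
    got=$(sed -e 's/#.*//' -e 's/=/ /' "$file" \
          | awk -v k="$key" 'tolower($1)=="match"{exit} tolower($1)==tolower(k){print $2; exit}')
    if [ -z "$got" ]; then
      echo "MISSING: $key not set globally (sshd default applies)"
      rc=1
    elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
      echo "WRONG: $key is '$got', expected '$want'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a hardened config as described in the README.
sample_good_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Port 2222
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
  echo "$f"
}

# Constructed sample: a typical distro default where password auth is still on
# globally and only turned off inside a Match block.
sample_bad_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Port 22
PasswordAuthentication yes   # globally on
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication no
EOF
  echo "$f"
}

# Usage: ./audit_sshd.sh /etc/ssh/sshd_config
# With no argument, runs the audit over the two constructed samples.
if [ -n "${1:-}" ]; then
  check_sshd_config "$1"
else
  for f in "$(sample_good_config)" "$(sample_bad_config)"; do
    echo "== $f"
    check_sshd_config "$f" && echo "OK" || echo "FAIL"
  done
fi
```

Running it without arguments reports the constructed "good" file as OK and flags the "bad" one twice: `PasswordAuthentication` is globally `yes` (the `Match` override does not help), and `PubkeyAuthentication` is not set explicitly. For the real host, run it against `/etc/ssh/sshd_config` after the playbook, alongside `sshd -t`.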