Provided is a tiny RESTful API that generates SSH certificates with specific limitations. See the work sample instructions for more details.
The application is pre-bundled for usage with docker-compose to make running the application easier.
To start the application, run docker-compose up.
test_app.py contains a basic test, which may help in
understanding how to interact with the API. Tests can
be run using docker-compose run web pytest -rA --disable-warnings.
The included Makefile contains most of the commands needed to set up the local and remote environments, and deploy the docker containers (locally and remotely).
-
In the
hostsfile, either replace the value ofansible_ssh_hostwith a real hostname, IP address, or a name that is registered in your.ssh/configfile. Ideally, you should add aaptible-work-sampleentry to.ssh/config. -
Also, replace the path to the ssh key you want to use in
hostsfile. -
In
docker-compose, replace theTODOplaceholders with real domain names and email addresses. -
Run
make playbook-setup. -
Run
make docker-context. -
Run
make compose-pull. -
Run
make compose-up.
Your remote host will now run an nginx proxy with letsencrypt certificates, proxying all traffic to flask on port 3000.
I would also enable the server's firewall (can be done with ansible) to close all ports except for 80, 443 and 22. For ssh, we would even listen on a port other than 22 (e.g. 2222) for security-by-obscurity and close 22. I would make sure that the following items are configured in /etc/ssh/sshd_config:
- PermitEmptyPasswords no
- PasswordAuthentication no (we only want to allow key-pair authentication on ssh).