feat: configure sudo with ssh-agent

01-configure/01-services.yaml

@@ -29,6 +29,9 @@
     - role: devsec.hardening.ssh_hardening
       tags: setup
       become: true
+    - role: sudo_with_ssh_agent
+      become: true
+      tags: ssh
     - role: andrewrothstein.starship
       tags: setup
     - role: nextcloud

01-configure/02-photos.yaml

@@ -31,9 +31,11 @@
     - role: devsec.hardening.ssh_hardening
       tags: setup
       become: true
-#    - role: andrewrothstein.starship
-#      tags: setup
-
+    - role: sudo_with_ssh_agent
+      become: true
+      tags: ssh
+    - role: andrewrothstein.starship
+      tags: setup,starship
     - role: escalate.swap
       become: true
       tags: app

01-configure/group_vars/all/devsec.ssh_hardening.yml

@@ -1,2 +1,3 @@
 ---
 network_ipv6_enable: false
+ssh_allow_agent_forwarding: true

01-configure/host_vars/pi/00-vars.yml

@@ -9,3 +9,7 @@ swap_config:
   CONF_SWAPFILE: /var/swap
   CONF_MAXSWAP: 4096
   # CONF_SWAPFACTOR: 2
+
+# Fix because pi4 os name is detected as unknown-linux-gnu otherwise
+starship_os_map:
+  Linux: unknown-linux-musl

01-configure/host_vars/pi/sylvainmetayer.workstation.hostname.yml

@@ -1,3 +1,3 @@
 ---
-hostname_name: finch
+hostname_name: reese
 hostname_fqdn: photos.sylvain.cloud

01-configure/roles/sudo_with_ssh_agent/tasks/main.yaml

@@ -0,0 +1,21 @@
+---
+# Source : https://unix.stackexchange.com/questions/520098/sudo-authentication-when-using-ssh-key-auth-with-keepassputty
+- name: Install required packages
+  ansible.builtin.package:
+    name: libpam-ssh-agent-auth
+    state: present
+
+- name: Enable PAM module
+  lineinfile:
+    insertafter: "#%PAM-1.0"
+    path: /etc/pam.d/sudo
+    state: present
+    line: "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
+
+- name: Ensure SSH agent is forwarded to sudo
+  lineinfile:
+    insertbefore: BOF
+    path: /etc/sudoers
+    state: present
+    line: 'Defaults env_keep += "SSH_AUTH_SOCK"'
+    validate: /usr/sbin/visudo -cf %s