authorChristian Pointner <equinox@spreadspace.org>2018-12-09 13:49:00 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-12-09 13:49:00 +0100
commitefaa87a06f6c34d7d8863f1b675176a4b88291b4 (patch)
treec8e65326d6ad9b276aa46b62e1e876a68227643b
parentapt without with_items (diff)
refactoring sshserver role
-rw-r--r--inventory/host_vars/calypso.yml2
-rw-r--r--inventory/host_vars/dione.yml2
-rw-r--r--inventory/host_vars/helene.yml2
-rw-r--r--inventory/host_vars/sk2013.yml2
-rw-r--r--inventory/host_vars/sk2016.yml2
-rw-r--r--inventory/host_vars/telesto.yml2
-rw-r--r--inventory/host_vars/thetys.yml2
-rw-r--r--roles/sshserver/tasks/main.yml22
8 files changed, 19 insertions, 17 deletions
diff --git a/inventory/host_vars/calypso.yml b/inventory/host_vars/calypso.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/calypso.yml
+++ b/inventory/host_vars/calypso.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
admin_user_host:
- "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/inventory/host_vars/dione.yml b/inventory/host_vars/dione.yml
index 75b289c2..0470b8b7 100644
--- a/inventory/host_vars/dione.yml
+++ b/inventory/host_vars/dione.yml
@@ -7,7 +7,7 @@ base_packages_extra_host:
admin_user_host:
- "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
docker_lvm:
vg: dione
diff --git a/inventory/host_vars/helene.yml b/inventory/host_vars/helene.yml
index b40fb069..3b01b589 100644
--- a/inventory/host_vars/helene.yml
+++ b/inventory/host_vars/helene.yml
@@ -7,7 +7,7 @@ base_packages_extra_host:
admin_user_host:
- "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
docker_lvm:
vg: helene
diff --git a/inventory/host_vars/sk2013.yml b/inventory/host_vars/sk2013.yml
index c1bf2728..21e2b29a 100644
--- a/inventory/host_vars/sk2013.yml
+++ b/inventory/host_vars/sk2013.yml
@@ -1,5 +1,5 @@
---
-sshserver_allowusers_host:
+ssh_allowusers_host:
- backuppc
- equinox
- dan
diff --git a/inventory/host_vars/sk2016.yml b/inventory/host_vars/sk2016.yml
index 73e59d75..d6bd5ae5 100644
--- a/inventory/host_vars/sk2016.yml
+++ b/inventory/host_vars/sk2016.yml
@@ -1,5 +1,5 @@
---
-sshserver_allowusers_host:
+ssh_allowusers_host:
- backuppc
- equinox
- dan
diff --git a/inventory/host_vars/telesto.yml b/inventory/host_vars/telesto.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/telesto.yml
+++ b/inventory/host_vars/telesto.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
admin_user_host:
- "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/inventory/host_vars/thetys.yml b/inventory/host_vars/thetys.yml
index ff853586..8105a76b 100644
--- a/inventory/host_vars/thetys.yml
+++ b/inventory/host_vars/thetys.yml
@@ -7,4 +7,4 @@ base_packages_extra_host:
admin_user_host:
- "{{ equinox_user }}"
-sshserver_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
diff --git a/roles/sshserver/tasks/main.yml b/roles/sshserver/tasks/main.yml
index cd4c5043..e638905b 100644
--- a/roles/sshserver/tasks/main.yml
+++ b/roles/sshserver/tasks/main.yml
@@ -6,24 +6,26 @@
- name: hardening ssh-server config
lineinfile:
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
+ regexp: "^#?\\s*{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
dest: /etc/ssh/sshd_config
mode: 0644
- with_items:
- - { regexp: "^#?\\s*IgnoreRhosts", line: "IgnoreRhosts yes" }
- - { regexp: "^#?\\s*PermitRootLogin", line: "PermitRootLogin without-password" }
- - { regexp: "^#?\\s*PubkeyAuthentication", line: "PubkeyAuthentication yes" }
- - { regexp: "^#?\\s*HostbasedAuthentication", line: "HostbasedAuthentication no" }
- - { regexp: "^#?\\s*PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
- - { regexp: "^#?\\s*UseDNS", line: "UseDNS no" }
+ with_dict:
+ IgnoreRhosts: "yes"
+ PermitRootLogin: "without-password"
+ PubkeyAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ PermitEmptyPasswords: "no"
+ UseDNS: "no"
+ loop_control:
+ label: "{{ item.key }}"
notify: restart ssh
- name: limit allowed users
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
notify: restart ssh
- name: install ssh keys for root
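Review bot: The generic pattern on the new `regexp:` line, `^#?\s*{{ item.key }}`, has no terminator, so it also matches any directive that merely begins with the key, and lineinfile rewrites the first such line it finds; anchor it with a word boundary, `regexp: "^#?\\s*{{ item.key }}\\b"`, which still matches the commented-out `#Key value` and the `Key=value` forms. Both lineinfile tasks in this hunk end in `notify: restart ssh`, so a directive sshd rejects would fail the restart and can leave the host unreachable; adding `validate: '/usr/sbin/sshd -t -f %s'` to each task lets sshd check the candidate file before it replaces the live one. `without-password` in the new dict is a deprecated alias for `prohibit-password` since OpenSSH 7.0, so the current spelling would be the clearer choice. The diffstat lists no group_vars or role-defaults change, and `ssh_allowusers_group | default([])` on the new AllowUsers line silently yields an empty list if any group_vars file still defines the old `sshserver_allowusers_group` name, which would drop those users from AllowUsers without any error — worth grepping for before this lands.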