diff options
author | Christian Pointner <equinox@spreadspace.org> | 2021-04-11 18:15:17 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2021-04-11 18:15:17 +0200 |
commit | d0b7421c2fe72299dc9b510d51821232cb95054a (patch) | |
tree | 5cd324184ce694e9cadeab3c767038ad147b7a9a /roles/core/sshd/base/tasks | |
parent | add new config file barrier for core/sshd (diff) |
move core/sshd to core/sshd/base
Diffstat (limited to 'roles/core/sshd/base/tasks')
-rw-r--r-- | roles/core/sshd/base/tasks/main.yml | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml new file mode 100644 index 00000000..d7524ef7 --- /dev/null +++ b/roles/core/sshd/base/tasks/main.yml @@ -0,0 +1,71 @@ +--- +- name: load os/distrubtion/version specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + +- name: hardening ssh-server config + vars: + sshd_options: + IgnoreRhosts: "yes" + PermitRootLogin: "without-password" + PubkeyAuthentication: "yes" + HostbasedAuthentication: "no" + PermitEmptyPasswords: "no" + UseDNS: "no" + loop: "{{ sshd_options | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^#?\\s*{{ item.key }}\\s" + line: "{{ item.key }} {{ item.value }}" + insertbefore: '^### ansible core/sshd/base config barrier ###' + notify: restart ssh + +- name: limit allowed users + when: not sshd_allow_any_user | bool + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}" + insertbefore: '^### ansible core/sshd/base config barrier ###' + notify: restart ssh + +- name: allow any user + when: sshd_allow_any_user | bool + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + state: absent + notify: restart ssh + +- name: install config barriers for other roles to use + loop: + - line: "### ansible core/sshd/base config barrier ###" + insertbefore: "### ansible core/sshd config barrier ###" + - line: "### ansible core/sshd config barrier ###" + insertafter: "### ansible core/sshd/base config barrier ###" + loop_control: + label: "{{ item.line }}" + lineinfile: + dest: /etc/ssh/sshd_config + line: "{{ item.line }}" + insertbefore: "{{ item.insertbefore | default(omit) }}" + insertafter: "{{ item.insertafter | default(omit) }}" + notify: restart ssh + +- name: install ssh keys for root + authorized_key: + user: root + key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}" + exclusive: yes + +- name: delete root password + when: sshd_disabled_password is defined + user: + name: root + password: "{{ sshd_disabled_password }}" |