diff options
author | Christian Pointner <equinox@spreadspace.org> | 2020-05-31 23:12:36 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2020-05-31 23:12:36 +0200 |
commit | 3a2319c9c58886a7938deabafc66ad4bc128c9f8 (patch) | |
tree | 222b41b5b49633b9156c070df830d5c73617edd7 /roles/core/sshd/tasks/main.yml | |
parent | chaos-at-home: deploy apt-repo/base to some more hosts (diff) |
move core roles to subdir
Diffstat (limited to 'roles/core/sshd/tasks/main.yml')
-rw-r--r-- | roles/core/sshd/tasks/main.yml | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/core/sshd/tasks/main.yml b/roles/core/sshd/tasks/main.yml new file mode 100644 index 00000000..5eb15081 --- /dev/null +++ b/roles/core/sshd/tasks/main.yml @@ -0,0 +1,55 @@ +--- +- name: load os/distrubtion/version specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + +- name: hardening ssh-server config + vars: + sshd_options: + IgnoreRhosts: "yes" + PermitRootLogin: "without-password" + PubkeyAuthentication: "yes" + HostbasedAuthentication: "no" + PermitEmptyPasswords: "no" + UseDNS: "no" + loop: "{{ sshd_options | dict2items }}" + loop_control: + label: "{{ item.key }} = {{ item.value }}" + lineinfile: + regexp: "^#?\\s*{{ item.key }}\\s" + line: "{{ item.key }} {{ item.value }}" + dest: /etc/ssh/sshd_config + mode: 0644 + notify: restart ssh + +- name: limit allowed users + when: not ssh_allow_any_user + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}" + notify: restart ssh + +- name: allow any user + when: ssh_allow_any_user + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers\\s" + state: absent + notify: restart ssh + +- name: install ssh keys for root + authorized_key: + user: root + key: "{{ ssh_keys_root | join('\n') }}" + exclusive: yes + +- name: delete root password + when: sshd_disabled_password is defined + user: + name: root + password: "{{ sshd_disabled_password }}" |