-rw-r--r--chaos-at-home/ch-jump.yml9
-rw-r--r--roles/core/sshd/tasks/main.yml12
2 files changed, 19 insertions, 2 deletions
diff --git a/chaos-at-home/ch-jump.yml b/chaos-at-home/ch-jump.yml
index 38d794ab..5c170e07 100644
--- a/chaos-at-home/ch-jump.yml
+++ b/chaos-at-home/ch-jump.yml
@@ -8,3 +8,12 @@
- role: core/zsh
- role: core/ntp
- role: core/admin-users
+ post_tasks:
+ - name: blub
+ blockinfile:
+ marker: "# {mark} ansible jump-host specific config"
+ block: |
+ Match user blub
+ PasswordAuthentication no
+ insertafter: '^### ansible core/sshd config barrier ###'
+ dest: /etc/ssh/sshd_config
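Review bot: The new blockinfile task edits sshd_config with neither `validate` nor `notify`, so a malformed `Match` stanza is only discovered at the next sshd restart, and the jump-host override `PasswordAuthentication no` does not take effect until something else restarts the daemon; add `validate: '/usr/sbin/sshd -t -f %s'` and `notify: restart ssh` (the handler presumably comes from the core/sshd role listed in the same play). The task name `blub` and the matched user `blub` read as placeholders; a name such as `configure jump-host sshd overrides` and the real account should go in before this is merged. Because a `Match` block extends to the next `Match` or end of file, any later role that appends global directives at EOF will silently scope them to this user; a comment above the block stating that it must remain the last stanza in the file would make that contract visible. The play's `roles:` list starts above this hunk.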
diff --git a/roles/core/sshd/tasks/main.yml b/roles/core/sshd/tasks/main.yml
index 88ecf64a..61bd334f 100644
--- a/roles/core/sshd/tasks/main.yml
+++ b/roles/core/sshd/tasks/main.yml
@@ -20,10 +20,10 @@
loop_control:
label: "{{ item.key }} = {{ item.value }}"
lineinfile:
+ dest: /etc/ssh/sshd_config
regexp: "^#?\\s*{{ item.key }}\\s"
line: "{{ item.key }} {{ item.value }}"
- dest: /etc/ssh/sshd_config
- mode: 0644
+ insertbefore: '^### ansible core/sshd config barrier ###'
notify: restart ssh
- name: limit allowed users
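Review bot: Removing `mode: 0644` means this task no longer corrects the permissions of /etc/ssh/sshd_config, so an over-permissive mode left behind by a manual edit now persists across runs; if the motivation was the unquoted-octal trap, keep it as `mode: "0644"` rather than dropping it. The `insertbefore` added here, and the identical one in the AllowUsers hunk below, reference a barrier line that is only installed by a later task, so on a fresh host both fall back to appending at EOF; that happens to order correctly, but a comment such as `# barrier is installed by a later task; first run appends at EOF` would document the dependency. The `regexp` replaces the last matching line in the file, so once another role puts the same directive inside a `Match` block after the barrier (as the ch-jump change does for PasswordAuthentication), this loop would rewrite the scoped line instead of the global one and the two tasks would flap on every run; either ensure the looped keys never overlap with Match-scoped directives or keep Match blocks out of this file. None of the sshd_config edits in this file use `validate: '/usr/sbin/sshd -t -f %s'`, so a bad value reaches the restart handler unchecked. The task's `- name:` line and loop variable are above this hunk.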
@@ -32,6 +32,7 @@
dest: /etc/ssh/sshd_config
regexp: "^AllowUsers\\s"
line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}"
+ insertbefore: '^### ansible core/sshd config barrier ###'
notify: restart ssh
- name: allow any user
@@ -42,6 +43,13 @@
state: absent
notify: restart ssh
+- name: install config barrier for other roles to use
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "### ansible core/sshd config barrier ###"
+ insertafter: EOF
+ notify: restart ssh
+
- name: install ssh keys for root
authorized_key:
user: root
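Review bot: The barrier task has an ordering contract with the `insertbefore` tasks earlier in this file that nothing documents; add above it `# keep this the last sshd_config edit of this role: earlier tasks insert before this line and append at EOF until it exists`. Notifying `restart ssh` for a comment-only line triggers one needless sshd restart on the first run, and the directives themselves already notify, so the `notify` on this task can be dropped. Everything after the barrier is outside this role's control, and a `Match` block placed there captures any subsequent `insertafter: EOF` directive, so consuming roles should insert directly after the barrier rather than at end of file; a second comment line stating that would help. The `authorized_key` task continues past the end of this hunk.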