1 files changed, 55 insertions, 0 deletions

diff --git a/roles/core/sshd/tasks/main.yml b/roles/core/sshd/tasks/main.yml
new file mode 100644
index 00000000..5eb15081
--- /dev/null
+++ b/roles/core/sshd/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+- name: load os/distrubtion/version specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution }}.yml"
+        - "{{ ansible_os_family }}.yml"
+
+- name: hardening ssh-server config
+  vars:
+    sshd_options:
+      IgnoreRhosts: "yes"
+      PermitRootLogin: "without-password"
+      PubkeyAuthentication: "yes"
+      HostbasedAuthentication: "no"
+      PermitEmptyPasswords: "no"
+      UseDNS: "no"
+  loop: "{{ sshd_options | dict2items }}"
+  loop_control:
+    label: "{{ item.key }} = {{ item.value }}"
+  lineinfile:
+    regexp: "^#?\\s*{{ item.key }}\\s"
+    line: "{{ item.key }} {{ item.value }}"
+    dest: /etc/ssh/sshd_config
+    mode: 0644
+  notify: restart ssh
+
+- name: limit allowed users
+  when: not ssh_allow_any_user
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^AllowUsers\\s"
+    line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
+  notify: restart ssh
+
+- name: allow any user
+  when: ssh_allow_any_user
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^AllowUsers\\s"
+    state: absent
+  notify: restart ssh
+
+- name: install ssh keys for root
+  authorized_key:
+    user: root
+    key: "{{ ssh_keys_root | join('\n') }}"
+    exclusive: yes
+
+- name: delete root password
+  when: sshd_disabled_password is defined
+  user:
+    name: root
+    password: "{{ sshd_disabled_password }}"