From d0b7421c2fe72299dc9b510d51821232cb95054a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 11 Apr 2021 18:15:17 +0200
Subject: move core/sshd to core/sshd/base
---
 roles/core/sshd/base/defaults/main.yml | 2 +
 roles/core/sshd/base/handlers/main.yml | 5 +++
 roles/core/sshd/base/tasks/main.yml | 71 ++++++++++++++++++++++++++++++++++
 roles/core/sshd/base/vars/Debian.yml | 3 ++
 roles/core/sshd/base/vars/OpenBSD.yml | 2 +
 roles/core/sshd/defaults/main.yml | 2 -
 roles/core/sshd/handlers/main.yml | 5 ---
 roles/core/sshd/tasks/main.yml | 63 ------------------------------
 roles/core/sshd/vars/Debian.yml | 3 --
 roles/core/sshd/vars/OpenBSD.yml | 2 -
 10 files changed, 83 insertions(+), 75 deletions(-)
 create mode 100644 roles/core/sshd/base/defaults/main.yml
 create mode 100644 roles/core/sshd/base/handlers/main.yml
 create mode 100644 roles/core/sshd/base/tasks/main.yml
 create mode 100644 roles/core/sshd/base/vars/Debian.yml
 create mode 100644 roles/core/sshd/base/vars/OpenBSD.yml
 delete mode 100644 roles/core/sshd/defaults/main.yml
 delete mode 100644 roles/core/sshd/handlers/main.yml
 delete mode 100644 roles/core/sshd/tasks/main.yml
 delete mode 100644 roles/core/sshd/vars/Debian.yml
 delete mode 100644 roles/core/sshd/vars/OpenBSD.yml
(limited to 'roles/core')
diff --git a/roles/core/sshd/base/defaults/main.yml b/roles/core/sshd/base/defaults/main.yml
new file mode 100644
index 00000000..50cc0f15
--- /dev/null
+++ b/roles/core/sshd/base/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+sshd_allow_any_user: false
diff --git a/roles/core/sshd/base/handlers/main.yml b/roles/core/sshd/base/handlers/main.yml
new file mode 100644
index 00000000..ea76595a
--- /dev/null
+++ b/roles/core/sshd/base/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+ service:
+ name: "{{ sshd_service_name }}"
+ state: restarted
diff --git a/roles/core/sshd/base/tasks/main.yml b/roles/core/sshd/base/tasks/main.yml
new file mode 100644
index 00000000..d7524ef7
--- /dev/null
+++ b/roles/core/sshd/base/tasks/main.yml 
@@ -0,0 +1,71 @@
+---
+- name: load os/distrubtion/version specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+
+- name: hardening ssh-server config
+ vars:
+ sshd_options:
+ IgnoreRhosts: "yes"
+ PermitRootLogin: "without-password"
+ PubkeyAuthentication: "yes"
+ HostbasedAuthentication: "no"
+ PermitEmptyPasswords: "no"
+ UseDNS: "no"
+ loop: "{{ sshd_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#?\\s*{{ item.key }}\\s"
+ line: "{{ item.key }} {{ item.value }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: limit allowed users
+ when: not sshd_allow_any_user | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers\\s"
+ line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}"
+ insertbefore: '^### ansible core/sshd/base config barrier ###'
+ notify: restart ssh
+
+- name: allow any user
+ when: sshd_allow_any_user | bool
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^AllowUsers\\s"
+ state: absent
+ notify: restart ssh
+
+- name: install config barriers for other roles to use
+ loop:
+ - line: "### ansible core/sshd/base config barrier ###"
+ insertbefore: "### ansible core/sshd config barrier ###"
+ - line: "### ansible core/sshd config barrier ###"
+ insertafter: "### ansible core/sshd/base config barrier ###"
+ loop_control:
+ label: "{{ item.line }}"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "{{ item.line }}"
+ insertbefore: "{{ item.insertbefore | default(omit) }}"
+ insertafter: "{{ item.insertafter | default(omit) }}"
+ notify: restart ssh
+
+- name: install ssh keys for root
+ authorized_key:
+ user: root
+ key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}"
+ exclusive: yes
+
+- name: delete root password
+ when: sshd_disabled_password is defined
+ user:
+ name: root
+ password: "{{ sshd_disabled_password }}"
diff --git a/roles/core/sshd/base/vars/Debian.yml b/roles/core/sshd/base/vars/Debian.yml
new file mode 100644
index 00000000..abbccabc
--- /dev/null
+++ b/roles/core/sshd/base/vars/Debian.yml
@@ -0,0 +1,3 @@
+---
+sshd_service_name: ssh
+sshd_disabled_password: '!'
diff --git a/roles/core/sshd/base/vars/OpenBSD.yml b/roles/core/sshd/base/vars/OpenBSD.yml
new file mode 100644
index 00000000..abdaf180
--- /dev/null
+++ b/roles/core/sshd/base/vars/OpenBSD.yml
@@ -0,0 +1,2 @@
+---
+sshd_service_name: sshd
diff --git a/roles/core/sshd/defaults/main.yml b/roles/core/sshd/defaults/main.yml
deleted file mode 100644
index 50cc0f15..00000000
--- a/roles/core/sshd/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-sshd_allow_any_user: false
diff --git a/roles/core/sshd/handlers/main.yml b/roles/core/sshd/handlers/main.yml
deleted file mode 100644
index ea76595a..00000000
--- a/roles/core/sshd/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: restart ssh
- service:
- name: "{{ sshd_service_name }}"
- state: restarted
diff --git a/roles/core/sshd/tasks/main.yml b/roles/core/sshd/tasks/main.yml
deleted file mode 100644
index 61bd334f..00000000
--- a/roles/core/sshd/tasks/main.yml
+++ /dev/null
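Review bot: Every lineinfile edit of /etc/ssh/sshd_config in this hunk notifies `restart ssh` without validating the result, so a rejected directive is only discovered when the handler restarts the daemon into a state it cannot start from, which cuts off remote access to the host; adding `validate: "/usr/sbin/sshd -t -f %s"` to the three lineinfile calls (the role presumably runs as root, which `sshd -t` needs) makes the task fail instead. The risk is real here because sshd takes the first value it sees for a keyword and rejects some keywords in the wrong place: if the target's stock sshd_config already has an active `Match` block, directives that land at EOF on a first run (lineinfile appends when `insertbefore` has no match, and the barrier is only written by the later task) fall inside it, and `UseDNS` is not permitted inside `Match` — worth confirming against the distributions' default files. For the same first-match reason, an `Include` of a drop-in directory near the top of the file (Debian's `/etc/ssh/sshd_config.d/*.conf`) would take precedence over `PermitRootLogin` or `AllowUsers` written by this role further down, so the role may want to check that no conflicting drop-in exists. `PermitRootLogin: "without-password"` is the legacy spelling of `prohibit-password` (OpenSSH 7.0 and later); both are accepted, but the current name documents the intent better.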
@@ -1,63 +0,0 @@
----
-- name: load os/distrubtion/version specific variables
- include_vars: "{{ item }}"
- with_first_found:
- - files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
-
-- name: hardening ssh-server config
- vars:
- sshd_options:
- IgnoreRhosts: "yes"
- PermitRootLogin: "without-password"
- PubkeyAuthentication: "yes"
- HostbasedAuthentication: "no"
- PermitEmptyPasswords: "no"
- UseDNS: "no"
- loop: "{{ sshd_options | dict2items }}"
- loop_control:
- label: "{{ item.key }} = {{ item.value }}"
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^#?\\s*{{ item.key }}\\s"
- line: "{{ item.key }} {{ item.value }}"
- insertbefore: '^### ansible core/sshd config barrier ###'
- notify: restart ssh
-
-- name: limit allowed users
- when: not sshd_allow_any_user | bool
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers\\s"
- line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host)) }}"
- insertbefore: '^### ansible core/sshd config barrier ###'
- notify: restart ssh
-
-- name: allow any user
- when: sshd_allow_any_user | bool
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "^AllowUsers\\s"
- state: absent
- notify: restart ssh
-
-- name: install config barrier for other roles to use
- lineinfile:
- dest: /etc/ssh/sshd_config
- line: "### ansible core/sshd config barrier ###"
- insertafter: EOF
- notify: restart ssh
-
-- name: install ssh keys for root
- authorized_key:
- user: root
- key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}"
- exclusive: yes
-
-- name: delete root password
- when: sshd_disabled_password is defined
- user:
- name: root
- password: "{{ sshd_disabled_password }}"
diff --git a/roles/core/sshd/vars/Debian.yml b/roles/core/sshd/vars/Debian.yml
deleted file mode 100644
index abbccabc..00000000
--- a/roles/core/sshd/vars/Debian.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-sshd_service_name: ssh
-sshd_disabled_password: '!'
diff --git a/roles/core/sshd/vars/OpenBSD.yml b/roles/core/sshd/vars/OpenBSD.yml
deleted file mode 100644
index abdaf180..00000000
--- a/roles/core/sshd/vars/OpenBSD.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-sshd_service_name: sshd
-- cgit v1.2.3