From efaa87a06f6c34d7d8863f1b675176a4b88291b4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 9 Dec 2018 13:49:00 +0100
Subject: refactoring sshserver role

---
 roles/sshserver/tasks/main.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

(limited to 'roles')

diff --git a/roles/sshserver/tasks/main.yml b/roles/sshserver/tasks/main.yml
index cd4c5043..e638905b 100644
--- a/roles/sshserver/tasks/main.yml
+++ b/roles/sshserver/tasks/main.yml
@@ -6,24 +6,26 @@
 - name: hardening ssh-server config
   lineinfile:
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
+    regexp: "^#?\\s*{{ item.key }}"
+    line: "{{ item.key }} {{ item.value }}"
     dest: /etc/ssh/sshd_config
     mode: 0644
-  with_items:
-    - { regexp: "^#?\\s*IgnoreRhosts", line: "IgnoreRhosts yes" }
-    - { regexp: "^#?\\s*PermitRootLogin", line: "PermitRootLogin without-password" }
-    - { regexp: "^#?\\s*PubkeyAuthentication", line: "PubkeyAuthentication yes" }
-    - { regexp: "^#?\\s*HostbasedAuthentication", line: "HostbasedAuthentication no" }
-    - { regexp: "^#?\\s*PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
-    - { regexp: "^#?\\s*UseDNS", line: "UseDNS no" }
+  with_dict:
+    IgnoreRhosts: "yes"
+    PermitRootLogin: "without-password"
+    PubkeyAuthentication: "yes"
+    HostbasedAuthentication: "no"
+    PermitEmptyPasswords: "no"
+    UseDNS: "no"
+  loop_control:
+    label: "{{ item.key }}"
   notify: restart ssh
 - name: limit allowed users
   lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: "^AllowUsers"
-    line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
+    line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
   notify: restart ssh
 - name: install ssh keys for root
-- 
cgit v1.2.3
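Review bot: The rename from `sshserver_allowusers_group`/`sshserver_allowusers_host` to `ssh_allowusers_group`/`ssh_allowusers_host` in the AllowUsers line is masked by the `default([])` fallback: any inventory or group_vars still setting the old names is silently ignored, AllowUsers collapses to `root` alone, and the intended users are locked out with no error from the play. Consider a guard task before "limit allowed users" that asserts the old variable names are not defined (an `assert` with `that: sshserver_allowusers_group is not defined and sshserver_allowusers_host is not defined` and a message naming the new variables), or drop `default([])` so an unset variable fails loudly instead of shrinking the allow-list. Quoting the `with_dict` values (`"yes"`/`"no"`) is correct, since unquoted they would parse as booleans and render as `True`/`False` in sshd_config. The hardening task's `regexp` of `^#?\\s*{{ item.key }}` has no terminator after the key, so it is a prefix match; none of the six keys is a prefix of another, but a future entry should keep that in mind.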