chore: first commit

roles/sshd/defaults/main.yml

@@ -0,0 +1,8 @@
+ssh_port: 22
+ssh_allowed_network: "192.168.1.0/24"
+ssh_allowed_vpn_network: "192.168.27.0/27"
+ssh_users: "jokester" # space separated if many
+ssh_config_dir: "/etc/ssh"
+sshd_config: "{{ ssh_config_dir}}/sshd_config"
+sshd_banner: "{{ ssh_config_dir}}/banner"
+sshd_binary: "/usr/sbin/sshd"

roles/sshd/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "vars/{{ ansible_facts['os_family'] }}.yml"
+    - "vars/debian.yml"
+
+- name: Install OpenSSH
+  package:
+    name: "{{ ssh_package_name }}"
+    state: present
+
+- name: Install UFW
+  package:
+    name: ufw
+    state: present
+
+- name: Enable SSH
+  service:
+    name: "{{ ssh_service_name }}"
+    enabled: yes
+
+- name: Allow SSH incoming connection on local network
+  ufw:
+    rule: allow
+    port: "{{ ssh_port }}"
+    proto: tcp
+    from: "{{ ssh_allowed_network }}"
+    direction: in
+
+- name: Allow SSH incoming connection on vpn network
+  ufw:
+    rule: allow
+    port: "{{ ssh_port }}"
+    proto: tcp
+    from: "{{ ssh_allowed_vpn_network }}"
+    direction: in
+
+- name: Add SSH public key to authorized_keys
+  authorized_key:
+    user: "{{ item }}"
+    state: present
+    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+    comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
+  loop: "{{ ssh_users.split() }}"
+
+- name: Create an SSH banner
+  template:
+    src: templates/sshd_banner.j2
+    dest: "{{ sshd_banner }}"
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Remove motd on Debian
+  file:
+    path: /etc/motd
+    state: absent
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Hardening sshd_config
+  template:
+    src: templates/sshd_config.j2
+    dest: "{{ sshd_config }}"
+    owner: root
+    group: root
+    mode: "0600"
+    validate: "{{ sshd_binary }} -t -f %s"
+  register: ssh_hardening_task
+
+- name: Restart SSH service
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+  when: ssh_hardening_task.changed
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled

roles/sshd/templates/sshd_banner.j2

@@ -0,0 +1,47 @@
+*******************************************
+     GALACTIC EMPIRE SECURE TERMINAL
+*******************************************
+{% if ansible_host == 'andromeda' %}
+        ⣠⣴⣾⣿⣿⣿⣿⣷⣦⣄
+      ⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡄
+     ⢀⣿⣿⣿⣿⡿⠛⢿⡿⠛⢻⣿⣿⣿⣿⡀  <IMPERIAL SECURITY
+     ⢸⣿⣿⣿⣿⡇ ⢸⣷⣶⣾⣿⣿⣿⣿⡇   IDENTIFICATION DROID
+     ⠈⠉⠉⠉⠉⠁ ⠈⠉⠉⠉⠉⠉⠉⠉⠁
+   ⢀⣤⣀⣾⣿⣿⣿⠟⠛⠛⠛⠛⠻⣿⣿⣿⣷⣀⣤⡀
+   ⢸⣿⣿⣿⣿⣿⣿⣤⣤⣤⣤⣤⣤⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⣿⣿⣿⣿⣿⣿⣿⡿⢿⣿⣿⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⣿⣿⣿⣿⣿⣿⣿  ⣿⣿⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⡟⢿⣿⣿⣿⣿⣿  ⣿⣿⣿⣿⣿⡿⢻⣿⡇
+   ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
+  ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
+  ⠛⠛⠛⠛⠛⠁          ⠈⠛⠛⠛⠛⠛
+{% elif ansible_host == 'omega' %}
+         ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
+      ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
+     ⣰⣿⣿⣿⠋    ⠈⢻⣿⣿⣿⣿⣿⣿⡟⠛⠛⠃
+    ⣼⣿⣿⣿⡇       ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧
+   ⢰⣿⣿⣿⣿⣧⡀     ⣠⣿⣿⣿⣿⣿⣿⠿⠟⠛⠁
+   ⣾⣿⣿⣿⣿⣿⣿⣶⣤⣤⣴⣾⣿⣿⣿⣿⣿⣿⣷⣶⣶⣶⣶⣶⣶⣶
+   ⣉⠉⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠉⣉
+   ⢿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣶⣶⣶⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⠿⠿
+   ⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠛⠛⠋⠉
+    ⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⣤⣤⣤⡄
+     ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
+      ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
+         ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
+{% else %}
+ACCESS DENIED - UNKNOWN STAR SYSTEM
+{% endif %}
+
+You have reached a terminal of the Galactic
+Empire's secure network. Unauthorized access
+will result in tracking and possible Force
+action.
+
+{% if ansible_hostname is defined %}
+Server: {{ ansible_hostname }}
+{% endif %}
+
+*******************************************
+ Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
+*******************************************

roles/sshd/templates/sshd_config.j2

@@ -0,0 +1,64 @@
+# Hardened SSH Configuration
+# Protocol version
+Protocol 2
+
+# Address family
+AddressFamily inet
+
+# Supported authentication methods
+AuthenticationMethods publickey
+
+# Authentication
+PermitRootLogin no
+MaxAuthTries 3
+MaxSessions 2
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+
+# Login timeout and grace period
+LoginGraceTime 30s
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxStartups 10:30:60
+
+# Forwarding
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+PermitTTY yes
+
+# User environment
+PermitUserEnvironment no
+
+# Logging and auditing
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Banner
+Banner /etc/ssh/banner
+
+# SFTP
+Subsystem sftp internal-sftp
+
+# Idle timeout (1 hour)
+ClientAliveInterval 300
+ClientAliveCountMax 12
+
+# Restrict access to specific users/groups (customize as needed)
+AllowUsers {{ ssh_users }}
+# AllowGroups sshusers wheel
+
+# Other security settings
+HostbasedAuthentication no
+IgnoreRhosts yes
+PermitUserRC no
+StrictModes yes
+Compression no
+{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
+UsePrivilegeSeparation sandbox
+{% endif %}

roles/sshd/vars/archlinux.yml

@@ -0,0 +1,2 @@
+ssh_package_name: "openssh"
+ssh_service_name: "sshd"

roles/sshd/vars/debian.yml

@@ -0,0 +1,2 @@
+ssh_package_name: "openssh-server"
+ssh_service_name: "ssh"