chore: first commit

roles/sshd/templates/sshd_banner.j2

@@ -0,0 +1,47 @@
+*******************************************
+     GALACTIC EMPIRE SECURE TERMINAL
+*******************************************
+{% if ansible_host == 'andromeda' %}
+        ⣠⣴⣾⣿⣿⣿⣿⣷⣦⣄
+      ⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡄
+     ⢀⣿⣿⣿⣿⡿⠛⢿⡿⠛⢻⣿⣿⣿⣿⡀  <IMPERIAL SECURITY
+     ⢸⣿⣿⣿⣿⡇ ⢸⣷⣶⣾⣿⣿⣿⣿⡇   IDENTIFICATION DROID
+     ⠈⠉⠉⠉⠉⠁ ⠈⠉⠉⠉⠉⠉⠉⠉⠁
+   ⢀⣤⣀⣾⣿⣿⣿⠟⠛⠛⠛⠛⠻⣿⣿⣿⣷⣀⣤⡀
+   ⢸⣿⣿⣿⣿⣿⣿⣤⣤⣤⣤⣤⣤⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⣿⣿⣿⣿⣿⣿⣿⡿⢿⣿⣿⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⣿⣿⣿⣿⣿⣿⣿  ⣿⣿⣿⣿⣿⣿⣿⣿⡇
+   ⢸⣿⡟⢿⣿⣿⣿⣿⣿  ⣿⣿⣿⣿⣿⡿⢻⣿⡇
+   ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
+  ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
+  ⠛⠛⠛⠛⠛⠁          ⠈⠛⠛⠛⠛⠛
+{% elif ansible_host == 'omega' %}
+         ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
+      ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
+     ⣰⣿⣿⣿⠋    ⠈⢻⣿⣿⣿⣿⣿⣿⡟⠛⠛⠃
+    ⣼⣿⣿⣿⡇       ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧
+   ⢰⣿⣿⣿⣿⣧⡀     ⣠⣿⣿⣿⣿⣿⣿⠿⠟⠛⠁
+   ⣾⣿⣿⣿⣿⣿⣿⣶⣤⣤⣴⣾⣿⣿⣿⣿⣿⣿⣷⣶⣶⣶⣶⣶⣶⣶
+   ⣉⠉⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠉⣉
+   ⢿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣶⣶⣶⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⠿⠿
+   ⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠛⠛⠋⠉
+    ⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⣤⣤⣤⡄
+     ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
+      ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
+         ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
+{% else %}
+ACCESS DENIED - UNKNOWN STAR SYSTEM
+{% endif %}
+
+You have reached a terminal of the Galactic
+Empire's secure network. Unauthorized access
+will result in tracking and possible Force
+action.
+
+{% if ansible_hostname is defined %}
+Server: {{ ansible_hostname }}
+{% endif %}
+
+*******************************************
+ Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
+*******************************************

roles/sshd/templates/sshd_config.j2

@@ -0,0 +1,64 @@
+# Hardened SSH Configuration
+# Protocol version
+Protocol 2
+
+# Address family
+AddressFamily inet
+
+# Supported authentication methods
+AuthenticationMethods publickey
+
+# Authentication
+PermitRootLogin no
+MaxAuthTries 3
+MaxSessions 2
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+
+# Login timeout and grace period
+LoginGraceTime 30s
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxStartups 10:30:60
+
+# Forwarding
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+PermitTTY yes
+
+# User environment
+PermitUserEnvironment no
+
+# Logging and auditing
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Banner
+Banner /etc/ssh/banner
+
+# SFTP
+Subsystem sftp internal-sftp
+
+# Idle timeout (1 hour)
+ClientAliveInterval 300
+ClientAliveCountMax 12
+
+# Restrict access to specific users/groups (customize as needed)
+AllowUsers {{ ssh_users }}
+# AllowGroups sshusers wheel
+
+# Other security settings
+HostbasedAuthentication no
+IgnoreRhosts yes
+PermitUserRC no
+StrictModes yes
+Compression no
+{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
+UsePrivilegeSeparation sandbox
+{% endif %}