From f9397ad38cdac1fa034fb3f8641e2e603b404c7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Sat, 11 Apr 2026 22:54:35 +0200
Subject: [PATCH] feat: allow sshd to bind on multiple networks

---
 roles/sshd/defaults/main.yml | 5 +++--
 roles/sshd/tasks/main.yml | 21 ++++----------------
 2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
index 8bba0b1..9854b2c 100644
--- a/roles/sshd/defaults/main.yml
+++ b/roles/sshd/defaults/main.yml
@@ -1,7 +1,8 @@
 ---
 ssh_port: 22
-ssh_allowed_network: "192.168.1.0/24"
-ssh_allowed_vpn_network: "192.168.27.0/27"
+ssh_allowed_networks:
+  - { src: "192.168.1.0/24", comment: "SSH from LAN" }
+  - { src: "192.168.27.0/27", comment: "SSH from VPN" }
 ssh_users: "jokester" # space separated if many
 ssh_config_dir: "/etc/ssh"
 sshd_config: "{{ ssh_config_dir }}/sshd_config"
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 5a78a3c..2cc5ba8 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -20,23 +20,15 @@
     name: "{{ ssh_service_name }}"
     enabled: true
 
-- name: Allow local network incoming connection
+- name: Allow SSH incoming connections
   community.general.ufw:
     rule: allow
     port: "{{ ssh_port }}"
     proto: tcp
-    from: "{{ ssh_allowed_network }}"
+    from: "{{ item.src }}"
     direction: in
-    comment: "SSH from local network"
-
-- name: Allow SSH VPN incoming connection
-  community.general.ufw:
-    rule: allow
-    port: "{{ ssh_port }}"
-    proto: tcp
-    from: "{{ ssh_allowed_vpn_network }}"
-    direction: in
-    comment: "SSH from VPN network"
+    comment: "{{ item.comment }}"
+  loop: "{{ ssh_allowed_networks }}"
 
 # TODO
 # - name: Add SSH public key to authorized_keys
@@ -105,8 +97,3 @@
     enabled: true
     state: started
 
-- name: Start and enable fail2ban
-  ansible.builtin.service:
-    name: fail2ban
-    state: started
-    enabled: true
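Review bot: The new `ssh_allowed_networks` entries use flow-style mappings for structured data, which diff poorly and are easy to mis-edit when an inventory overrides the list; block style reads better and matches the rest of the file. Both keys are consumed by the loop in roles/sshd/tasks/main.yml (`item.src` and `item.comment`), so a comment above the list stating that every entry must provide `src` and `comment` would stop an override that supplies only `src` from failing on an undefined variable. Suggested form below.
```yaml
# Each entry needs both keys: src (CIDR allowed to reach ssh_port) and
# comment (label stored on the ufw rule).
ssh_allowed_networks:
  - src: "192.168.1.0/24"
    comment: "SSH from LAN"
  - src: "192.168.27.0/27"
    comment: "SSH from VPN"
```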
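Review bot: `comment: "{{ item.comment }}"` makes `comment` a mandatory key of every `ssh_allowed_networks` entry, so an inventory that overrides the list with only `src` fails the whole task on an undefined variable instead of just losing the label; `comment: "{{ item.comment | default('SSH from ' ~ item.src) }}"` keeps the allow rule and still writes a meaningful ufw comment. The flattened patch does not preserve indentation, so confirm that `loop:` sits at task level as a sibling of `community.general.ufw:` rather than inside the module arguments, where ufw would reject it as an unsupported parameter. Adding `loop_control: {label: "{{ item.src }}"}` would also make the play output show which network each rule was applied for. The same required-key assumption applies to the list defined in roles/sshd/defaults/main.yml.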