113 lines
2.8 KiB
YAML
113 lines
2.8 KiB
YAML
---
|
|
- name: Load OS-specific variables
|
|
ansible.builtin.include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "vars/{{ ansible_facts['os_family'] }}.yml"
|
|
- "vars/debian.yml"
|
|
|
|
- name: Install OpenSSH
|
|
ansible.builtin.package:
|
|
name: "{{ ssh_package_name }}"
|
|
state: present
|
|
|
|
- name: Install UFW
|
|
ansible.builtin.package:
|
|
name: ufw
|
|
state: present
|
|
|
|
- name: Enable SSH
|
|
ansible.builtin.service:
|
|
name: "{{ ssh_service_name }}"
|
|
enabled: true
|
|
|
|
- name: Allow local network incoming connection
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
from: "{{ ssh_allowed_network }}"
|
|
direction: in
|
|
comment: "SSH from local network"
|
|
|
|
- name: Allow SSH VPN incoming connection
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
from: "{{ ssh_allowed_vpn_network }}"
|
|
direction: in
|
|
comment: "SSH from VPN network"
|
|
|
|
# TODO
|
|
# - name: Add SSH public key to authorized_keys
|
|
# authorized_key:
|
|
# user: "{{ item }}"
|
|
# state: present
|
|
# key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
|
# comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
|
|
# loop: "{{ ssh_users.split() }}"
|
|
|
|
- name: Authorized keys fallback (when home cannot be mounted)
|
|
when: ssh_authorized_keys_fallback_enabled
|
|
block:
|
|
- name: Create the directory
|
|
ansible.builtin.file:
|
|
path: "{{ ssh_authorized_keys_fallback_dir }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
|
|
- name: Backup authorized_keys out of HOME dir (if unavailable at startup)
|
|
ansible.builtin.command: "cp /home/{{ item }}/.ssh/authorized_keys {{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
|
|
loop: "{{ ssh_users.split() }}"
|
|
changed_when: false
|
|
|
|
- name: Fix ownership
|
|
ansible.builtin.file:
|
|
path: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
|
|
owner: "{{ item }}"
|
|
group: "{{ item }}"
|
|
mode: "0600"
|
|
loop: "{{ ssh_users.split() }}"
|
|
|
|
- name: Create an SSH banner
|
|
ansible.builtin.template:
|
|
src: templates/sshd_banner.j2
|
|
dest: "{{ sshd_banner }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: Remove motd on Debian
|
|
ansible.builtin.file:
|
|
path: /etc/motd
|
|
state: absent
|
|
when: ansible_facts['os_family'] == 'Debian'
|
|
|
|
- name: Hardening sshd_config
|
|
ansible.builtin.template:
|
|
src: templates/sshd_config.j2
|
|
dest: "{{ sshd_config }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
validate: "{{ sshd_binary }} -t -f %s"
|
|
notify: Restart SSH service
|
|
|
|
- name: Enable UFW
|
|
community.general.ufw:
|
|
state: enabled
|
|
|
|
- name: Enable UFW service at startup
|
|
ansible.builtin.systemd:
|
|
name: ufw
|
|
enabled: true
|
|
state: started
|
|
|
|
- name: Start and enable fail2ban
|
|
ansible.builtin.service:
|
|
name: fail2ban
|
|
state: started
|
|
enabled: true
|