jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e1a1518cb8
ansible-playbooks/roles/sshd/tasks/main.yml
Clément Désiles e1a1518cb8 feat: enhance sshd fallback over missing $HOME
2025-08-26 01:02:53 +02:00

91 lines
2.1 KiB
YAML
Raw Blame History

---
- include_vars: "{{ item }}"
with_first_found:
- "vars/{{ ansible_facts['os_family'] }}.yml"
- "vars/debian.yml"
- name: Install OpenSSH
package:
name: "{{ ssh_package_name }}"
state: present
- name: Install UFW
package:
name: ufw
state: present
- name: Enable SSH
service:
name: "{{ ssh_service_name }}"
enabled: yes
- name: Allow local network incoming connection
ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
from: "{{ ssh_allowed_network }}"
direction: in
- name: Allow SSH VPN incoming connection
ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
from: "{{ ssh_allowed_vpn_network }}"
direction: in
- name: Add SSH public key to authorized_keys
authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
loop: "{{ ssh_users.split() }}"
- name: Authorized keys fallback
block:
- name: Create the directory
file:
path: "{{ssh_authorized_keys_fallback_dir}}"
state: directory
- name: Backup authorized_keys out of HOME dir (if unavailable at startup)
command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
loop: "{{ ssh_users.split() }}"
when: ssh_authorized_keys_fallback_enabled
- name: Create an SSH banner
template:
src: templates/sshd_banner.j2
dest: "{{ sshd_banner }}"
owner: root
group: root
mode: "0644"
- name: Remove motd on Debian
file:
path: /etc/motd
state: absent
when: ansible_facts['os_family'] == 'Debian'
- name: Hardening sshd_config
template:
src: templates/sshd_config.j2
dest: "{{ sshd_config }}"
owner: root
group: root
mode: "0600"
validate: "{{ sshd_binary }} -t -f %s"
register: ssh_hardening_task
- name: Restart SSH service
service:
name: "{{ ssh_service_name }}"
state: restarted
when: ssh_hardening_task.changed
- name: Enable UFW
community.general.ufw:
state: enabled
Reference in New Issue View Git Blame Copy Permalink