author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-14 22:28:00 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-14 22:34:34 +0200 |
commit | 4af7ef3b135af5cf452433150da78a8ce9729a24 (patch) | |
tree | 806435c24531e7d4865f1241c608e06f79c2b5f6 | |
parent | docker: add a defaults file (diff) | |
add sshd role
-rw-r--r-- | roles/sshd/README.md | 2 | ||||
-rw-r--r-- | roles/sshd/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/sshd/tasks/main.yml | 16 | ||||
-rw-r--r-- | roles/sshd/templates/sshd_config | 29 |
4 files changed, 48 insertions, 0 deletions
diff --git a/roles/sshd/README.md b/roles/sshd/README.md
new file mode 100644
index 0000000..fa3f736
--- /dev/null
+++ b/roles/sshd/README.md
@@ -0,0 +1,2 @@
+This roles configures OpenSSH server by using slightly saner values in
+/etc/ssh/sshd_config.
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..8d56863
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1 @@
+ssh_allowed_groups: []
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..d31ac79
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Configure sshd
+  become: true
+  ansible.builtin.template:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '644'
+  register: sshd_config
+
+- name: Restart sshd
+  become: true
+  ansible.builtin.systemd_service:
+    name: sshd
+    state: restarted
+  when: sshd_config.changed
diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
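Review bot: The `Configure sshd` task installs the rendered file straight into `/etc/ssh/sshd_config` and the `Restart sshd` task then restarts the daemon, so a template that renders to something sshd rejects is only discovered when the restart fails and remote access to the host is lost. `ansible.builtin.template` can refuse to install an invalid file: add `validate: /usr/sbin/sshd -t -f %s` next to `mode: '644'` so the daemon parses the candidate before it replaces the live config. The restart is done as a plain task keyed on `sshd_config.changed`; a handler triggered by `notify` would express the same dependency in the usual Ansible style, though the present form works.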
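Review bot: The template takes `ansible_port` and `ansible_user` from `hostvars` and uses them unconditionally in `Port` and `AllowGroups`, so the role presumably only renders for hosts that set both in inventory; a host that relies on the implicit port 22 would, with Ansible's default undefined-variable handling, fail the template task rather than get a config file. `AllowGroups` also treats the connecting user name as a group name, which holds where each user has a same-named private group (the Debian default) but is not guaranteed, and a user whose primary group is named differently would be refused after the restart. Neither assumption is stated anywhere; a comment above the `set` lines such as `# Requires ansible_port and ansible_user in inventory; AllowGroups assumes each user has a group of the same name.` would make them visible to whoever reuses the role.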