add sshd role

4 files changed, 48 insertions, 0 deletions

diff --git a/roles/sshd/README.md b/roles/sshd/README.md
new file mode 100644
index 0000000..fa3f736
--- /dev/null
+++ b/roles/sshd/README.md
@@ -0,0 +1,2 @@
+This roles configures OpenSSH server by using slightly saner values in
+/etc/ssh/sshd_config.
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..8d56863
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1 @@
+ssh_allowed_groups: []
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..d31ac79
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Configure sshd
+  become: true
+  ansible.builtin.template:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '644'
+  register: sshd_config
+
+- name: Restart sshd
+  become: true
+  ansible.builtin.systemd_service:
+    name: sshd
+    state: restarted
+  when: sshd_config.changed
diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server