authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-14 22:28:00 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-14 22:34:34 +0200
commit4af7ef3b135af5cf452433150da78a8ce9729a24 (patch)
tree806435c24531e7d4865f1241c608e06f79c2b5f6
parentdocker: add a defaults file (diff)
add sshd role
-rw-r--r--roles/sshd/README.md2
-rw-r--r--roles/sshd/defaults/main.yml1
-rw-r--r--roles/sshd/tasks/main.yml16
-rw-r--r--roles/sshd/templates/sshd_config29
4 files changed, 48 insertions, 0 deletions
diff --git a/roles/sshd/README.md b/roles/sshd/README.md
new file mode 100644
index 0000000..fa3f736
--- /dev/null
+++ b/roles/sshd/README.md
@@ -0,0 +1,2 @@
+This roles configures OpenSSH server by using slightly saner values in
+/etc/ssh/sshd_config.
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..8d56863
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1 @@
+ssh_allowed_groups: []
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..d31ac79
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Configure sshd
+ become: true
+ ansible.builtin.template:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: '644'
+ register: sshd_config
+
+- name: Restart sshd
+ become: true
+ ansible.builtin.systemd_service:
+ name: sshd
+ state: restarted
+ when: sshd_config.changed
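Review bot: The `ansible.builtin.template` call that writes `dest: /etc/ssh/sshd_config` has no `validate:` option, so a rendering mistake in the template is only discovered when the "Restart sshd" task takes the daemon down, which can sever the very connection Ansible is using. Adding `validate: /usr/sbin/sshd -t -f %s` to the template task makes Ansible syntax-check the rendered file first and leave the existing config untouched if the check fails. The `register` plus `when: sshd_config.changed` pairing works, but a `notify` with a handler would also coalesce restarts if later tasks in the role touch the same file.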
diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
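Review bot: `AllowGroups {{ groups | join(' ') }}` puts the Ansible login user's name into a group whitelist, so that user keeps access only if a group of the same name exists on the host (the case with Debian's user-private groups, not guaranteed elsewhere); otherwise the restart locks the playbook's own user out, so the assumption deserves a comment next to the `{% set groups = [ssh_user] + ssh_allowed_groups %}` line. Those `{% set groups = ... %}` lines also shadow Ansible's inventory `groups` magic variable inside the template; a name such as `ssh_groups` avoids the confusion. Since the file replaces the packaged sshd_config wholesale, settings that come from Debian's shipped file rather than from sshd's compiled-in defaults are silently dropped — notably `UsePAM yes` (sshd's own default is `no`) and, on targets that have it, the `Include /etc/ssh/sshd_config.d/*.conf` line — which the first-line comment about "sane defaults" does not appear to account for. `hostvars[inventory_hostname].ansible_port` is undefined unless the inventory sets a port explicitly, so the render presumably fails on hosts using the default port unless the lookup gets a `| default(22)`.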