authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-14 22:28:00 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-14 22:34:34 +0200
commit4af7ef3b135af5cf452433150da78a8ce9729a24 (patch)
tree806435c24531e7d4865f1241c608e06f79c2b5f6 /roles/sshd/templates
parentdocker: add a defaults file (diff)
add sshd role
Diffstat (limited to 'roles/sshd/templates')
-rw-r--r--roles/sshd/templates/sshd_config29
1 files changed, 29 insertions, 0 deletions
diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
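Review bot: `AllowGroups {{ groups | join(' ') }}` silently assumes that `ssh_user` has a primary group named after the user, because a user name is spliced into what sshd treats as a list of group names; on a host where that does not hold, every login path, including the one Ansible itself relies on, is refused and recovery needs console access. Either state the assumption above the `{% set groups = [ssh_user] + ssh_allowed_groups %}` line (`# assumes each user has a same-named primary group (Debian UPG convention)`) or resolve the user's real primary group before appending it. The local name `groups` also shadows Ansible's built-in `groups` inventory variable for the rest of this template; something like `allowed_groups` avoids that confusion. `hostvars[inventory_hostname].ansible_port` fails with an undefined-variable error when the inventory does not set a port, so `ansible_port | default(22)` is safer if that case can occur, which cannot be told from this hunk.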