From 4af7ef3b135af5cf452433150da78a8ce9729a24 Mon Sep 17 00:00:00 2001
From: Egor Tensin <Egor.Tensin@gmail.com>
Date: Mon, 14 Aug 2023 22:28:00 +0200
Subject: add sshd role

---
 roles/sshd/templates/sshd_config | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 roles/sshd/templates/sshd_config


diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
new file mode 100644
index 0000000..6963c88
--- /dev/null
+++ b/roles/sshd/templates/sshd_config
@@ -0,0 +1,29 @@
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
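Review bot: `AllowGroups {{ groups | join(' ') }}` keeps the Ansible login reachable only because `ssh_user` is inserted as if it were a group name, which assumes a group named exactly like `ansible_user` exists and the user is a member of it (Debian's user-private-group convention); if that does not hold on a host, the next sshd restart locks Ansible out, so the role should either create that group and membership explicitly or document the assumption with a comment such as `# Assumes ansible_user has a same-named primary group (Debian UPG).`. The local `{% set groups = ... %}` also shadows Ansible's built-in inventory `groups` variable for the rest of the template; `{% set ssh_groups = ([ssh_user] + ssh_allowed_groups) | sort | unique %}` avoids that. `hostvars[inventory_hostname].ansible_port` and `.ansible_user` appear to be defined only when the inventory sets them explicitly, so a host relying on the implicit port 22 or on `remote_user` fails to render (fail-closed, but surprising) — `| default(22)` on the port is one option if that is intended. Finally, the header says Debian-default parameters are omitted, but some values Debian ships only in its packaged `/etc/ssh/sshd_config`, notably `UsePAM yes`, are not compiled-in defaults and are lost once this template replaces that file, which I believe skips PAM account and session modules for key-based logins; consider adding `UsePAM yes` or a comment stating PAM is intentionally off.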
-- 