From c054d22c4818d916ac6dd9c8d7a7a2c614408e17 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Sun, 20 Aug 2023 23:02:06 +0200
Subject: append .j2 extension to templates
I saw a good point somewhere that it should help with syntax highlighting.
---
 roles/sshd/tasks/main.yml | 2 +-
 roles/sshd/templates/sshd_config | 31 -------------------------------
 roles/sshd/templates/sshd_config.j2 | 31 +++++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 32 deletions(-)
 delete mode 100644 roles/sshd/templates/sshd_config
 create mode 100644 roles/sshd/templates/sshd_config.j2
(limited to 'roles/sshd')
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index d31ac79..ed60e75 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Configure sshd
 become: true
 ansible.builtin.template:
- src: sshd_config
+ src: sshd_config.j2
 dest: /etc/ssh/sshd_config
 owner: root
 group: root
diff --git a/roles/sshd/templates/sshd_config b/roles/sshd/templates/sshd_config
deleted file mode 100644
index abcf0d7..0000000
--- a/roles/sshd/templates/sshd_config
+++ /dev/null
@@ -1,31 +0,0 @@
-{{ ansible_managed | comment }}
-
-# Parameters that have sane defaults on Debian 11 are omitted.
-
-{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
-{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
-
-{% set groups = [ssh_user] + ssh_allowed_groups %}
-{% set groups = groups | sort | unique %}
-
-Port {{ ssh_port }}
-
-# Whitelist users:
-PermitRootLogin no
-AllowGroups {{ groups | join(' ') }}
-
-# Only public key authentication:
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-AuthenticationMethods publickey
-
-# Whitelist accepted environment variables:
-AcceptEnv LANG LC_*
-
-# Drop idle sessions:
-ClientAliveCountMax 3
-ClientAliveInterval 15
-
-# Miscellaneous:
-PrintMotd no
-Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
new file mode 100644
index 0000000..abcf0d7
--- /dev/null
+++ b/roles/sshd/templates/sshd_config.j2
@@ -0,0 +1,31 @@
+{{ ansible_managed | comment }}
+
+# Parameters that have sane defaults on Debian 11 are omitted.
+
+{% set ssh_port = hostvars[inventory_hostname].ansible_port %}
+{% set ssh_user = hostvars[inventory_hostname].ansible_user %}
+
+{% set groups = [ssh_user] + ssh_allowed_groups %}
+{% set groups = groups | sort | unique %}
+
+Port {{ ssh_port }}
+
+# Whitelist users:
+PermitRootLogin no
+AllowGroups {{ groups | join(' ') }}
+
+# Only public key authentication:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Miscellaneous:
+PrintMotd no
+Subsystem sftp /usr/lib/openssh/sftp-server
-- 
cgit v1.2.3