67 lines
1.8 KiB
YAML
67 lines
1.8 KiB
YAML
---
|
|
- block:
|
|
|
|
- name: install openssh-server
|
|
apt:
|
|
name: openssh-server
|
|
state: present
|
|
update_cache: true
|
|
cache_valid_time: 3600
|
|
|
|
- name: ensure openssh-server is running
|
|
systemd:
|
|
state: started
|
|
name: sshd
|
|
|
|
- name: set the sshd port
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^#?Port"
|
|
line: "Port {{ sshd_port }}"
|
|
notify: systemctl restart sshd
|
|
|
|
- name: harden openssh-server
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
with_items:
|
|
- regexp: "^#?AllowAgentForwarding"
|
|
line: "AllowAgentForwarding no"
|
|
- regexp: "^#?AllowTcpForwarding"
|
|
line: "AllowTcpForwarding {{ sshd_allow_tcp_forwarding }}"
|
|
- regexp: "^#?MaxAuthTries"
|
|
line: "MaxAuthTries 3"
|
|
- regexp: "^#?MaxSessions"
|
|
line: "MaxSessions {{ sshd_max_sessions }}"
|
|
- regexp: "^#?PasswordAuthentication"
|
|
line: "PasswordAuthentication no"
|
|
- regexp: "^#?PermitRootLogin"
|
|
line: "PermitRootLogin no"
|
|
- regexp: "^#?PubkeyAuthentication"
|
|
line: "PubkeyAuthentication yes"
|
|
- regexp: "^#?TCPKeepAlive"
|
|
line: "TCPKeepAlive no"
|
|
- regexp: "^#?UseDNS"
|
|
line: "UseDNS no"
|
|
- regexp: "^#?X11Forwarding"
|
|
line: "X11Forwarding no"
|
|
notify: systemctl restart sshd
|
|
|
|
# TODO: make an ansible module to perform knocking.
|
|
# - name: flush handlers
|
|
# meta: flush_handlers
|
|
|
|
# - name: check that openssh-server is listening
|
|
# wait_for:
|
|
# host: "{{ inventory_hostname }}"
|
|
# port: "{{ sshd_port }}"
|
|
# timeout: 5
|
|
# search_regex: OpenSSH
|
|
# delay: 2
|
|
# delegate_to: localhost
|
|
|
|
become: "{{ sshd_become }}"
|
|
become_user: "{{ sshd_become_user }}"
|