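---
# Installs OpenSSH server, opens TCP/22 in the host firewall and hardens
# /etc/ssh/sshd_config.
#
# The handlers referenced by `notify` (reload/restart firewalld, reload/enable
# ufw, enable/restart sshd) and the variables `rootkey` and `ansible_server`
# are defined outside this file.
#
# Every sshd_config edit below is checked with `sshd -t` before the file is
# written, so a bad line cannot leave the host without a working sshd.

- name: Installed sshd
  become: true
  package:
    name: openssh-server
    state: present

# The firewalld module needs the python bindings on the managed host.
# NOTE(review): newer Fedora releases ship these as python3-firewall — confirm
# against the releases this playbook targets.
- name: install firewalld
  become: true
  package:
    name: python-firewall
    state: present
  # ansible_distribution_major_version is a string fact; cast it before the
  # numeric comparison, otherwise `str >= int` raises under Python 3.
  when: >-
    ansible_distribution == "Fedora" or
    (ansible_distribution == "CentOS" and ansible_distribution_major_version | int >= 7)

# The rule is made permanent only; the notified handlers apply it to the
# running firewall.
- name: Open port 22 on Fedora/CentOS
  become: true
  firewalld:
    port: 22/tcp
    state: enabled
    permanent: true
  when: >-
    ansible_distribution == "Fedora" or
    (ansible_distribution == "CentOS" and ansible_distribution_major_version | int >= 7)
  notify:
    - reload firewalld
    - restart firewalld

# The allow rule is added before the `enable ufw` handler runs, so enabling
# the firewall cannot cut off the SSH session that is managing the host.
- name: Open port 22 on Ubuntu
  become: true
  ufw:
    name: OpenSSH
    rule: allow
  notify:
    - reload ufw
    - enable ufw
  when: ansible_distribution == "Ubuntu"

# sshd_config edits: the regexps are anchored (`^#?\s*Keyword\b`) so that only
# the directive line — commented or not — is matched. An unanchored
# `.*Keyword.*` also matches comment lines that merely mention the keyword;
# lineinfile replaces only the LAST match while sshd honors the FIRST
# occurrence of a directive, so such an edit can silently leave the original
# setting in force. Regexps are single-quoted because `\s` and `\b` are not
# valid escapes in a double-quoted YAML scalar.

- name: Disable empty password login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitEmptyPasswords\b'
    line: 'PermitEmptyPasswords no'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# Root may log in with a key only; the key installed in "Add root key" is
# additionally restricted with `from=` to the Ansible controller.
# `without-password` is the pre-OpenSSH-7.0 spelling of `prohibit-password`
# and is still accepted as an alias; it is kept for older sshd versions.
- name: Allow remote root login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitRootLogin\b'
    line: 'PermitRootLogin without-password'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# authorized_keys is read by sshd at each login, so no restart is needed here.
- name: Add root key
  become: true
  authorized_key:
    user: root
    state: present
    key: "{{ rootkey }}"
    key_options: 'from="{{ ansible_server }}"'

# PermitTunnel lets every user who may log in request tun(4) forwarding.
# NOTE(review): only needed if the host serves as a tunnel endpoint — confirm
# the requirement with the owner.
# NOTE(review): this is the only task that notifies `enable sshd`; the
# handler therefore runs only when this particular line changes.
- name: Enable tunnel
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitTunnel\b'
    line: 'PermitTunnel yes'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - enable sshd
    - restart sshd

# - name: always start sshd
#   command: chkconfig sshd on

# NOTE(review): once any HostKey directive is active, sshd uses only the keys
# listed; on a config where the other HostKey lines are commented out, this
# leaves ed25519 as the sole host key — confirm that is intended.
- name: Add curves
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*HostKey\s+.*ed25519'
    line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

- name: enable PAM
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?\s*UsePAM\b'
    line: 'UsePAM yes'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd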