---
# Make sure the OpenSSH server package is on the host. The package is
# called openssh-server on every distribution this file targets
# (Fedora/CentOS and Ubuntu, see the `when:` clauses below).
- name: Installed sshd
  become: true
  package:
    name: openssh-server
    state: present

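# Install the Python bindings that Ansible's `firewalld` module needs on
# the target.
# NOTE(review): the task name overstates what happens -- only the bindings
# are installed, not the firewalld daemon, so the port task below assumes
# firewalld is already present and running. Newer Fedora/CentOS releases
# ship the bindings as `python3-firewall`; confirm the name against the
# hosts actually managed.
- name: install firewalld
  become: true
  package:
    name: python-firewall
    state: present
  # ansible_distribution_major_version is a *string*. Without the `| int`
  # cast the comparison is wrong on Python 2 ("6" >= 7 is True, because
  # str sorts after int) and raises a TypeError on Python 3.
  when: >-
    ansible_distribution == "Fedora" or
    (ansible_distribution == "CentOS" and ansible_distribution_major_version | int >= 7)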

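# Permit SSH through firewalld. `permanent: true` on its own only writes
# the rule to the permanent configuration; it takes effect when the
# notified "reload firewalld" handler runs at the end of the play (adding
# `immediate: true` would apply it at once). The task assumes firewalld
# itself is installed and running -- the previous task installs only the
# Python bindings.
- name: Open port 22 on Fedora/CentOS
  become: true
  firewalld:
    port: '22/tcp'
    permanent: true
    state: enabled
  # ansible_distribution_major_version is a string; cast it before the
  # numeric comparison, otherwise "6" >= 7 is True on Python 2 and a
  # TypeError on Python 3.
  when: >-
    ansible_distribution == "Fedora" or
    (ansible_distribution == "CentOS" and ansible_distribution_major_version | int >= 7)
  notify:
    - reload firewalld
    - restart firewalld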

# Allow SSH through ufw via the "OpenSSH" application profile (presumably
# the one shipped with openssh-server on Ubuntu), then turn ufw on.
# Handlers run at the end of the play, so the allow rule is already in
# place when "enable ufw" fires -- important, because ufw denies incoming
# traffic by default once enabled.
- name: Open port 22 on Ubuntu
  become: true
  ufw:
    rule: allow
    name: OpenSSH
  when: ansible_distribution == "Ubuntu"
  notify:
    - reload ufw
    - enable ufw

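# Refuse logins to accounts whose password is empty.
- name: Disable empty password login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchored to the start of the line (optionally commented out).
    # The previous pattern `.*PermitEmptyPasswords.*` also matched the
    # keyword inside prose comment lines and inside indented Match-block
    # entries, and lineinfile rewrites the *last* match -- so the wrong
    # line could be edited while the real global setting stayed put.
    regexp: '^(#\s*)?PermitEmptyPasswords\b'
    line: 'PermitEmptyPasswords no'
    # sshd uses the first value it reads for a keyword, so when nothing
    # matches, insert at the top of the file rather than appending at EOF
    # where the directive could land inside a trailing Match block.
    insertbefore: BOF
    backup: true
    # Reject the edit if sshd cannot parse the result; otherwise the
    # "restart sshd" handler would lock us out of the host.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd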

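# Let root log in with a key only, never with a password.
# "without-password" is the older spelling; OpenSSH 7.0+ also accepts the
# synonym "prohibit-password" and still honours the old one, so this
# value works on both old and current releases.
# NOTE(review): direct root login at all is a deliberate trade-off (no
# per-user audit trail); "no" plus sudo is the stricter option where the
# hosts do not need it. This file also never sets PasswordAuthentication,
# so non-root password logins stay at the distro default.
- name: Allow remote root login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchored match. The previous `.*PermitRootLogin.*` matched any line
    # containing the word -- some stock sshd_config files mention
    # "PermitRootLogin" in a later comment block, and because lineinfile
    # replaces the *last* match that comment line was rewritten instead of
    # the real directive.
    regexp: '^(#\s*)?PermitRootLogin\b'
    line: 'PermitRootLogin without-password'
    # First value wins in sshd_config: insert at the top if no line
    # matched, instead of appending after a possible trailing Match block.
    insertbefore: BOF
    backup: true
    # Never install a config sshd rejects; the restart handler would
    # otherwise leave the host unreachable.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd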

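# Allow tun(4) device forwarding (client side: `ssh -w`), i.e. a layer-3
# VPN over SSH terminated on this host.
# NOTE(review): this widens what an authenticated user can do (route
# traffic into the host's networks); keep it only if the hosts really act
# as SSH VPN endpoints, or scope it with a Match block.
# NOTE(review): the "enable sshd" handler only fires when this one line
# changes, so a host where PermitTunnel is already set but sshd is not
# enabled stays that way. A dedicated service task (enabled + started)
# would be more reliable than piggybacking on this notify.
- name: Enable tunnel
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchored to the directive itself; the old `.*PermitTunnel.*` also
    # matched comment lines and Match-block entries, and lineinfile
    # rewrites the last match.
    regexp: '^(#\s*)?PermitTunnel\b'
    line: 'PermitTunnel yes'
    # sshd takes the first value for a keyword, so insert at the top when
    # nothing matches rather than appending after a trailing Match block.
    insertbefore: BOF
    backup: true
    # Refuse the edit if sshd cannot parse the result; a broken config
    # followed by "restart sshd" means lockout.
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - enable sshd
    - restart sshd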

# - name: always start sshd
#   command: chkconfig sshd on

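# Serve an Ed25519 host key. (The task name "Add curves" is a misnomer:
# this adds a HostKey line, it does not touch KexAlgorithms.)
# NOTE(review): as soon as any HostKey directive is active, sshd loads
# only the keys listed and no longer its built-in defaults -- check that
# the distro's sshd_config still lists the rsa/ecdsa keys uncommented, or
# clients that pinned those keys will see a host-key change. The task
# also assumes /etc/ssh/ssh_host_ed25519_key exists (most distros create
# it at package install or first service start via `ssh-keygen -A`).
- name: Add curves
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Match an existing (possibly commented-out) ed25519 HostKey line at
    # the start of a line, so the stock commented entry is uncommented in
    # place rather than a second copy being added.
    regexp: '^(#\s*)?HostKey\s.*ed25519'
    line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
    # HostKey is not allowed inside a Match block; inserting at the top
    # (when nothing matched) avoids appending after a trailing Match.
    insertbefore: BOF
    backup: true
    # Let sshd parse the candidate file before it is installed.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd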

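# Keep PAM enabled so PAM account and session processing applies to SSH
# logins.
- name: enable PAM
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchored match; `\b` also covers a tab after the keyword, which the
    # old `.*UsePAM .*` (literal space required) did not. The old pattern
    # additionally matched prose comment lines containing "UsePAM ", and
    # lineinfile rewrites the last match, so the real directive could be
    # left untouched.
    regexp: '^(#\s*)?UsePAM\b'
    line: 'UsePAM yes'
    # First value wins in sshd_config: insert at the top if no line
    # matched rather than appending after a possible trailing Match block.
    insertbefore: BOF
    backup: true
    # Refuse a config sshd cannot parse, so the restart handler never
    # locks us out.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd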