---
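# Make sure the OpenSSH server package is present before its config is edited.
- name: Installed sshd
  become: true
  package:
    name: openssh-server
    state: present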

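# The Ansible firewalld module needs the firewalld Python bindings on the managed
# host. python-firewall is the Python 2 package; per the warning task below the
# module does not work with python3-firewall on Fedora >= 28, so this and the
# firewalld port task are limited to Fedora < 28 and CentOS >= 7.
# `when` is one expression (not a list) because the two clauses are OR-ed.
- name: install firewalld
  become: true
  package:
    name: python-firewall
    state: present
  when: >-
    (ansible_distribution == "Fedora" and (ansible_distribution_major_version|int) < 28) or
    (ansible_distribution == "CentOS" and (ansible_distribution_major_version|int) >= 7)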

# Informational only: on Fedora >= 28 the firewalld tasks in this file are
# skipped, so port 22 is not opened by this playbook on those hosts.
- name: Warn about firewalld not working
  debug:
    msg: 'Because python3-firewall is not working with the firewalld module, this tasks will not work!'
  when: ansible_distribution == "Fedora" and (ansible_distribution_major_version|int) >= 28

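# Permanently allow inbound SSH in firewalld. Only the permanent configuration
# is written here; the notified handlers reload/restart the daemon so the rule
# becomes active in the running configuration.
- name: Open port 22 on Fedora/CentOS
  become: true
  firewalld:
    port: "22/tcp"
    state: enabled
    permanent: true
  when: >-
    (ansible_distribution == "Fedora" and (ansible_distribution_major_version|int) < 28) or
    (ansible_distribution == "CentOS" and (ansible_distribution_major_version|int) >= 7)
  notify:
    - reload firewalld
    - restart firewalld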

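# Ubuntu hosts use ufw; "OpenSSH" is the application profile shipped with
# openssh-server, so the allowed port follows the package rather than a
# hard-coded number.
- name: Open port 22 on Ubuntu
  become: true
  ufw:
    name: OpenSSH
    rule: allow
  when: ansible_distribution == "Ubuntu"
  notify:
    - reload ufw
    - enable ufw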

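# Refuse logins to accounts with an empty password.
# The regexp is anchored so only the directive line itself (commented out or
# not) is rewritten, never an unrelated line that merely mentions the keyword.
# validate runs sshd's own config check on the candidate file before it is
# written, so a bad edit cannot leave the host without a working sshd.
# NOTE: when no matching line exists lineinfile appends at EOF; on a config that
# ends with a Match block the directive would then be scoped to that block.
- name: Disable empty password login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PermitEmptyPasswords\b'
    line: "PermitEmptyPasswords no"
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd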

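# Let root log in with a key but never with a password.
# "without-password" is the older spelling of OpenSSH's "prohibit-password";
# it is kept because older sshd releases only understand this form. The key
# installed by the "Add root key" task is what this setting is meant to admit.
# Anchored regexp and validate as in the PermitEmptyPasswords task above.
- name: Allow remote root login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PermitRootLogin\b'
    line: "PermitRootLogin without-password"
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd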

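# Install the management key for root. key_options restricts it with from= so
# the key is only accepted from the Ansible control host (ansible_server), which
# limits the blast radius if the private key leaks. rootkey and ansible_server
# are expected to be defined in inventory/vars.
# sshd reads authorized_keys at login time, so the restart notified here is not
# strictly required; it is kept unchanged.
- name: Add root key
  become: true
  authorized_key:
    user: root
    state: present
    key: "{{ rootkey }}"
    key_options: 'from="{{ ansible_server }}"'
  notify: restart sshd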

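# Allow tun(4) device forwarding (ssh -w). Only clients that actually build
# layer-2/3 tunnels need this; the sshd default is "no", so keep this task only
# if such tunnels are in use.
# Anchored regexp and validate as in the PermitEmptyPasswords task above.
- name: Enable tunnel
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PermitTunnel\b'
    line: "PermitTunnel yes"
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - enable sshd
    - restart sshd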

# - name: always start sshd
#   command: chkconfig sshd on

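# Enable the ed25519 host key (the default sshd_config ships this HostKey line
# commented out). The regexp matches the HostKey directive naming the ed25519
# key file, commented or not; if absent the line is appended.
# validate as in the PermitEmptyPasswords task above.
- name: Add curves
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*HostKey\s+.*ed25519'
    line: "HostKey /etc/ssh/ssh_host_ed25519_key"
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd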

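# Route authentication and session setup through PAM (needed for the distro
# PAM stacks, e.g. account/session modules, to apply to SSH logins).
# Anchored regexp and validate as in the PermitEmptyPasswords task above.
- name: enable PAM
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*UsePAM\b'
    line: "UsePAM yes"
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd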