---
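- name: Installed sshd
  # The package is called openssh-server on both the RPM and Debian families
  # handled by this file, so the distribution-agnostic package module is
  # sufficient. 'present' is the canonical state; 'installed' is only a
  # deprecated alias on some package backends.
  become: true
  package:
    name: openssh-server
    state: present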

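- name: install firewalld
  # Installs the Python bindings the firewalld Ansible module needs on the
  # target, not the firewalld daemon itself (assumed present on these
  # distributions -- TODO confirm).
  # NOTE(review): the bindings are packaged as python-firewall on CentOS 7 and
  # older Fedora; newer releases ship python3-firewall -- verify per host.
  become: true
  package:
    name: python-firewall
    state: present
  # ansible_distribution_major_version is a string fact. Without the int cast
  # the comparison is a type error under Python 3 (and always true under
  # Python 2, matching every CentOS release).
  when: ansible_distribution == "Fedora" or
        (ansible_distribution == "CentOS" and
         (ansible_distribution_major_version | int) >= 7)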

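- name: Open port 22 on Fedora/CentOS
  # Adds a fixed 22/tcp rule to the permanent firewalld configuration. The
  # running ruleset is only updated once the notified handlers fire; if the
  # play must never depend on that, 'immediate: true' applies the rule to the
  # runtime configuration as well (requires firewalld to be running).
  # The port is hard-coded: if sshd is moved to another port this rule no
  # longer covers it.
  become: true
  firewalld:
    port: 22/tcp
    permanent: true
    state: enabled
  # ansible_distribution_major_version is a string fact; cast before
  # comparing, otherwise this is a type error under Python 3.
  when: ansible_distribution == "Fedora" or
        (ansible_distribution == "CentOS" and
         (ansible_distribution_major_version | int) >= 7)
  # Both handlers are defined outside this file. Restarting after a reload
  # is presumably redundant, but they are left as notified here.
  notify:
    - reload firewalld
    - restart firewalld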

- name: Open port 22 on Ubuntu
  # Allows the 'OpenSSH' ufw application profile (presumably the one shipped
  # by openssh-server under /etc/ufw/applications.d, port 22). If sshd is
  # moved to another port this profile no longer covers it.
  # Handlers run after the tasks of the play, so this allow rule is in place
  # before the 'enable ufw' handler (defined elsewhere) switches the firewall
  # on -- enabling ufw cannot cut off the SSH session driving the play.
  become: true
  when: ansible_distribution == "Ubuntu"
  ufw:
    rule: allow
    name: OpenSSH
  notify:
    - reload ufw
    - enable ufw

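- name: Disable empty password login
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchor on the directive itself (commented out or active) rather than
    # on any line that merely contains the word, e.g. inside a comment
    # paragraph; lineinfile rewrites the last matching line.
    regexp: '^#?\s*PermitEmptyPasswords\s'
    line: "PermitEmptyPasswords no"
    backup: true
    # Refuse to write a config sshd cannot parse: an unparsable sshd_config
    # followed by the restart handler would lock us out of the host.
    validate: '/usr/sbin/sshd -t -f %s'
  # NOTE(review): when nothing matches, lineinfile appends at EOF. If
  # sshd_config ends with a Match block the directive lands inside it and
  # applies only there -- check hosts that use Match blocks.
  notify: restart sshd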

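- name: Disable remote root login
  # Once this is applied, root can no longer authenticate over SSH at all
  # (not even with a key). Make sure an unprivileged account with sudo and a
  # working key exists on the host before running this task, otherwise the
  # only remaining login path is the console.
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchor on the directive (commented out or active) instead of any line
    # containing the word; lineinfile rewrites the last matching line.
    regexp: '^#?\s*PermitRootLogin\s'
    line: "PermitRootLogin no"
    backup: true
    # Refuse to write a config sshd cannot parse; combined with the restart
    # handler a broken sshd_config would lock us out.
    validate: '/usr/sbin/sshd -t -f %s'
  # NOTE(review): when nothing matches, lineinfile appends at EOF. If
  # sshd_config ends with a Match block the directive lands inside it and
  # applies only to that block -- check hosts that use Match blocks.
  notify: restart sshd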

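- name: Enable tunnel
  # Turns on tun(4) device forwarding. This is a widening of the default:
  # every account that can log in may then build layer-2/layer-3 tunnels
  # (ssh -w) through this host. If only specific users need it, scope the
  # directive with a Match block instead of enabling it globally.
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchor on the directive (commented out or active) instead of any line
    # containing the word; lineinfile rewrites the last matching line.
    regexp: '^#?\s*PermitTunnel\s'
    line: "PermitTunnel yes"
    backup: true
    # Refuse to write a config sshd cannot parse; the restart handler below
    # would otherwise lock us out.
    validate: '/usr/sbin/sshd -t -f %s'
  # NOTE(review): when nothing matches, lineinfile appends at EOF; a trailing
  # Match block would capture the directive. Both handlers are defined
  # outside this file.
  notify:
    - enable sshd
    - restart sshd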

# Kept for reference only: enabling sshd at boot is handled by the
# 'enable sshd' handler notified from the 'Enable tunnel' task above.
# - name: always start sshd
#   command: chkconfig sshd on

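- name: Add curves
  # Activates the ed25519 host key by turning the (usually commented)
  # HostKey line for it into an active directive.
  # NOTE(review): per sshd_config(5) the built-in default key list is only
  # used when no HostKey directive is set. On distributions that ship all
  # HostKey lines commented out this leaves ed25519 as the ONLY host key
  # offered: clients that have just the RSA/ECDSA key pinned in known_hosts
  # will be prompted as for an unknown host, and clients without ed25519
  # support cannot connect. Add the other keys explicitly if that matters.
  # The key file itself is assumed to exist (generated by the distribution's
  # sshd start-up or 'ssh-keygen -A') -- TODO confirm.
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchor on the directive (commented out or active) rather than any line
    # mentioning ed25519; lineinfile rewrites the last matching line.
    regexp: '^#?\s*HostKey\s+.*ed25519'
    line: "HostKey /etc/ssh/ssh_host_ed25519_key"
    backup: true
    # Refuse to write a config sshd cannot parse (or a key it cannot load)
    # before the restart handler fires.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd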

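- name: enable PAM
  # UsePAM yes is what lets PAM account/session modules run for SSH logins.
  # NOTE(review): with PAM on, keyboard-interactive authentication can still
  # accept passwords via PAM even when PasswordAuthentication is 'no'; set
  # ChallengeResponseAuthentication no as well if password logins are meant
  # to be fully disabled (nothing in this file does that yet).
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Anchor on the directive (commented out or active). The previous pattern
    # required a literal space after UsePAM and would miss a tab-separated
    # line, appending a duplicate directive at EOF instead.
    regexp: '^#?\s*UsePAM\s'
    line: "UsePAM yes"
    backup: true
    # Refuse to write a config sshd cannot parse before the restart handler
    # fires; a broken sshd_config would lock us out.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd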