2022-02-27 03:19:20 +00:00
|
|
|
---
|
|
|
|
|
- name: Ensure SSH server is installed
|
2022-03-28 05:01:23 +00:00
|
|
|
ansible.builtin.package:
|
2022-02-27 03:19:20 +00:00
|
|
|
name: openssh-server
|
|
|
|
|
state: present
|
|
|
|
|
|
|
|
|
|
- name: Ensure SSH daemon is enabled
|
2022-03-28 05:01:23 +00:00
|
|
|
ansible.builtin.service:
|
2022-02-27 03:19:20 +00:00
|
|
|
name: sshd
|
|
|
|
|
enabled: true
|
|
|
|
|
|
|
|
|
|
# TODO: Prepare for /etc/ssh/sshd_config.d/* style of configuration
|
|
|
|
|
- name: SSH daemon configuration - global
|
|
|
|
|
block:
|
|
|
|
|
- name: SSH daemon configuration - base
|
2022-03-28 05:01:23 +00:00
|
|
|
ansible.builtin.template:
|
2022-02-27 03:19:20 +00:00
|
|
|
src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
|
|
|
|
|
dest: "/etc/ssh/sshd_config"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0600'
|
|
|
|
|
validate: /usr/sbin/sshd -t -f %s
|
|
|
|
|
backup: true
|
|
|
|
|
notify: restart_sshd
|
2022-07-08 22:02:50 +00:00
|
|
|
when:
|
|
|
|
|
- ansible_distribution_major_version == '8'
|
|
|
|
|
|
2022-07-09 06:44:00 +00:00
|
|
|
- name: Ensure sshd_config.d dir exists
|
|
|
|
|
ansible.builtin.file:
|
|
|
|
|
state: directory
|
|
|
|
|
path: "/etc/ssh/sshd_config.d"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0700'
|
|
|
|
|
notify: restart_sshd
|
|
|
|
|
|
2022-07-08 22:02:50 +00:00
|
|
|
- name: Ensure an empty file exists
|
2023-08-14 07:14:33 +00:00
|
|
|
ansible.builtin.file:
|
2022-07-08 22:02:50 +00:00
|
|
|
state: touch
|
|
|
|
|
path: "/etc/ssh/sshd_config.d/99-end.conf"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0600'
|
|
|
|
|
notify: restart_sshd
|
|
|
|
|
when:
|
|
|
|
|
- ansible_distribution_major_version == '8'
|
2022-06-02 21:47:36 +00:00
|
|
|
|
|
|
|
|
- name: Default Modular Configuration
|
|
|
|
|
when:
|
|
|
|
|
- (ansible_facts['distribution'] == 'Fedora') or
|
|
|
|
|
(ansible_facts['distribution'] in el_distro_name and ansible_facts['distribution_major_version']|int >= 9)
|
|
|
|
|
block:
|
2022-07-08 22:02:50 +00:00
|
|
|
#- name: Modular configuration (redhat)
|
|
|
|
|
# template:
|
|
|
|
|
# src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-50-redhat.conf.j2"
|
|
|
|
|
# dest: "{{ ssh_modular_config }}"
|
|
|
|
|
# owner: root
|
|
|
|
|
# group: root
|
|
|
|
|
# mode: '0600'
|
|
|
|
|
# validate: /usr/sbin/sshd -t -f %s
|
|
|
|
|
# backup: yes
|
|
|
|
|
# notify: restart_sshd
|
2022-06-02 21:47:36 +00:00
|
|
|
|
|
|
|
|
- name: Custom Modular Configuration
|
2023-04-22 01:28:46 +00:00
|
|
|
ansible.builtin.template:
|
2024-03-13 19:02:50 +00:00
|
|
|
src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-02-infra.conf.j2"
|
|
|
|
|
dest: "/etc/ssh/sshd_config.d/02-infra.conf"
|
2022-06-02 21:47:36 +00:00
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0600'
|
|
|
|
|
validate: /usr/sbin/sshd -t -f %s
|
2023-04-22 01:28:46 +00:00
|
|
|
backup: true
|
2022-06-02 21:47:36 +00:00
|
|
|
notify: restart_sshd
|
|
|
|
|
|
2022-02-27 03:19:20 +00:00
|
|
|
rescue:
|
|
|
|
|
- name: Print errors for configuration and validation
|
2023-04-22 01:28:46 +00:00
|
|
|
ansible.builtin.debug:
|
2022-02-27 03:19:20 +00:00
|
|
|
msg: "Error in SSH daemon configuration or template"
|
|
|
|
|
|
|
|
|
|
- name: SSH banner
|
2022-03-28 05:01:23 +00:00
|
|
|
ansible.builtin.copy:
|
2022-02-27 03:19:20 +00:00
|
|
|
src: "etc/rockybanner"
|
2022-07-08 22:07:40 +00:00
|
|
|
dest: "/etc/banner"
|
2022-02-27 03:19:20 +00:00
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0644'
|
|
|
|
|
notify: restart_sshd
|
|
|
|
|
|
|
|
|
|
- name: Remove DSA keys
|
2022-03-28 05:01:23 +00:00
|
|
|
ansible.builtin.file:
|
2022-02-27 03:19:20 +00:00
|
|
|
path: "{{ item }}"
|
|
|
|
|
state: absent
|
|
|
|
|
with_items:
|
|
|
|
|
- /etc/ssh/ssh_host_dsa_key.pub
|
|
|
|
|
- /etc/ssh/ssh_host_dsa_key
|
|
|
|
|
...
|
