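---
# Tasks: install the SSH server, enable its unit, drop in a hardened sshd
# configuration, register the configured port with SELinux and firewalld,
# and disable the default firewalld "ssh" service.

- name: Packages
  ansible.builtin.include_tasks: install.yml
  tags: install

# Ubuntu ships the unit as "ssh"; every other distribution handled here is
# assumed to use "sshd" — TODO confirm for Debian, where "sshd" is only an
# alias of ssh.service.
- name: Set sshd systemd unit for Ubuntu
  ansible.builtin.set_fact:
    system_sshd_unit: ssh
  when: ansible_distribution == "Ubuntu"

- name: Set sshd systemd unit for non-Ubuntu
  ansible.builtin.set_fact:
    system_sshd_unit: sshd
  when: ansible_distribution != "Ubuntu"

# Only enables the unit; starting/restarting is left to the
# "Restart SSH server" handler notified below.
- name: Enable SSH server
  ansible.builtin.service:
    name: "{{ system_sshd_unit }}"
    enabled: true

# The drop-in only takes effect when /etc/ssh/sshd_config includes
# /etc/ssh/sshd_config.d/*.conf — TODO confirm on each target.
# `validate` runs sshd's configuration test on the rendered file before it
# is installed, so a bad template cannot leave the host with an sshd that
# fails to come back after the restart handler fires.
- name: Harden the SSH config
  ansible.builtin.template:
    src: templates/10-harden.conf
    dest: /etc/ssh/sshd_config.d/10-harden.conf
    mode: "0600"  # quoted: a bare 0600 is a YAML 1.1 octal int (ansible-lint risky-octal)
    owner: root
    group: root
    validate: /usr/sbin/sshd -t -f %s
  notify: "Restart SSH server"

- name: Notify SELinux about new port
  community.general.seport:
    ports: "{{ sshd_port }}"
    proto: "tcp"
    setype: "ssh_port_t"
    state: "present"
  when: ansible_facts.selinux.status == 'enabled'

- name: Enable the new SSH port on firewall
  ansible.posix.firewalld:
    port: "{{ sshd_port }}/tcp"
    immediate: true
    permanent: true
    state: enabled
  notify: "Restart SSH server"
  tags: firewall

# NOTE(review): unlike the task above this has no `immediate: true`, so the
# default port stays open in the running ruleset until firewalld reloads.
# Presumably deliberate, to keep the control session reachable until the
# restart handler has moved sshd to the new port — confirm this is intended.
- name: Disable the default SSH port
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    state: disabled
  tags: firewall

# A bare variable in `when` fails the play if sshd_auth_trusted_ca is
# undefined rather than skipping; define it in defaults if that is not wanted.
- name: Set trusted CA
  ansible.builtin.include_tasks: trusted_ca.yml
  when: sshd_auth_trusted_ca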