dotfiles/roles/ssh_server/tasks/main.yml


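---
# ssh_server role tasks: install the server, pick the systemd unit name,
# enable it, install a hardened drop-in config, and open the role's SSH port
# in SELinux and firewalld where those are present.
# Variables read here but defined elsewhere in the role: ssh_server_port,
# sshd_auth_trusted_ca. The handler "Restart SSH server" is also defined
# outside this file.
- name: Packages
  ansible.builtin.include_tasks: install.yml
  tags: install

# Ubuntu names the unit "ssh"; every other distribution handled here uses "sshd".
- name: Set sshd systemd unit for Ubuntu
  ansible.builtin.set_fact:
    system_sshd_unit: ssh
  when: ansible_distribution == "Ubuntu"

- name: Set sshd systemd unit for co-Ubuntu
  ansible.builtin.set_fact:
    system_sshd_unit: sshd
  when: ansible_distribution != "Ubuntu"

# Only enables the unit at boot (no state: started). Applying the hardened
# config to a running daemon is left to the "Restart SSH server" handler.
- name: Enable SSH server
  ansible.builtin.service:
    name: "{{ system_sshd_unit }}"
    enabled: true

# Root-only drop-in under sshd_config.d. The mode is quoted so the YAML parser
# keeps the octal literal as a string instead of turning 0600 into the integer
# 384 (Ansible tolerates the leading-zero form, but the quoted form is the
# documented, parser-independent one).
# NOTE(review): consider adding `validate: /usr/sbin/sshd -t -f %s` so a
# drop-in sshd rejects is never installed, since the handler restart below
# would otherwise take the daemon down on a bad template — confirm the sshd
# path on every targeted distribution before enabling it.
- name: Harden the SSH config
  ansible.builtin.template:
    src: templates/10-harden.conf
    dest: /etc/ssh/sshd_config.d/10-harden.conf
    mode: "0600"
    owner: root
    group: root
  notify: "Restart SSH server"

# Label the role's port as ssh_port_t so an enforcing SELinux policy lets
# sshd bind it. Skipped when the selinux fact is absent or not "enabled".
- name: Notify SELinux about new port
  community.general.seport:
    ports: "{{ ssh_server_port }}"
    proto: "tcp"
    setype: "ssh_port_t"
    state: "present"
  when: ansible_facts.selinux.status == 'enabled'

# Both firewalld tasks key off ansible_facts.services, which is only populated
# after ansible.builtin.service_facts has run (presumably in install.yml —
# verify); if it has not, the condition is false and the tasks are skipped
# rather than failing. The new port is opened both at runtime (immediate) and
# persistently (permanent) before the daemon is restarted onto it.
- name: Enable the new SSH port on firewall
  ansible.posix.firewalld:
    port: "{{ ssh_server_port }}/tcp"
    immediate: true
    permanent: true
    state: enabled
  when: ansible_facts.services['firewalld'] is defined
  notify: "Restart SSH server"
  tags: firewall

# Deliberately permanent-only (no immediate: true): the default "ssh" service
# stays allowed in the running firewall until the next firewalld reload or
# reboot, which keeps the current session reachable while sshd moves ports.
# Keep this in mind when auditing the host — port 22 is not closed at runtime
# by this play.
- name: Disable the default SSH port
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    state: disabled
  when: ansible_facts.services['firewalld'] is defined
  tags: firewall

# sshd_auth_trusted_ca does not follow the ssh_server_ prefix used by the
# role's other variable; it is kept as-is because callers may already set it.
- name: Set trusted CA
  ansible.builtin.include_tasks: trusted_ca.yml
  when: sshd_auth_trusted_ca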