diff --git a/roles/system/sshd/defaults/main.yml b/roles/system/sshd/defaults/main.yml
new file mode 100644
index 0000000..f353109
--- /dev/null
+++ b/roles/system/sshd/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+sshd:
+ port: 10022
+
+ auth:
+ permit_root_login: "no"
+ password_authentication: "no"
+ trusted_ca: true
+
+ sign_host_keys: true
diff --git a/roles/system/sshd/files/10-ca.conf b/roles/system/sshd/files/10-ca.conf
new file mode 100644
index 0000000..3ebd8f9
--- /dev/null
+++ b/roles/system/sshd/files/10-ca.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
diff --git a/roles/system/sshd/handlers/main.yml b/roles/system/sshd/handlers/main.yml
new file mode 100644
index 0000000..8737df8
--- /dev/null
+++ b/roles/system/sshd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart SSH server
+ ansible.builtin.service:
+ name: "{{ sshd_unit }}"
+ state: restarted
diff --git a/roles/system/sshd/tasks/install.yml b/roles/system/sshd/tasks/install.yml
new file mode 100644
index 0000000..ed3d811
--- /dev/null
+++ b/roles/system/sshd/tasks/install.yml
@@ -0,0 +1,15 @@
+---
+- name: SSH family packages for Ubuntu
+ ansible.builtin.set_fact:
+ ssh_packages: [openssh-client, openssh-server]
+ when: ansible_distribution == "Ubuntu"
+
+- name: SSH family packages for co-Ubuntu
+ ansible.builtin.set_fact:
+ ssh_packages: [openssh, openssh-clients, openssh-server]
+ when: ansible_distribution != "Ubuntu"
+
+- name: Install the SSH family
+ ansible.builtin.package:
+ name: "{{ ssh_packages }}"
+ state: present
diff --git a/roles/system/sshd/tasks/main.yml b/roles/system/sshd/tasks/main.yml
new file mode 100644
index 0000000..24d3e5e
--- /dev/null
+++ b/roles/system/sshd/tasks/main.yml
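Review bot: `permit_root_login` and `password_authentication` hold sshd keywords, not booleans, and the quotes are load-bearing: an unquoted `no` is read as `false` by the YAML 1.1 loader Ansible uses and would render into the template as `PermitRootLogin False`, which sshd rejects. Nothing in the file says so, so a comment above `auth:` such as `# sshd keywords, keep quoted: yes | no | prohibit-password | forced-commands-only` would stop the next edit from "fixing" the quotes. `sign_host_keys` is not read by any task in this commit (only `sshd.auth.trusted_ca` is), so it should either be marked `# reserved: host-key signing task not wired up yet` or dropped until that task exists.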
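Review bot: The `ansible_distribution != "Ubuntu"` branch assigns Fedora/RHEL package names (`openssh`, `openssh-clients`) to every non-Ubuntu host, so a Debian or Arch target fails at the `ansible.builtin.package` task with an unknown package. Keying both facts on the family the lists actually assume — `when: ansible_os_family == "Debian"` and `when: ansible_os_family == "RedHat"` — makes the role fail closed on anything else instead of guessing. The same `!= "Ubuntu"` condition picks the `sshd` unit name in tasks/main.yml, where Debian also uses `ssh`, so that pair of tasks needs the same change.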
@@ -0,0 +1,32 @@
+---
+- name: Packages
+ ansible.builtin.include_tasks: install.yml
+ tags: install
+
+- name: Set sshd systemd unit for Ubuntu
+ ansible.builtin.set_fact:
+ sshd_unit: ssh
+ when: ansible_distribution == "Ubuntu"
+
+- name: Set sshd systemd unit for co-Ubuntu
+ ansible.builtin.set_fact:
+ sshd_unit: sshd
+ when: ansible_distribution != "Ubuntu"
+
+- name: Enable SSH server
+ ansible.builtin.service:
+ name: "{{ sshd_unit }}"
+ enabled: true
+
+- name: Harden the SSH config
+ ansible.builtin.template:
+ src: templates/10-harden.conf
+ dest: /etc/ssh/sshd_config.d/10-harden.conf
+ mode: 0600
+ owner: root
+ group: root
+ notify: "Restart SSH server"
+
+- name: Set trusted CA
+ ansible.builtin.include_tasks: trusted_ca.yml
+ when: sshd.auth.trusted_ca
diff --git a/roles/system/sshd/tasks/trusted_ca.yml b/roles/system/sshd/tasks/trusted_ca.yml
new file mode 100644
index 0000000..0f96ed1
--- /dev/null
+++ b/roles/system/sshd/tasks/trusted_ca.yml
@@ -0,0 +1,17 @@
+---
+- name: Fetch the public key from the HashiCorp Vault
+ ansible.builtin.get_url:
+ url: https://hvault.mfocko.xyz/v1/ssh/public_key
+ dest: /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
+ mode: 0600
+ owner: root
+ group: root
+
+- name: Add config for trusted user CA keys
+ ansible.builtin.copy:
+ src: files/10-ca.conf
+ dest: /etc/ssh/sshd_config.d/10-ca.conf
+ mode: 0600
+ owner: root
+ group: root
+ notify: "Restart SSH server"
diff --git a/roles/system/sshd/templates/10-harden.conf b/roles/system/sshd/templates/10-harden.conf
new file mode 100644
index 0000000..9369da9
--- /dev/null
+++ b/roles/system/sshd/templates/10-harden.conf
@@ -0,0 +1,6 @@
+# Port
+Port {{ sshd.port }}
+
+# Auth
+PermitRootLogin {{ sshd.auth.permit_root_login }}
+PasswordAuthentication {{ sshd.auth.password_authentication }}
diff --git a/roles/system/sshd/templates/10-signed-host-key.conf b/roles/system/sshd/templates/10-signed-host-key.conf
new file mode 100644
index 0000000..64caebd
--- /dev/null
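Review bot: The "Harden the SSH config" task rewrites `Port` and the auth settings and then hands off to a restart handler with no syntax check, so one bad render locks every host out on the next run; add `validate: /usr/sbin/sshd -t -f %s` to the `ansible.builtin.template` task (it checks the fragment standalone, which is enough to catch a malformed keyword or value). On the non-Ubuntu branch, if those hosts run SELinux in enforcing mode, sshd cannot bind 10022 until the port carries the `ssh_port_t` label (and a firewall rule is opened), which nothing in this role does — that needs a task or at least a comment next to `sshd_unit: sshd`. Recent Ubuntu releases start sshd through `ssh.socket`, where the listening port comes from the socket unit rather than `Port` in sshd_config, so the Ubuntu branch may silently keep port 22; worth verifying on a target before relying on 10022.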
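Review bot: The file `get_url` writes is the root of trust for user logins — any certificate signed by that CA is accepted for the principals it names — yet it is fetched from a hard-coded URL with no integrity pin, and because `get_url` defaults to `force: false` the file is never re-downloaded once it exists, so a CA rotation on the Vault side silently never reaches the hosts. Make the URL a role variable and add `checksum: "sha256:<expected-ca-key-digest>"` so the task fails loudly on an unexpected key, or set `force: true` if rotation is meant to flow through automatically. Since 10-ca.conf sets no `AuthorizedPrincipalsFile`, a certificate is accepted whenever its principal list contains the target username, which deserves a comment above the "Add config for trusted user CA keys" task. `mode: 0600` here and in tasks/main.yml is an unquoted octal that the YAML loader turns into an integer; Ansible happens to interpret it correctly, but `mode: "0600"` is the form ansible-lint accepts.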
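Review bot: `PasswordAuthentication no` on its own does not close the password path on hosts whose main config leaves keyboard-interactive at the OpenSSH default of yes: PAM can still prompt for the same password over the keyboard-interactive method, so the fragment should also set `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on OpenSSH older than 8.7). sshd keeps the first value it sees for a keyword, so this 10-prefixed drop-in overrides later fragments and the distro file as long as the `Include sshd_config.d/*.conf` line sits at the top of the main config, as it does on Ubuntu and Fedora; that precedence is worth stating in a header comment together with `# {{ ansible_managed }}` so nobody hand-edits the rendered file.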
+++ b/roles/system/sshd/templates/10-signed-host-key.conf
@@ -0,0 +1,3 @@
+HostCertificate /etc/ssh/sshd_config.d/ssh_host_rsa_key-cert.pub
+HostCertificate /etc/ssh/sshd_config.d/ssh_host_ecdsa_key-cert.pub
+HostCertificate /etc/ssh/sshd_config.d/ssh_host_ed25519_key-cert.pub
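Review bot: Nothing in this commit renders or installs this template — no task references it and `sshd.sign_host_keys` from the defaults is never read — so the three `HostCertificate` lines are dead until a host-key signing task lands; either add that task or put `# placeholder: not deployed until host-key signing is wired up` at the top. The certificate paths also point into `sshd_config.d/`, whereas sshd by default looks for a `<HostKey>-cert.pub` sibling next to each host key in `/etc/ssh/` (see the HostCertificate entry in sshd_config(5)); if the future signing step writes the certificates there, these explicit lines become unnecessary, and if it does not, the paths here and in that step must agree or sshd logs a missing-certificate error at start.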