roles(system/sshd): create SSH server config

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2023-08-29 11:14:23 +02:00
parent b4a1a63982
commit 2d4cc595e8
Signed by: mfocko
GPG key ID: 7C47D46246790496
8 changed files with 89 additions and 0 deletions


@ -0,0 +1,10 @@
---
sshd:
port: 10022
auth:
permit_root_login: "no"
password_authentication: "no"
trusted_ca: true
sign_host_keys: true
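Review bot: `sign_host_keys: true` has no consumer anywhere in this commit — none of the task files reads it, and the HostCertificate fragment added at the end of the diff is never deployed — so the default documents behaviour the role does not have yet; either drop it or add a comment such as `# not yet consumed; host-certificate deployment is TODO`. Nesting everything under a single `sshd:` mapping also means an inventory that overrides only `sshd.port` replaces the whole dict under Ansible's default `hash_behaviour=replace`, silently losing the `"no"` hardening defaults; flat role variables (`sshd_port`, `sshd_permit_root_login`, …) avoid that. The quoting of `"no"` is correct and should stay — unquoted it would parse as a boolean and render as `False` in the template.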


@ -0,0 +1 @@
TrustedUserCAKeys /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
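Review bot: `TrustedUserCAKeys` on its own means a certificate is accepted for any account whose name appears in its principals list, so the CA's principal discipline is the only thing separating users from root on these hosts. Consider pairing it with a per-user principals mapping, e.g. `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u`, so that who may log in as whom is decided on the host rather than solely by the issuer. Keeping the key file under `sshd_config.d/` is harmless only because it is not named `*.conf` and so is not picked up by the default `Include`; a comment saying so would stop someone "fixing" the extension later.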


@ -0,0 +1,5 @@
---
- name: Restart SSH server
ansible.builtin.service:
name: "{{ sshd_unit }}"
state: restarted


@ -0,0 +1,15 @@
---
- name: SSH family packages for Ubuntu
ansible.builtin.set_fact:
ssh_packages: [openssh-client, openssh-server]
when: ansible_distribution == "Ubuntu"
- name: SSH family packages for co-Ubuntu
ansible.builtin.set_fact:
ssh_packages: [openssh, openssh-clients, openssh-server]
when: ansible_distribution != "Ubuntu"
- name: Install the SSH family
ansible.builtin.package:
name: "{{ ssh_packages }}"
state: present
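Review bot: The fallback condition `ansible_distribution != "Ubuntu"` routes every non-Ubuntu host to the Fedora/RHEL-style package names (`openssh`, `openssh-clients`, `openssh-server`), so a Debian host — which uses the same `openssh-client`/`openssh-server` names as Ubuntu — would fail the install. Keying on the OS family is what the two lists actually distinguish: `when: ansible_os_family == "Debian"` for the first task and `when: ansible_os_family != "Debian"` for the second. The same `!= "Ubuntu"` split recurs in the `sshd_unit` tasks of the main task file (Debian's unit is also `ssh`), so it should be fixed there too.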


@ -0,0 +1,32 @@
---
- name: Packages
ansible.builtin.include_tasks: install.yml
tags: install
- name: Set sshd systemd unit for Ubuntu
ansible.builtin.set_fact:
sshd_unit: ssh
when: ansible_distribution == "Ubuntu"
- name: Set sshd systemd unit for co-Ubuntu
ansible.builtin.set_fact:
sshd_unit: sshd
when: ansible_distribution != "Ubuntu"
- name: Enable SSH server
ansible.builtin.service:
name: "{{ sshd_unit }}"
enabled: true
- name: Harden the SSH config
ansible.builtin.template:
src: templates/10-harden.conf
dest: /etc/ssh/sshd_config.d/10-harden.conf
mode: 0600
owner: root
group: root
notify: "Restart SSH server"
- name: Set trusted CA
ansible.builtin.include_tasks: trusted_ca.yml
when: sshd.auth.trusted_ca
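Review bot: The "Harden the SSH config" template task has no `validate:`, so a bad render (for example `PermitRootLogin False` from an unquoted default) is written to disk and the notified handler then restarts sshd on it, which can leave the host with no SSH at all; add `validate: /usr/sbin/sshd -t -f %s` to the task so the fragment is checked before it is installed. "Enable SSH server" only sets `enabled: true` and never starts the unit, so a freshly installed server stays down until the handler happens to fire; add `state: started`. `mode: 0600` is an unquoted YAML 1.1 octal — Ansible's own guidance is to quote file modes (`mode: "0600"`) so the value survives loops and templating unchanged; the same applies to the two `mode:` lines in the trusted-CA task file. The role also assumes the distro's `sshd_config` already has `Include /etc/ssh/sshd_config.d/*.conf`; if older releases are in scope, that assumption should be stated or checked.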


@ -0,0 +1,17 @@
---
- name: Fetch the public key from the HashiCorp Vault
ansible.builtin.get_url:
url: https://hvault.mfocko.xyz/v1/ssh/public_key
dest: /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
mode: 0600
owner: root
group: root
- name: Add config for trusted user CA keys
ansible.builtin.copy:
src: files/10-ca.conf
dest: /etc/ssh/sshd_config.d/10-ca.conf
mode: 0600
owner: root
group: root
notify: "Restart SSH server"
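Review bot: The CA public key fetched by `get_url` is the trust root for all certificate-based logins, yet nothing pins its content — whatever `https://hvault.mfocko.xyz/v1/ssh/public_key` returns at run time becomes a trusted CA, so TLS validation of that endpoint is the single integrity control. Add `checksum: "sha256:<EXPECTED_CA_KEY_SHA256>"` (placeholder; take the digest from the known-good key) so a changed or substituted response fails the task instead of being installed, or ship the key as a file in the role alongside `10-ca.conf` and drop the network fetch entirely. The missing `notify` on the fetch task appears intentional since sshd re-reads `TrustedUserCAKeys` at authentication time, but a one-line comment stating that would save the next reader the check. The two `mode: 0600` values should be quoted as in the main task file.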


@ -0,0 +1,6 @@
# Port
Port {{ sshd.port }}
# Auth
PermitRootLogin {{ sshd.auth.permit_root_login }}
PasswordAuthentication {{ sshd.auth.password_authentication }}
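Review bot: Moving sshd to `Port 10022` on the non-Ubuntu path will fail on an SELinux-enforcing Fedora/RHEL host unless the port is labelled `ssh_port_t` (e.g. via `ansible.posix.seport`) and opened in the firewall; as written, the restart handler would then leave sshd unable to bind, with no rollback. sshd takes the first value it sees for most keywords, so this fragment only wins if the distro's `Include` line precedes the main file's own `Port`/`PermitRootLogin` settings — true for current Ubuntu and Fedora, but worth a comment in the template, e.g. `# Included before the main sshd_config settings; first value wins`. A `{{ ansible_managed }}` header line would also mark the file as generated.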


@ -0,0 +1,3 @@
HostCertificate /etc/ssh/sshd_config.d/ssh_host_rsa_key-cert.pub
HostCertificate /etc/ssh/sshd_config.d/ssh_host_ecdsa_key-cert.pub
HostCertificate /etc/ssh/sshd_config.d/ssh_host_ed25519_key-cert.pub
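Review bot: No task in this commit copies or templates this file, and the `sign_host_keys` default that would presumably gate it is never read, so these three `HostCertificate` lines are dead content as of this change. If it is meant to land later, a header comment such as `# Deployed only when sshd.auth.sign_host_keys is true (not yet wired up)` would make the intent explicit. Also confirm before wiring it up that sshd treats a missing certificate file as a logged error rather than a fatal one, since the certificates are written by a signing step that does not exist in the role yet.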