roles(system/sshd): create SSH server config
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
b4a1a63982
commit
2d4cc595e8
8 changed files with 89 additions and 0 deletions
10
roles/system/sshd/defaults/main.yml
Normal file
10
roles/system/sshd/defaults/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
sshd:
|
||||||
|
port: 10022
|
||||||
|
|
||||||
|
auth:
|
||||||
|
permit_root_login: "no"
|
||||||
|
password_authentication: "no"
|
||||||
|
trusted_ca: true
|
||||||
|
|
||||||
|
sign_host_keys: true
|
1
roles/system/sshd/files/10-ca.conf
Normal file
1
roles/system/sshd/files/10-ca.conf
Normal file
|
@ -0,0 +1 @@
|
||||||
|
TrustedUserCAKeys /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
|
5
roles/system/sshd/handlers/main.yml
Normal file
5
roles/system/sshd/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: Restart SSH server
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ sshd_unit }}"
|
||||||
|
state: restarted
|
15
roles/system/sshd/tasks/install.yml
Normal file
15
roles/system/sshd/tasks/install.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
- name: SSH family packages for Ubuntu
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
ssh_packages: [openssh-client, openssh-server]
|
||||||
|
when: ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
|
- name: SSH family packages for co-Ubuntu
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
ssh_packages: [openssh, openssh-clients, openssh-server]
|
||||||
|
when: ansible_distribution != "Ubuntu"
|
||||||
|
|
||||||
|
- name: Install the SSH family
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: "{{ ssh_packages }}"
|
||||||
|
state: present
|
32
roles/system/sshd/tasks/main.yml
Normal file
32
roles/system/sshd/tasks/main.yml
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
---
|
||||||
|
- name: Packages
|
||||||
|
ansible.builtin.include_tasks: install.yml
|
||||||
|
tags: install
|
||||||
|
|
||||||
|
- name: Set sshd systemd unit for Ubuntu
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
sshd_unit: ssh
|
||||||
|
when: ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
|
- name: Set sshd systemd unit for co-Ubuntu
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
sshd_unit: sshd
|
||||||
|
when: ansible_distribution != "Ubuntu"
|
||||||
|
|
||||||
|
- name: Enable SSH server
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ sshd_unit }}"
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: Harden the SSH config
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: templates/10-harden.conf
|
||||||
|
dest: /etc/ssh/sshd_config.d/10-harden.conf
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: "Restart SSH server"
|
||||||
|
|
||||||
|
- name: Set trusted CA
|
||||||
|
ansible.builtin.include_tasks: trusted_ca.yml
|
||||||
|
when: sshd.auth.trusted_ca
|
17
roles/system/sshd/tasks/trusted_ca.yml
Normal file
17
roles/system/sshd/tasks/trusted_ca.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
- name: Fetch the public key from the HashiCorp Vault
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://hvault.mfocko.xyz/v1/ssh/public_key
|
||||||
|
dest: /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Add config for trusted user CA keys
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: files/10-ca.conf
|
||||||
|
dest: /etc/ssh/sshd_config.d/10-ca.conf
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: "Restart SSH server"
|
6
roles/system/sshd/templates/10-harden.conf
Normal file
6
roles/system/sshd/templates/10-harden.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
# Port
|
||||||
|
Port {{ sshd.port }}
|
||||||
|
|
||||||
|
# Auth
|
||||||
|
PermitRootLogin {{ sshd.auth.permit_root_login }}
|
||||||
|
PasswordAuthentication {{ sshd.auth.password_authentication }}
|
3
roles/system/sshd/templates/10-signed-host-key.conf
Normal file
3
roles/system/sshd/templates/10-signed-host-key.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
HostCertificate /etc/ssh/sshd_config.d/ssh_host_rsa_key-cert.pub
|
||||||
|
HostCertificate /etc/ssh/sshd_config.d/ssh_host_ecdsa_key-cert.pub
|
||||||
|
HostCertificate /etc/ssh/sshd_config.d/ssh_host_ed25519_key-cert.pub
|
Loading…
Reference in a new issue