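---
# Install and harden the OpenSSH server.
#
# Flow: install packages -> pick the systemd unit name -> enable the unit ->
# drop a hardening fragment into sshd_config.d (notifies the "Restart SSH
# server" handler, defined outside this file) -> label the configured port
# for SELinux -> open it in firewalld and drop the stock "ssh" service rule
# -> optionally install a trusted user CA.
#
# Lockout safety relies on handler ordering: the SSH restart runs at the
# end of the play, after the SELinux and firewalld tasks below have run.
# Variables used: ssh_server_port, sshd_auth_trusted_ca (defined elsewhere).

- name: Packages
  ansible.builtin.include_tasks: install.yml
  tags: install

# Ubuntu ships the daemon as ssh.service; most other distributions use
# sshd.service. NOTE(review): Debian also uses ssh.service (sshd.service is
# only an alias there) — if Debian hosts are in scope, consider keying on
# ansible_os_family == "Debian" instead.
- name: Select the sshd systemd unit name
  ansible.builtin.set_fact:
    system_sshd_unit: "{{ 'ssh' if ansible_distribution == 'Ubuntu' else 'sshd' }}"

- name: Enable SSH server
  ansible.builtin.service:
    name: "{{ system_sshd_unit }}"
    enabled: true

# The fragment must be root-only (quoted octal so YAML does not retype it).
# NOTE(review): there is no syntax check before the handler restarts sshd;
# a broken template locks you out. `validate: /usr/sbin/sshd -t -f %s`
# is the usual guard — confirm it parses a standalone sshd_config.d
# fragment on the target distributions before enabling it.
- name: Harden the SSH config
  ansible.builtin.template:
    src: templates/10-harden.conf
    dest: /etc/ssh/sshd_config.d/10-harden.conf
    mode: "0600"
    owner: root
    group: root
  notify: "Restart SSH server"

# Without the ssh_port_t label sshd cannot bind a non-default port under
# enforcing SELinux. The default() keeps this skipped (rather than failing)
# on hosts where the selinux fact is absent.
- name: Notify SELinux about new port
  community.general.seport:
    ports: "{{ ssh_server_port }}"
    proto: "tcp"
    setype: "ssh_port_t"
    state: "present"
  when: ansible_facts.selinux.status | default('disabled') == 'enabled'

# ansible_facts.services is only populated by ansible.builtin.service_facts
# (presumably gathered in install.yml — verify). On systemd hosts the key is
# reported as 'firewalld.service'; a bare 'firewalld' lookup can miss it,
# silently skipping both firewall tasks while sshd moves to the new port.
# Both spellings are accepted here.
- name: Enable the new SSH port on firewall
  ansible.posix.firewalld:
    port: "{{ ssh_server_port }}/tcp"
    immediate: true
    permanent: true
    state: enabled
  when: >-
    ansible_facts.services is defined and
    ('firewalld.service' in ansible_facts.services
     or 'firewalld' in ansible_facts.services)
  notify: "Restart SSH server"
  tags: firewall

# Deliberately permanent-only (no immediate: true): the stock port stays
# reachable in the running ruleset until the next firewalld reload, by
# which time sshd has been restarted on the new port.
- name: Disable the default SSH port
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    state: disabled
  when: >-
    ansible_facts.services is defined and
    ('firewalld.service' in ansible_facts.services
     or 'firewalld' in ansible_facts.services)
  tags: firewall

# Optional: install a trusted user CA for certificate-based authentication.
- name: Set trusted CA
  ansible.builtin.include_tasks: trusted_ca.yml
  when: sshd_auth_trusted_ca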