Add sshd_config

host_vars/sapt-labx-ctl01.yml

@@ -1,4 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-fqdn: sapt-labx-ctl01.infr.servers.sapti.me
+fqdn: sapt-labx-ctl01.infra.servers.sapti.me

host_vars/sapt-labx-pve01.yml

@@ -1,4 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-fqdn: sapt-labx-pve01.infr.servers.sapti.me
+fqdn: sapt-labx-pve01.infra.servers.sapti.me

inventory.ini

@@ -19,10 +19,10 @@ sapt-labr-prx02     ansible_host=192.168.17.11
 [monitoring_shrd]
 sapt-labr-mon01     ansible_host=192.168.17.20
 
-[vmhost_infr]
+[vmhost_infra]
 sapt-labx-pve01     ansible_host=192.168.17.3
 
-[control_infr]
+[control_infra]
 sapt-labx-ctl01     ansible_host=192.168.17.8
 
 [production:children]
@@ -50,6 +50,6 @@ production
 staging
 shared
 
-[physicalservers:children]
-vmhost_infr
-control_infr
+[infrastructure:children]
+vmhost_infra
+control_infra

roles/common/tasks/ssh.yml

@@ -1,26 +1,11 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Allow SSH login with public keys
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '^#?PubkeyAuthentication '
-    line: PubkeyAuthentication yes
-    state: present
-  notify: Restart sshd
-
-- name: Disallow SSH login with password
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '^#?PasswordAuthentication '
-    line: PasswordAuthentication no
-    state: present
-  notify: Restart sshd
-
-- name: Disallow root login over SSH
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '^#?PermitRootLogin '
-    line: PermitRootLogin no
-    state: present
+- name: Copy sshd_config
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    mode: u=rw,g=r,o=r
+    validate: /usr/sbin/sshd -t -f %s
   notify: Restart sshd

roles/common/templates/etc/hosts.j2

@@ -15,9 +15,9 @@ ff02::3 ip6-allhosts
 {% for host in groups['virtualservers'] %}
 {{ hostvars[host].private_ip }} {{ hostvars[host].fqdn }}
 {% endfor %}
-{% elif hostname in groups['control_infr'] %}
+{% elif hostname in groups['control_infra'] %}
 # Static hostnames for VM hosts
-{% for host in groups['vmhost_infr'] %}
+{% for host in groups['vmhost_infra'] %}
 {{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }}
 {% endfor %}
 

roles/common/templates/etc/ssh/sshd_config.j2

@@ -0,0 +1,30 @@
+# code: language=ansible-jinja
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+MaxAuthTries 3
+PubkeyAuthentication yes
+{% if hostname in groups['infrastructure'] %}
+PermitRootLogin yes
+{% else %}
+PermitRootLogin no
+{% endif %}
+PermitEmptyPasswords no
+PasswordAuthentication no
+IgnoreRhosts yes
+UsePAM yes
+
+AllowAgentForwarding no
+X11Forwarding no
+PrintMotd no
+UseDNS no
+AcceptEnv LANG LC_*
+
+{% if hostname in groups['infrastructure'] %}
+Match User root
+    PasswordAuthentication yes
+{% endif %}