From 65be11b3f1bda0a7d91bb8e57ad00f109e6e997a Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Tue, 7 Nov 2023 22:15:20 +0100
Subject: [PATCH] Add sshd_config
---
 host_vars/sapt-labx-ctl01.yml | 2 +-
 host_vars/sapt-labx-pve01.yml | 2 +-
 inventory.ini | 10 +++---
 roles/common/tasks/ssh.yml | 29 +++++-------------
 roles/common/templates/etc/hosts.j2 | 4 +--
 roles/common/templates/etc/ssh/sshd_config.j2 | 30 +++++++++++++++++++
 6 files changed, 46 insertions(+), 31 deletions(-)
 create mode 100644 roles/common/templates/etc/ssh/sshd_config.j2
diff --git a/host_vars/sapt-labx-ctl01.yml b/host_vars/sapt-labx-ctl01.yml
index ad46d8e..1ea0cd3 100644
--- a/host_vars/sapt-labx-ctl01.yml
+++ b/host_vars/sapt-labx-ctl01.yml
@@ -1,4 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-fqdn: sapt-labx-ctl01.infr.servers.sapti.me
+fqdn: sapt-labx-ctl01.infra.servers.sapti.me
diff --git a/host_vars/sapt-labx-pve01.yml b/host_vars/sapt-labx-pve01.yml
index 1269e43..d17409d 100644
--- a/host_vars/sapt-labx-pve01.yml
+++ b/host_vars/sapt-labx-pve01.yml
@@ -1,4 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-fqdn: sapt-labx-pve01.infr.servers.sapti.me
+fqdn: sapt-labx-pve01.infra.servers.sapti.me
diff --git a/inventory.ini b/inventory.ini
index 4689ebb..2bd9404 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -19,10 +19,10 @@ sapt-labr-prx02 ansible_host=192.168.17.11
 [monitoring_shrd]
 sapt-labr-mon01 ansible_host=192.168.17.20
-[vmhost_infr]
+[vmhost_infra]
 sapt-labx-pve01 ansible_host=192.168.17.3
-[control_infr]
+[control_infra]
 sapt-labx-ctl01 ansible_host=192.168.17.8
 [production:children]
@@ -50,6 +50,6 @@ production
 staging
 shared
-[physicalservers:children]
-vmhost_infr
-control_infr
\ No newline at end of file
+[infrastructure:children]
+vmhost_infra
+control_infra
diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml
index a8f2b39..8b0d0e5 100644
--- a/roles/common/tasks/ssh.yml
+++ b/roles/common/tasks/ssh.yml
@@ -1,26 +1,11 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Allow SSH login with public keys
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?PubkeyAuthentication '
- line: PubkeyAuthentication yes
- state: present
- notify: Restart sshd
-
-- name: Disallow SSH login with password
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?PasswordAuthentication '
- line: PasswordAuthentication no
- state: present
- notify: Restart sshd
-
-- name: Disallow root login over SSH
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?PermitRootLogin '
- line: PermitRootLogin no
- state: present
+- name: Copy sshd_config
+ ansible.builtin.template:
+ src: etc/ssh/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ mode: u=rw,g=r,o=r
+ validate: /usr/sbin/sshd -t -f %s
 notify: Restart sshd
diff --git a/roles/common/templates/etc/hosts.j2 b/roles/common/templates/etc/hosts.j2
index 4ccb670..6551090 100644
--- a/roles/common/templates/etc/hosts.j2
+++ b/roles/common/templates/etc/hosts.j2
@@ -15,9 +15,9 @@ ff02::3 ip6-allhosts
 {% for host in groups['virtualservers'] %}
 {{ hostvars[host].private_ip }} {{ hostvars[host].fqdn }}
 {% endfor %}
-{% elif hostname in groups['control_infr'] %}
+{% elif hostname in groups['control_infra'] %}
 # Static hostnames for VM hosts
-{% for host in groups['vmhost_infr'] %}
+{% for host in groups['vmhost_infra'] %}
 {{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }}
 {% endfor %}
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000..7e812c4
--- /dev/null
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
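Review bot: The new template task in roles/common/tasks/ssh.yml sets `owner: root` but no `group`, so the group of `/etc/ssh/sshd_config` is presumably left as whatever the existing file had, while `mode: u=rw,g=r,o=r` grants that group read access; add `group: root` beside `owner: root` to pin it. Since this task now replaces the distribution file wholesale instead of editing three keywords, `backup: true` would keep the original for recovery after the first run, and the task name `Copy sshd_config` undersells what it does — something like `- name: Deploy sshd_config (key-only auth, root login policy per inventory group)` tells the next reader where the policy now lives. The `validate: /usr/sbin/sshd -t -f %s` check is good, but it only verifies syntax; it cannot catch a drop-in pulled in by the template's Include line re-enabling password authentication.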
@@ -0,0 +1,30 @@
+# code: language=ansible-jinja
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+MaxAuthTries 3
+PubkeyAuthentication yes
+{% if hostname in groups['infrastructure'] %}
+PermitRootLogin yes
+{% else %}
+PermitRootLogin no
+{% endif %}
+PermitEmptyPasswords no
+PasswordAuthentication no
+IgnoreRhosts yes
+UsePAM yes
+
+AllowAgentForwarding no
+X11Forwarding no
+PrintMotd no
+UseDNS no
+AcceptEnv LANG LC_*
+
+{% if hostname in groups['infrastructure'] %}
+Match User root
+ PasswordAuthentication yes
+{% endif %}
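Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` on the first line of the template lets any drop-in in that directory override every keyword below it, because sshd keeps the first value it obtains for a keyword; on Debian/Ubuntu hosts a vendor or cloud-init drop-in that sets `PasswordAuthentication yes` would silently defeat the `PasswordAuthentication no` this file is meant to enforce. Move the Include below the global settings but above the `Match User root` block (an Include placed after a Match is scoped to that Match), or have the role manage the contents of `/etc/ssh/sshd_config.d/` so no conflicting drop-in exists. With `UsePAM yes`, `PasswordAuthentication no` alone still leaves PAM keyboard-interactive password prompts available, so add `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on OpenSSH older than 8.7) beside it. For the `infrastructure` group, `PermitRootLogin yes` together with the trailing `Match User root` / `PasswordAuthentication yes` reinstates exactly the root password login the removed lineinfile tasks in roles/common/tasks/ssh.yml forbade; if key-based root access suffices, `PermitRootLogin prohibit-password` without the Match block keeps root key-only, and a template comment should record why root login is required on those hosts at all.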