Add sshd_config

Sam A. 2023-11-07 22:15:20 +01:00
parent bb71e83d23
commit 65be11b3f1
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
6 changed files with 46 additions and 31 deletions


@ -1,4 +1,4 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
fqdn: sapt-labx-ctl01.infr.servers.sapti.me fqdn: sapt-labx-ctl01.infra.servers.sapti.me


@ -1,4 +1,4 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
fqdn: sapt-labx-pve01.infr.servers.sapti.me fqdn: sapt-labx-pve01.infra.servers.sapti.me


@ -19,10 +19,10 @@ sapt-labr-prx02 ansible_host=192.168.17.11
[monitoring_shrd] [monitoring_shrd]
sapt-labr-mon01 ansible_host=192.168.17.20 sapt-labr-mon01 ansible_host=192.168.17.20
[vmhost_infr] [vmhost_infra]
sapt-labx-pve01 ansible_host=192.168.17.3 sapt-labx-pve01 ansible_host=192.168.17.3
[control_infr] [control_infra]
sapt-labx-ctl01 ansible_host=192.168.17.8 sapt-labx-ctl01 ansible_host=192.168.17.8
[production:children] [production:children]
@ -50,6 +50,6 @@ production
staging staging
shared shared
[physicalservers:children] [infrastructure:children]
vmhost_infr vmhost_infra
control_infr control_infra


@ -1,26 +1,11 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Allow SSH login with public keys - name: Copy sshd_config
ansible.builtin.lineinfile: ansible.builtin.template:
path: /etc/ssh/sshd_config src: etc/ssh/sshd_config.j2
regexp: '^#?PubkeyAuthentication ' dest: /etc/ssh/sshd_config
line: PubkeyAuthentication yes owner: root
state: present mode: u=rw,g=r,o=r
notify: Restart sshd validate: /usr/sbin/sshd -t -f %s
- name: Disallow SSH login with password
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication '
line: PasswordAuthentication no
state: present
notify: Restart sshd
- name: Disallow root login over SSH
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin '
line: PermitRootLogin no
state: present
notify: Restart sshd notify: Restart sshd
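Review bot: Replacing the whole file with the template silently drops every stock directive the template does not reproduce, and the `etc/ssh/sshd_config.j2` added in this commit carries no `Subsystem sftp /usr/lib/openssh/sftp-server` line, so SFTP stops working on every managed host; Ansible's default `smart` transfer tries sftp first and OpenSSH 9's `scp` also speaks SFTP, so the play itself may end up on the slower piped fallback on the next run. The `validate: /usr/sbin/sshd -t -f %s` step catches syntax errors but not this kind of semantic regression, so keep a `backup: true` on the task until the template has been proven on each host type. Also add `group: root` beside `owner: root` so ownership is fully pinned rather than inherited from the rendering process.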


@ -15,9 +15,9 @@ ff02::3 ip6-allhosts
{% for host in groups['virtualservers'] %} {% for host in groups['virtualservers'] %}
{{ hostvars[host].private_ip }} {{ hostvars[host].fqdn }} {{ hostvars[host].private_ip }} {{ hostvars[host].fqdn }}
{% endfor %} {% endfor %}
{% elif hostname in groups['control_infr'] %} {% elif hostname in groups['control_infra'] %}
# Static hostnames for VM hosts # Static hostnames for VM hosts
{% for host in groups['vmhost_infr'] %} {% for host in groups['vmhost_infra'] %}
{{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }} {{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }}
{% endfor %} {% endfor %}


@ -0,0 +1,30 @@
# code: language=ansible-jinja
Include /etc/ssh/sshd_config.d/*.conf
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
MaxAuthTries 3
PubkeyAuthentication yes
{% if hostname in groups['infrastructure'] %}
PermitRootLogin yes
{% else %}
PermitRootLogin no
{% endif %}
PermitEmptyPasswords no
PasswordAuthentication no
IgnoreRhosts yes
UsePAM yes
AllowAgentForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
AcceptEnv LANG LC_*
{% if hostname in groups['infrastructure'] %}
Match User root
PasswordAuthentication yes
{% endif %}
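Review bot: The `infrastructure` branch re-enables interactive root password logins (`PermitRootLogin yes` together with the trailing `Match User root` / `PasswordAuthentication yes` block) on the hypervisor and control host, which the replaced lineinfile tasks had explicitly disabled, and `MaxAuthTries 3` only slows a brute-force attempt rather than preventing one. Unless something on those hosts genuinely needs a root password over SSH (Proxmox cluster traffic presumably runs on root keys, so likely not), `PermitRootLogin prohibit-password` with the Match block removed keeps root key-only; if password login must stay, at least scope it with `Match User root Address 192.168.17.0/24`. Separately, `PasswordAuthentication no` does not close the PAM keyboard-interactive path while `UsePAM yes` is set and `KbdInteractiveAuthentication` is left at its default of yes, so add `KbdInteractiveAuthentication no` next to it. Finally, because `Include /etc/ssh/sshd_config.d/*.conf` is the first directive and sshd keeps the first value it obtains for each keyword, any distro drop-in (cloud-init's `50-cloud-init.conf` with `PasswordAuthentication yes` is the usual one) silently wins over everything below it — either move the Include to the end of the file or have the play remove those drop-ins.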