---
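# Install OpenSSH on Arch-family hosts. Arch provides a single "openssh"
# package, whereas the Debian task below installs server and client separately.
- name: SSH (ArchLinux)
  become: true
  when: ansible_os_family == "Archlinux"
  package:
    state: present
    name:
      - openssh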
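# Install the OpenSSH server and client on Debian-family hosts (Raspbian
# reports ansible_os_family "Debian", hence the condition).
- name: SSH (Raspbian)
  become: true
  when: ansible_os_family == "Debian"
  package:
    state: present
    name:
      - openssh-server
      - openssh-client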
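# Set the immutable attribute on the sshd host keys so they cannot be replaced
# or deleted (even by root) until the attribute is cleared. Expect anything
# that regenerates host keys, such as a package upgrade or ssh-keygen -A, to
# fail loudly rather than rotate them silently; clear the attribute first when
# a deliberate rotation is intended. Only the ed25519 and RSA pairs are
# covered here.
- name: Mark SSH keys as immutable
  become: true
  file:
    path: "{{ item }}"
    attributes: i
  loop:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_ed25519_key.pub
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_rsa_key.pub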
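# Create the access-control groups that the managed sshd_config presumably
# references (AllowGroups / Match Group); their purpose is implied by the
# names only — confirm against sshd_config.
- name: Add SSH control groups
  become: true
  group:
    name: "{{ item }}"
    state: present
  loop:
    - ssh-allow
    - ssh-forward
    - sftp-home-jail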
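# Add the connecting user to ssh-allow so access is retained once the
# group-gated sshd_config is installed. append keeps the user's existing
# group memberships instead of replacing them with ssh-allow alone.
- name: Add SSH user to ssh-allow
  become: true
  user:
    name: "{{ ansible_user_id }}"
    groups: ssh-allow
    append: true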
# Authorise the deploy public key for the connecting user. Both lookups are
# evaluated on the control node, so the key is read from the controller's
# $HOME/.ssh/deploy.pub, not from the managed host. No exclusive flag is set,
# so keys already present in authorized_keys are presumably left in place.
- name: Copy the SSH key
  authorized_key:
    state: present
    user: '{{ ansible_user_id }}'
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
# Install the system-wide SSH client configuration. src is resolved from the
# files/ directory of this role or play.
- name: SSH Config
  become: true
  copy:
    dest: /etc/ssh/ssh_config
    src: ssh_config
# Install the system-wide known_hosts file, pinning host keys for every user
# on the machine. src is resolved from the files/ directory of this role or
# play.
- name: Known hosts
  become: true
  copy:
    dest: /etc/ssh/ssh_known_hosts
    src: ssh_known_hosts
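# Install the managed sshd_config. The result is registered so the per-distro
# restart tasks only restart sshd when this file actually changed.
- name: SSHD Config
  become: true
  register: sshd_config
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    # Refuse to install a configuration that sshd itself rejects; otherwise a
    # syntax error would only surface when the restart task takes sshd down,
    # leaving the host unreachable.
    validate: /usr/sbin/sshd -t -f %s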
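# Create the directory for sshd Include snippets. It is presumably read via an
# Include directive in the managed sshd_config, so it must be root-owned and
# not group- or world-writable: anything dropped here becomes sshd
# configuration.
- name: Allow SSHD Includes
  become: true
  file:
    path: /etc/ssh/includes
    state: directory
    # The file module's parameter is `owner`; `user` is not accepted.
    owner: root
    group: root
    # Quoted so YAML does not read the octal literal as the integer 493.
    mode: "0755"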
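# Restart sshd on Arch-family hosts, but only when the registered sshd_config
# copy reported a change. The unit is "sshd" here and "ssh" on Debian.
# enabled ensures the service also starts at boot.
- name: Restart SSHD (ArchLinux)
  become: true
  when: ansible_os_family == "Archlinux" and sshd_config.changed
  service:
    name: sshd
    state: restarted
    enabled: true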
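# Restart sshd on Debian-family hosts, but only when the registered
# sshd_config copy reported a change. The unit is "ssh" here and "sshd" on
# Arch. enabled ensures the service also starts at boot.
- name: Restart SSHD (Raspbian)
  become: true
  when: ansible_os_family == "Debian" and sshd_config.changed
  service:
    name: ssh
    state: restarted
    enabled: true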