commit 452bee1cf1775e2654567f9f64132468a4e6690b
Author: Corbin Bartsch <me@cbarts.net>
Date:   Mon Apr 4 00:28:09 2022 -0400

    Added cbarts-ssh role

diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..d342715
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,44 @@
+---
+
+sshd_config_path: /etc/ssh
+
+ssh_port: 22
+ssh_address_family: any
+ssh_listen_addresses: 
+  - 0.0.0.0
+
+ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
+
+ssh_allow_groups: ssh
+ssh_login_grace_time: 20
+ssh_permit_root_login: 'no'
+ssh_strict_modes: 'yes'
+ssh_max_auth_tries: 3
+ssh_max_sessions: 2
+
+ssh_pubkey_authentication: 'yes'
+
+ssh_authorized_keys_file: .ssh/authorized_keys
+
+ssh_hostbased_authentication: 'no'
+ssh_password_authentication: 'no'
+ssh_permit_empty_passwords: 'no'
+ssh_challenge_response_authentication: 'no'
+ssh_kerberos_authentication: 'no'
+ssh_gssapi_authentication: 'no'
+ssh_use_pam: 'yes'
+
+ssh_allow_agent_forwarding: 'no'
+ssh_permit_tunnel: 'no'
+
+ssh_x11_forwarding: 'no'
+
+ssh_print_motd: 'no'
+
+ssh_permit_user_env: False
+ssh_accept_env:
+  - LANG
+  - 'LC_*'
+
+ssh_banner: True
+ssh_banner_file: /etc/issue.net
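Review bot: `ssh_permit_user_env: False` and `ssh_banner: True` are the only two values in this file written as YAML booleans; every other sshd switch is a quoted `'yes'`/`'no'` string, and sshd_config.j2 tests these two with `== true`, so an operator who overrides them in the file's own quoting style (`ssh_banner: 'yes'`) silently gets no banner and no change. Write them canonically as `ssh_permit_user_env: false` and `ssh_banner: true` (yamllint `truthy`), and note the trailing space after `ssh_listen_addresses:` on line 19. `ssh_listen_addresses: [0.0.0.0]` together with `ssh_address_family: any` binds IPv4 only, which reads as unintended; a comment such as `# 0.0.0.0 binds IPv4 only; add "::" for IPv6` or dropping the list so sshd listens on all addresses would make the intent explicit. `ssh_allow_groups: ssh` is a lockout risk the role does not guard against, since no task creates that group or adds a user to it; a comment `# group must exist before this role runs or no interactive login will be possible` belongs here.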
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..ef7e14c
--- /dev/null
+++ b/tasks/main.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: Ensure ssh server is installed
+  package:
+    name: openssh-server
+    state: present
+
+- name: Create sshd_config file
+  include_tasks: template_config.yaml
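Review bot: The `package` task installs openssh-server without `become: true`, so it fails unless the whole play already escalates. The same inconsistency runs through tasks/template_config.yaml, where only the "Write sshd_config file" task has `become: true` while the directory, systemd and banner tasks do not, yet all of them write under /etc or restart a unit. Either add `become: true` to each of those tasks or document at the top of this file that the role expects to be invoked with `become` at play level, e.g. `# This role must run with become: true (installs packages, writes /etc/ssh, restarts sshd).`.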
diff --git a/tasks/template_config.yaml b/tasks/template_config.yaml
new file mode 100644
index 0000000..33ca2f3
--- /dev/null
+++ b/tasks/template_config.yaml
@@ -0,0 +1,26 @@
+---
+
+- name: Ensure destination for sshd_config exists
+  file:
+    path: "{{ sshd_config_path }}"
+    state: directory
+
+- name: Write sshd_config file
+  template:
+    src: ../templates/sshd_config.j2
+    dest: "{{ sshd_config_path }}/sshd_config"
+  become: true
+  register: sshd_config_file
+
+- name: Restart service
+  systemd:
+    name: sshd
+    enabled: yes
+    state: restarted
+  when: sshd_config_file.changed
+
+- name: Write banner file
+  template:
+    src: ../templates/issue.net.j2
+    dest: "{{ ssh_banner_file }}"
+  when: ssh_banner
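Review bot: The template task writes sshd_config and the next task restarts sshd on change with no validation step, so a typo in any overridden variable (for example `ssh_permit_root_login: 'nope'`) produces a config sshd refuses to load, the restart fails, and remote access to the host is lost; add `validate: 'sshd -t -f %s'` to the `template:` module (the rendered HostKey path is absolute, so the check works on the temp file). `enabled: yes` on the systemd task should be `enabled: true`. The banner file is rendered after the restart, so on a first run sshd is restarted with `Banner /etc/issue.net` pointing at a file that may not exist yet; moving "Write banner file" before "Restart service" (or adding `notify`/handler semantics) removes the ordering dependency. The unit is addressed as `sshd` while the template explicitly targets Debian, where the canonical unit is `ssh` and `sshd` is only an alias; worth confirming on a Debian host.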
diff --git a/templates/issue.net.j2 b/templates/issue.net.j2
new file mode 100644
index 0000000..90a838c
--- /dev/null
+++ b/templates/issue.net.j2
@@ -0,0 +1,26 @@
+***************************************************************************
+                            NOTICE TO USERS
+
+
+This computer system is the private property of its owner, whether
+individual, corporate or government.  It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials.  Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************
+
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
new file mode 100644
index 0000000..ca7fa41
--- /dev/null
+++ b/templates/sshd_config.j2
@@ -0,0 +1,54 @@
+# {{ ansible_managed }}
+
+Port {{ ssh_port }}
+AddressFamily {{ ssh_address_family }}
+{% for a in ssh_listen_addresses %}
+ListenAddress {{ a }}
+{% endfor %}
+
+HostKey {{ ssh_host_key_file }}
+
+AllowGroups {{ ssh_allow_groups }}
+LoginGraceTime {{ ssh_login_grace_time }}
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes {{ ssh_strict_modes }}
+MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions {{ ssh_max_sessions }}
+
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+AuthorizedKeysFile {{ ssh_authorized_keys_file }}
+
+HostbasedAuthentication {{ ssh_hostbased_authentication }}
+
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitEmptyPasswords {{ ssh_permit_empty_passwords }}
+ChallengeResponseAuthentication {{ ssh_challenge_response_authentication }}
+KerberosAuthentication {{ ssh_kerberos_authentication }}
+GSSAPIAuthentication {{ ssh_gssapi_authentication }}
+UsePAM {{ ssh_use_pam }}
+
+AllowAgentForwarding {{ ssh_allow_agent_forwarding }}
+PermitTunnel {{ ssh_permit_tunnel }}
+
+X11Forwarding {{ ssh_x11_forwarding }}
+PrintMotd {{ ssh_print_motd }}
+
+{% if ssh_banner == true %}
+Banner {{ ssh_banner_file }}
+{% endif %}
+
+{% if ssh_permit_user_env == true %}
+PermitUserEnvironment yes
+
+{% for e in ssh_accept_env %}
+AcceptEnv {{ e }}
+{% endfor %}
+{% else %}
+PermitUserEnvironment no
+{% endif %}
+
+{% if ansible_facts['os_family'] == 'RedHat' %}
+Subsystem sftp	/usr/libexec/openssh/sftp-server
+{% elif ansible_facts['os_family'] == 'Debian' %}
+Subsystem sftp	/usr/lib/openssh/sftp-server
+{% endif %}
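Review bot: The `AcceptEnv` loop at lines 184–186 is nested inside the `PermitUserEnvironment` branch, but the two directives are independent in sshd (PermitUserEnvironment governs ~/.ssh/environment and `environment=` key options; AcceptEnv governs which client-sent variables are accepted), so with the shipped default `ssh_permit_user_env: False` the `ssh_accept_env` list (LANG, LC_*) is never rendered at all. Move the loop out of the conditional and drive both `== true` comparisons through `| bool` so a string override such as `'yes'` is handled the same as a boolean; the `ssh_banner` test at line 177 becomes `{% if ssh_banner | bool %}`. Note also that `ChallengeResponseAuthentication` is a deprecated alias for `KbdInteractiveAuthentication` on recent OpenSSH releases; it still parses, but a comment `# alias for KbdInteractiveAuthentication on OpenSSH >= 8.7` would save the next reader a lookup.

```jinja
{# … unchanged: header through Banner block … #}

{% if ssh_permit_user_env | bool %}
PermitUserEnvironment yes
{% else %}
PermitUserEnvironment no
{% endif %}

{% for e in ssh_accept_env %}
AcceptEnv {{ e }}
{% endfor %}

{# … unchanged: Subsystem sftp selection … #}
```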