Added cbarts-ssh role
This commit is contained in:
commit
452bee1cf1
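--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -0,0 +1,44 @@
+---
+
+sshd_config_path: /etc/ssh
+
+ssh_port: 22
+ssh_address_family: any
+ssh_listen_addresses:
+- 0.0.0.0
+
+ssh_host_key_file: /etc/ssh/ssh_host_ed25519_key
+
+ssh_allow_groups: ssh
+ssh_login_grace_time: 20
+ssh_permit_root_login: 'no'
+ssh_strict_modes: 'yes'
+ssh_max_auth_tries: 3
+ssh_max_sessions: 2
+
+ssh_pubkey_authentication: 'yes'
+
+ssh_authorized_keys_file: .ssh/authorized_keys
+
+ssh_hostbased_authentication: 'no'
+ssh_password_authentication: 'no'
+ssh_permit_empty_passwords: 'no'
+ssh_challenge_response_authentication: 'no'
+ssh_kerberos_authentication: 'no'
+ssh_gssapi_authentication: 'no'
+ssh_use_pam: 'yes'
+
+ssh_allow_agent_forwarding: 'no'
+ssh_permit_tunnel: 'no'
+
+ssh_x11_forwarding: 'no'
+
+ssh_print_motd: 'no'
+
+ssh_permit_user_env: False
+ssh_accept_env:
+- LANG
+- 'LC_*'
+
+ssh_banner: True
+ssh_banner_file: /etc/issue.net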
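Review bot: `ssh_permit_user_env: False` and `ssh_banner: True` are the only two toggles written as capitalised YAML 1.1 booleans; every other on/off option is a quoted `'yes'`/`'no'` string rendered verbatim into sshd_config, and these two are compared with `== true` in templates/sshd_config.j2, so a user who follows the file's own convention and writes `ssh_banner: 'yes'` silently loses the banner. Write them as `ssh_permit_user_env: false` and `ssh_banner: true`, and add a header comment stating which variables are sshd yes/no strings and which are real booleans. Two defaults also deserve a comment: `ssh_allow_groups: ssh` denies login to every account not in that group, including the Ansible connection user, as soon as the rendered config is loaded, and `ssh_host_key_file` names a single HostKey, so sshd cannot start if that key is absent on the target. `ssh_listen_addresses` defaulting to `0.0.0.0` binds every IPv4 interface; that is the usual default but worth stating in the same comment.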
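--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: Ensure ssh server is installed
+  package:
+    name: openssh-server
+    state: present
+
+- name: Create sshd_config file
+  include_tasks: template_config.yaml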
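Review bot: `package:` installing openssh-server needs root, but `Ensure ssh server is installed` carries no `become: true`, while `Write sshd_config file` in tasks/template_config.yaml is the only task in the role that sets it; either the play already runs with become (and that one flag is redundant) or this install fails on an unprivileged connection. Pick one convention for the role — `become: true` on every privileged task, or none plus a documented expectation that the play escalates — and record it in a comment at the top of this file, e.g. `# All tasks in this role write under /etc and manage sshd; the play is expected to run with become.`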
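--- a/tasks/template_config.yaml
+++ b/tasks/template_config.yaml
@@ -0,0 +1,26 @@
+---
+
+- name: Ensure destination for sshd_config exists
+  file:
+    path: "{{ sshd_config_path }}"
+    state: directory
+
+- name: Write sshd_config file
+  template:
+    src: ../templates/sshd_config.j2
+    dest: "{{ sshd_config_path }}/sshd_config"
+  become: true
+  register: sshd_config_file
+
+- name: Restart service
+  systemd:
+    name: sshd
+    enabled: yes
+    state: restarted
+  when: sshd_config_file.changed
+
+- name: Write banner file
+  template:
+    src: ../templates/issue.net.j2
+    dest: "{{ ssh_banner_file }}"
+  when: ssh_banner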
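Review bot: `Write sshd_config file` has no `validate:` argument, so a rendering that sshd rejects (a mistyped variable value, a directive unsupported by the installed OpenSSH) is written to `{{ sshd_config_path }}/sshd_config` and `Restart service` then restarts sshd on it; the restart fails and remote access to the host is lost. Add `validate: /usr/sbin/sshd -t -f %s` and an explicit `mode: "0600"` to the template task so the file is syntax-checked before it replaces the live config. `become: true` appears only on that task, yet `file:` on the config directory, `systemd:` and the banner write also need root, so the flag is either missing on those tasks or redundant here. `enabled: yes` should be `enabled: true`, and the restart is more idiomatic as a handler notified by the template task than a task gated on `sshd_config_file.changed`. The unit name `sshd` may not resolve on Debian-family hosts, which templates/sshd_config.j2 explicitly supports and where the unit is `ssh`; worth confirming on such a target.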
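--- a/templates/issue.net.j2
+++ b/templates/issue.net.j2
@@ -0,0 +1,26 @@
+***************************************************************************
+NOTICE TO USERS
+
+
+This computer system is the private property of its owner, whether
+individual, corporate or government. It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials. Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************
+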
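--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -0,0 +1,54 @@
+# {{ ansible_managed }}
+
+Port {{ ssh_port }}
+AddressFamily {{ ssh_address_family }}
+{% for a in ssh_listen_addresses %}
+ListenAddress {{ a }}
+{% endfor %}
+
+HostKey {{ ssh_host_key_file }}
+
+AllowGroups {{ ssh_allow_groups }}
+LoginGraceTime {{ ssh_login_grace_time }}
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes {{ ssh_strict_modes }}
+MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions {{ ssh_max_sessions }}
+
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+AuthorizedKeysFile {{ ssh_authorized_keys_file }}
+
+HostbasedAuthentication {{ ssh_hostbased_authentication }}
+
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitEmptyPasswords {{ ssh_permit_empty_passwords }}
+ChallengeResponseAuthentication {{ ssh_challenge_response_authentication }}
+KerberosAuthentication {{ ssh_kerberos_authentication }}
+GSSAPIAuthentication {{ ssh_gssapi_authentication }}
+UsePAM {{ ssh_use_pam }}
+
+AllowAgentForwarding {{ ssh_allow_agent_forwarding }}
+PermitTunnel {{ ssh_permit_tunnel }}
+
+X11Forwarding {{ ssh_x11_forwarding }}
+PrintMotd {{ ssh_print_motd }}
+
+{% if ssh_banner == true %}
+Banner {{ ssh_banner_file }}
+{% endif %}
+
+{% if ssh_permit_user_env == true %}
+PermitUserEnvironment yes
+
+{% for e in ssh_accept_env %}
+AcceptEnv {{ e }}
+{% endfor %}
+{% else %}
+PermitUserEnvironment no
+{% endif %}
+
+{% if ansible_facts['os_family'] == 'RedHat' %}
+Subsystem sftp /usr/libexec/openssh/sftp-server
+{% elif ansible_facts['os_family'] == 'Debian' %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}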
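Review bot: `AcceptEnv` is emitted only inside `{% if ssh_permit_user_env == true %}`, but the two directives are independent in sshd: `AcceptEnv` selects which client-sent variables (`LANG`, `LC_*`) the server accepts, while `PermitUserEnvironment` governs `~/.ssh/environment` and `environment=` options in authorized_keys and is the one that should stay `no`. With this role's defaults `ssh_accept_env` is therefore never rendered, and the only way to get locale forwarding is to enable the riskier option. Render `AcceptEnv` unconditionally and derive `PermitUserEnvironment` from the variable; use `| bool` instead of `== true` here and in `{% if ssh_banner == true %}` so a quoted `'yes'`, the convention for every other variable in defaults/main.yaml, is honoured. `ChallengeResponseAuthentication` has been a deprecated alias of `KbdInteractiveAuthentication` since OpenSSH 8.7; it is still accepted, so this is a note only.
```jinja
{# … unchanged: directives through PrintMotd and the Banner block … #}
PermitUserEnvironment {{ 'yes' if ssh_permit_user_env | bool else 'no' }}

{% for e in ssh_accept_env %}
AcceptEnv {{ e }}
{% endfor %}
{# … unchanged: Subsystem sftp selection … #}
```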