40 lines
1.2 KiB
YAML
40 lines
1.2 KiB
YAML
---
|
|
- name: Harden SSH Configuration
|
|
hosts: all
|
|
become: true
|
|
vars:
|
|
# Set this to true in Semaphore to allow key-based root login
|
|
# If ALLOW_ROOT_SSH isn't in Semaphore, it defaults to 'false'
|
|
allow_root_ssh: "{{ ALLOW_ROOT__SSH | default(false) | bool }}"
|
|
|
|
|
|
tasks:
|
|
- name: Backup SSH config
|
|
ansible.builtin.copy:
|
|
src: /etc/ssh/sshd_config
|
|
dest: /etc/ssh/sshd_config.bak
|
|
remote_src: true
|
|
mode: '0600'
|
|
|
|
- name: Configure SSH Hardening
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
validate: '/usr/sbin/sshd -t -f %s'
|
|
loop:
|
|
# Disables all password logins
|
|
- { regexp: '^#?PasswordAuthentication', line: "PasswordAuthentication no" }
|
|
# Allows root ONLY if they have a key
|
|
- { regexp: '^#?PermitRootLogin', line: "PermitRootLogin {{ 'prohibit-password' if allow_root_ssh else 'no' }}" }
|
|
# Ensures PubKey is definitely on
|
|
- { regexp: '^#?PubkeyAuthentication', line: "PubkeyAuthentication yes" }
|
|
notify: Restart SSH
|
|
|
|
handlers:
|
|
- name: Restart SSH
|
|
ansible.builtin.service:
|
|
name: ssh
|
|
state: restarted
|