| -rw-r--r-- | ansible/roles/common/handlers/main.yml | 8 | ||||
| -rw-r--r-- | ansible/roles/common/meta/main.yml | 3 | ||||
| -rw-r--r-- | ansible/roles/common/tasks/main.yml | 17 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/meta/main.yml | 3 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/tasks/main.yml | 15 | ||||
| -rw-r--r-- | ansible/roles/ssh/handlers/main.yml | 7 | 
6 files changed, 45 insertions, 8 deletions
| diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 68db0ad..2b4beea 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -1,10 +1,4 @@
-- name: Reload ssh
-  service:
-    name: ssh
-    state: reloaded
-  tags:
-    - role::common
-
+---
 - name: Restart systemd-timesyncd
   service:
     name: systemd-timesyncd
diff --git a/ansible/roles/common/meta/main.yml b/ansible/roles/common/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/common/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - ssh
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 4cfae85..8b5fd19 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -14,16 +14,31 @@
   tags:
     - role::common
 
+# Temporary cleanup task. Can be removed later.
+- name: Remove old SSH daemon options file
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d/pydis.conf
+    state: absent
+  tags:
+    - role::common
+
 - name: Configure SSH daemon options
   ansible.builtin.copy:
     content: |
       # Ansible managed
+      # Logins
       PasswordAuthentication no
       PermitRootLogin no
+
+      # Forwarding
+      AllowAgentForwarding no
+      X11Forwarding no
+
+      # Connection keepalive
       ClientAliveInterval 300
       ClientAliveCountMax 3
-    dest: /etc/ssh/sshd_config.d/pydis.conf
+    dest: /etc/ssh/sshd_config.d/hardening.conf
     owner: root
     group: root
     mode: "0444"
diff --git a/ansible/roles/pydis-users/meta/main.yml b/ansible/roles/pydis-users/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/pydis-users/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - ssh
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
index 8378af8..c9642d7 100644
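Review bot: The `Configure SSH daemon options` copy task writes `hardening.conf` into `sshd_config.d` with no `validate:` step, so a mistyped directive is only discovered when the `Reload ssh` handler fires, and a reload against an invalid config can leave sshd down and the host unreachable; add `validate: /usr/sbin/sshd -t -f %s` to the task so the drop-in is rejected before it replaces the file. The task's remaining keys continue past the end of the hunk, so whether it still notifies `Reload ssh` is not visible here; the new `Remove old SSH daemon options file` task carries no `notify`, which is only safe because the copy task that follows is expected to trigger the reload in the same run.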
--- a/ansible/roles/pydis-users/tasks/main.yml
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -25,3 +25,18 @@
   loop: "{{ pydis_users__users | dict2items }}"
   tags:
     - role::pydis-users
+
+- name: Allow SSH logins for pydis users
+  ansible.builtin.copy:
+    content: |
+      # Ansible managed
+
+      AllowUsers {{ pydis_users__users | sort | join(' ') }}
+    dest: /etc/ssh/sshd_config.d/pydis-users-login.conf
+    owner: root
+    group: root
+    mode: "0444"
+  notify:
+    - Reload ssh
+  tags:
+    - role::pydis-users
diff --git a/ansible/roles/ssh/handlers/main.yml b/ansible/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..7b582d9
--- /dev/null
+++ b/ansible/roles/ssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload ssh
+  service:
+    name: ssh
+    state: reloaded
+  tags:
+    - role::ssh
|
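Review bot: The `Allow SSH logins for pydis users` task renders `AllowUsers` unconditionally, so an empty `pydis_users__users` produces a bare `AllowUsers` line that sshd rejects, and the `Reload ssh` it notifies can then take the daemon down and lock everyone out; guard the task with `when: pydis_users__users | length > 0` (or `assert` a non-empty dict earlier in the role) and add `validate: /usr/sbin/sshd -t -f %s` to the copy so a malformed drop-in never reaches `sshd_config.d`. Separately, `AllowUsers` denies SSH to every account not listed, including the user Ansible itself connects as and any break-glass account, so that user must always be a key of `pydis_users__users` or be appended to the pattern list before this is rolled out. The `sort` filter on a dict yields its keys, which is what `join(' ')` needs, but a comment such as `# sort yields the dict's keys (usernames)` would make that intent explicit.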
