Diffstat (limited to 'ansible')
-rw-r--r--ansible/roles/common/handlers/main.yml8
-rw-r--r--ansible/roles/common/meta/main.yml3
-rw-r--r--ansible/roles/common/tasks/main.yml17
-rw-r--r--ansible/roles/pydis-users/meta/main.yml3
-rw-r--r--ansible/roles/pydis-users/tasks/main.yml15
-rw-r--r--ansible/roles/ssh/handlers/main.yml7
6 files changed, 45 insertions, 8 deletions
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 68db0ad..2b4beea 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -1,10 +1,4 @@
-- name: Reload ssh
- service:
- name: ssh
- state: reloaded
- tags:
- - role::common
-
+---
- name: Restart systemd-timesyncd
service:
name: systemd-timesyncd
diff --git a/ansible/roles/common/meta/main.yml b/ansible/roles/common/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/common/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - ssh
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 4cfae85..8b5fd19 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -14,16 +14,31 @@
tags:
- role::common
+# Temporary cleanup task. Can be removed later.
+- name: Remove old SSH daemon options file
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/pydis.conf
+ state: absent
+ tags:
+ - role::common
+
- name: Configure SSH daemon options
ansible.builtin.copy:
content: |
# Ansible managed
+ # Logins
PasswordAuthentication no
PermitRootLogin no
+
+ # Forwarding
+ AllowAgentForwarding no
+ X11Forwarding no
+
+ # Connection keepalive
ClientAliveInterval 300
ClientAliveCountMax 3
- dest: /etc/ssh/sshd_config.d/pydis.conf
+ dest: /etc/ssh/sshd_config.d/hardening.conf
owner: root
group: root
mode: "0444"
diff --git a/ansible/roles/pydis-users/meta/main.yml b/ansible/roles/pydis-users/meta/main.yml
new file mode 100644
index 0000000..5526b6b
--- /dev/null
+++ b/ansible/roles/pydis-users/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - ssh
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
index 8378af8..c9642d7 100644
--- a/ansible/roles/pydis-users/tasks/main.yml
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -25,3 +25,18 @@
loop: "{{ pydis_users__users | dict2items }}"
tags:
- role::pydis-users
+
+- name: Allow SSH logins for pydis users
+ ansible.builtin.copy:
+ content: |
+ # Ansible managed
+
+ AllowUsers {{ pydis_users__users | sort | join(' ') }}
+ dest: /etc/ssh/sshd_config.d/pydis-users-login.conf
+ owner: root
+ group: root
+ mode: "0444"
+ notify:
+ - Reload ssh
+ tags:
+ - role::pydis-users
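Review bot: The `AllowUsers` line renders with no names when `pydis_users__users` is empty, and as far as I recall sshd then records no allow-list at all rather than denying everyone, so the restriction silently disappears instead of failing; guard the task with `when: pydis_users__users | length > 0` (or precede it with an `ansible.builtin.assert` on the variable) so an empty inventory value is caught loudly. A malformed drop-in in sshd_config.d can lock every operator out on the next reload, so it is worth adding `validate: /usr/sbin/sshd -t -f %s` to this copy task, and likewise to the "Configure SSH daemon options" task in ansible/roles/common/tasks/main.yml, so the file is syntax-checked before it is installed (the drop-in is checked on its own, so interaction problems with the other fragments are not caught). The `sort` filter over the dict sorts its keys, which is presumably the intended user names given the `dict2items` loop above; a one-line comment saying so, e.g. `# keys of pydis_users__users are the login names`, would help the next reader.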
diff --git a/ansible/roles/ssh/handlers/main.yml b/ansible/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..7b582d9
--- /dev/null
+++ b/ansible/roles/ssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload ssh
+ service:
+ name: ssh
+ state: reloaded
+ tags:
+ - role::ssh
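Review bot: The handler uses the short module name `service:` while the tasks touched by this commit use fully qualified names (`ansible.builtin.copy`, `ansible.builtin.file`); for consistency write `ansible.builtin.service:` here. The unit name `ssh` is the Debian/Ubuntu service name, whereas other distributions call it `sshd`, so if this role is meant to be portable the name should come from a role variable with a comment stating the assumption, e.g. `# assumes Debian-family hosts; the unit is named sshd elsewhere`.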