authorRomain Gonçalves <me@rgoncalves.se>2022-12-12 22:51:55 +0100
committerRomain Gonçalves <me@rgoncalves.se>2022-12-17 17:02:24 +0100
commit970a107492c31a43bb77f6f5e0096b41adc2c2f4 (patch)
tree614ee1b08379eb5838aaf004e58f31880127bc9d /roles/sshd
parentdb698b595e7ff088c96d00ef5285a0d634aff1be (diff)
downloadrules-970a107492c31a43bb77f6f5e0096b41adc2c2f4.tar.gz
refactor: split sshd and ssh key synchronization
Diffstat (limited to 'roles/sshd')
-rw-r--r--roles/sshd/defaults/main.yml5
-rw-r--r--roles/sshd/tasks/main.yml13
-rw-r--r--roles/sshd/tasks/synchronize_keys.yml20
-rw-r--r--roles/sshd/templates/sshd_config.j27
4 files changed, 18 insertions, 27 deletions
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..87933b9
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+sshd_configuration_file: /etc/ssh/sshd_config
+sshd_listen_port: 22
+sshd_enable_x11_forwarding: false
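Review bot: `sshd_configuration_file` is introduced here but nothing in this commit reads it; the template task in `roles/sshd/tasks/main.yml` (next hunk) still hard-codes `dest: /etc/ssh/sshd_config`, so a user overriding the variable gets no effect. Either wire it through with `dest: "{{ sshd_configuration_file }}"` or drop the default rather than advertise a knob the role ignores. A one-line comment above each default would also help: what `sshd_listen_port` controls and that it presumably has to match the port Ansible connects on once sshd is restarted, and that `sshd_enable_x11_forwarding` is rendered into the `X11Forwarding` directive.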
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index df5d845..b895958 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,15 +1,18 @@
---
+- name: install openssh
+ ansible.builtin.package:
+ name: openssh
+ state: present
+ when: ansible_distribution in ["Archlinux"]
+
- name: generate sshd configuration
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: 0
group: 0
- mode: 0644
-
-- name: include key synchronization tasks
- ansible.builtin.include_tasks: synchronize_keys.yml
+ mode: "0644"
- name: enable and restart sshd
ansible.builtin.service:
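Review bot: The template task writes the new `sshd_config` and the following task restarts sshd unconditionally, so a rendering mistake (an unset variable, a typo in the Jinja) leaves the host unreachable with no way back over SSH; the template module supports `validate: /usr/sbin/sshd -t -f %s`, which makes sshd parse the rendered file before it replaces the live one and fails the task instead. Minor style point: the blank line separating the template task from `- name: enable and restart sshd` was dropped along with the removed include, so the two tasks now run together at `mode: "0644"`. The `enable and restart sshd` task continues beyond this hunk.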
@@ -19,6 +22,6 @@
- name: check ssh connection
ansible.builtin.wait_for:
- port: "{{ ansible_port }}"
+ port: "{{ sshd_listen_port }}"
delay: 1
state: started
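Review bot: Switching this check to `sshd_listen_port` decouples it from the port Ansible itself connects on: `wait_for` with only `port` set probes the module's default host (127.0.0.1) on the managed node, so if `sshd_listen_port` is overridden to something other than `ansible_port` this task passes while every later task fails to reconnect. Worth guarding early in the role with `ansible.builtin.assert` on `sshd_listen_port | int == (ansible_port | default(22)) | int`, or at least stating the coupling in a comment in `defaults/main.yml`.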
diff --git a/roles/sshd/tasks/synchronize_keys.yml b/roles/sshd/tasks/synchronize_keys.yml
deleted file mode 100644
index 32f6b5a..0000000
--- a/roles/sshd/tasks/synchronize_keys.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-- name: get ssh keys for all users
- ansible.builtin.find:
- paths: files/keys
- file_type: link
- recurse: true
- delegate_to: localhost
- run_once: true
- register: result
-
-- name: synchronize ssh keys
- ansible.posix.authorized_key:
- user: "{{ item.path | dirname | basename }}"
- state: present
- key: "{{ lookup('file', item.path) }}"
- loop_control:
- label: "{{ item.path }} -> user: {{ item.path | dirname | basename }}"
- loop: "{{ result.files }}"
- failed_when: false
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index f40e160..b8affa8 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -1,7 +1,7 @@
# managed by Ansible
# network
-Port {{ ansible_port }}
+Port {{ sshd_listen_port }}
# security
PermitRootLogin yes
@@ -13,13 +13,16 @@ AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 180
+X11Forwarding {{ "yes" if sshd_enable_x11_forwarding else "no" }}
-{% if ansible_facts["os_family"] == "Debian" %}
+{% if ansible_distribution == "Debian" %}
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
UsePrivilegeSeparation sandbox
+{% elif ansible_distribution == "Archlinux" %}
+Subsystem sftp /usr/lib/ssh/sftp-server
{% else %}
Subsystem sftp /usr/libexec/sftp-server
{% endif %}
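Review bot: Replacing `ansible_facts["os_family"] == "Debian"` with `ansible_distribution == "Debian"` narrows the branch to Debian proper; Debian-derived hosts such as Ubuntu report `ansible_distribution == "Ubuntu"` with `ansible_os_family == "Debian"`, so they now fall through to the `else` branch and get `/usr/libexec/sftp-server` plus none of the Debian-specific directives, which looks like an unintended regression. Using the family fact keeps the old behaviour and also covers Arch derivatives: `{% if ansible_os_family == "Debian" %}` and `{% elif ansible_os_family == "Archlinux" %}`. The same applies to the `when: ansible_distribution in ["Archlinux"]` condition on the new install task in `tasks/main.yml`, which would skip installing the package on Arch derivatives.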