ansible_role_sshd/tasks/main.yml

---
- name: Create directory for versionscheck
  become: true
  file:
    path: '/etc/ansible-version'
    state: directory
    mode: 0755
  when: submodules_versioncheck

- name: check playbook version
  become: true
  slurp:
    src: "{{ playbook_version_path }}"
  register: playbook_version 
  when: submodules_versioncheck
  ignore_errors: yes

- name: Print version
  debug:
    msg: "Remote playbook version: '{{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}'. Local playbook version: '{{ playbook_version_number|string }}'."
  when: submodules_versioncheck

- name: Check if your version is outdated
  fail:
    msg: "Your current ansible module has the version '{{ playbook_version_number }}' and is outdated. Please update it at least to version '{{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode }}'!"
  when: 
    - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck 

- name: write new version to remote disk
  become: true
  copy:
    content: "{{ playbook_version_number }}"
    dest: "{{ playbook_version_path }}"
  when: submodules_versioncheck

- name: register os-specific variables
  include_vars: default.yml
  when: 
   - ansible_distribution != 'Fedora'
   - ansible_distribution != 'Archlinux'

- name: register os-specific variables
  include_vars: "{{ ansible_distribution }}.yml"
  when: 
   - ansible_distribution == 'Fedora'
   - ansible_distribution == 'Archlinux'

- name: Collect all users and groups allowed to login via ssh
  set_fact:
    sshd_allow_users:  '{{ sshd_default_allowed_users + users.keys() | default({}) | sort }}'
    sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() | default({}) | sort }}'

- name: Copy sshd configuration
  become: yes
  template:
    src: sshd_config.j2
    dest: '/etc/ssh/sshd_config'
    owner: root
    group: root
    mode: 'u=rw,g=r,o=r'
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - restart ssh

- name: Generate new ecdsa ssh host key pair if necessary
  become: yes
  command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q
  args:
    chdir: '/etc/ssh/'
    creates: 'ssh_host_ecdsa_key.pub'
  notify:
    - restart ssh
  when: generate_ecdsa_too

- name: Generate new ed25519 ssh host key pair if necessary
  become: yes
  command: ssh-keygen -t ed25519 -f 'ssh_host_ed25519_key' -P '' -q
  args:
    chdir: '/etc/ssh/'
    creates: 'ssh_host_ed25519_key.pub'
  notify:
    - restart ssh

- name: Remove unwanted host keys
  become: yes
  file:
    path: '/etc/ssh/ssh_host_{{ item }}_key'
    state: absent
  with_items:
    - rsa
    - dsa
  notify:
    - restart ssh
  when: generate_ecdsa_too 

- name: Remove unwanted host keys
  become: yes
  file:
    path: '/etc/ssh/ssh_host_{{ item }}_key'
    state: absent
  with_items:
    - ecdsa
    - rsa
    - dsa
  notify:
    - restart ssh
  when: generate_ecdsa_too == false

- file:
    path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
    state: absent
  become: yes
  with_items:
    - ecdsa
    - rsa
    - dsa
  notify:
    - restart ssh
  when: generate_ecdsa_too == false

- file:
    path: '/etc/ssh/ssh_host_{{ item }}_key.pub'
    state: absent
  become: yes
  with_items:
    - rsa
    - dsa
  notify:
    - restart ssh
  when: generate_ecdsa_too
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`---`
Add versioncheck 2019-05-15 11:41:00 +02:00			`- name: Create directory for versionscheck`
			`become: true`
			`file:`
			`path: '/etc/ansible-version'`
			`state: directory`
			`mode: 0755`
			`when: submodules_versioncheck`

			`- name: check playbook version`
			`become: true`
			`slurp:`
			`src: "{{ playbook_version_path }}"`
			`register: playbook_version`
			`when: submodules_versioncheck`
			`ignore_errors: yes`

			`- name: Print version`
			`debug:`
			`msg: "Remote playbook version: '{{ playbook_version.content \| default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') \| b64decode \| string }}'. Local playbook version: '{{ playbook_version_number\|string }}'."`
			`when: submodules_versioncheck`

			`- name: Check if your version is outdated`
			`fail:`
			`msg: "Your current ansible module has the version '{{ playbook_version_number }}' and is outdated. Please update it at least to version '{{ playbook_version.content \| default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') \| b64decode }}'!"`
			`when:`
			`- playbook_version.content\|default("Mgo=")\|b64decode\|int - 1 >= playbook_version_number\|int and submodules_versioncheck`

			`- name: write new version to remote disk`
			`become: true`
			`copy:`
			`content: "{{ playbook_version_number }}"`
			`dest: "{{ playbook_version_path }}"`
			`when: submodules_versioncheck`
On Fedora it is sshd 2018-11-16 11:44:36 +01:00
			`- name: register os-specific variables`
			`include_vars: default.yml`
Arch support and use become: yes 2019-02-20 11:54:02 +01:00			`when:`
			`- ansible_distribution != 'Fedora'`
			`- ansible_distribution != 'Archlinux'`
On Fedora it is sshd 2018-11-16 11:44:36 +01:00
			`- name: register os-specific variables`
			`include_vars: "{{ ansible_distribution }}.yml"`
Arch support and use become: yes 2019-02-20 11:54:02 +01:00			`when:`
			`- ansible_distribution == 'Fedora'`
			`- ansible_distribution == 'Archlinux'`
On Fedora it is sshd 2018-11-16 11:44:36 +01:00
Automatically compose allowed users and groups lists 2018-03-16 04:54:02 +01:00			`- name: Collect all users and groups allowed to login via ssh`
			`set_fact:`
allow dynamic user configuration 2019-03-27 14:23:41 +01:00			`sshd_allow_users: '{{ sshd_default_allowed_users + users.keys() \| default({}) \| sort }}'`
Add ssh group variable 2019-03-27 15:16:55 +01:00			`sshd_allow_groups: '{{ sshd_default_allowed_groups + users.keys() \| default({}) \| sort }}'`
Automatically compose allowed users and groups lists 2018-03-16 04:54:02 +01:00
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`- name: Copy sshd configuration`
forece sudo 2019-03-06 10:06:08 +01:00			`become: yes`
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`template:`
Improve SSHD config 2019-04-09 22:13:59 +02:00			`src: sshd_config.j2`
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`dest: '/etc/ssh/sshd_config'`
			`owner: root`
			`group: root`
			`mode: 'u=rw,g=r,o=r'`
			`validate: /usr/sbin/sshd -t -f %s`
Generate new ed25519 host key if necessary 2018-03-08 18:48:33 +01:00			`notify:`
			`- restart ssh`

Make sure ssh is more secure and more customizable 2019-04-09 22:03:00 +02:00			`- name: Generate new ecdsa ssh host key pair if necessary`
			`become: yes`
			`command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q`
			`args:`
			`chdir: '/etc/ssh/'`
			`creates: 'ssh_host_ecdsa_key.pub'`
			`notify:`
			`- restart ssh`
			`when: generate_ecdsa_too`
Generate new ed25519 host key if necessary 2018-03-08 18:48:33 +01:00
			`- name: Generate new ed25519 ssh host key pair if necessary`
forece sudo 2019-03-06 10:06:08 +01:00			`become: yes`
Generate new ed25519 host key if necessary 2018-03-08 18:48:33 +01:00			`command: ssh-keygen -t ed25519 -f 'ssh_host_ed25519_key' -P '' -q`
			`args:`
			`chdir: '/etc/ssh/'`
			`creates: 'ssh_host_ed25519_key.pub'`
			`notify:`
			`- restart ssh`
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00
Make sure ssh is more secure and more customizable 2019-04-09 22:03:00 +02:00			`- name: Remove unwanted host keys`
			`become: yes`
			`file:`
			`path: '/etc/ssh/ssh_host_{{ item }}_key'`
			`state: absent`
			`with_items:`
			`- rsa`
			`- dsa`
			`notify:`
			`- restart ssh`
			`when: generate_ecdsa_too`

Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`- name: Remove unwanted host keys`
forece sudo 2019-03-06 10:06:08 +01:00			`become: yes`
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`file:`
			`path: '/etc/ssh/ssh_host_{{ item }}_key'`
			`state: absent`
			`with_items:`
			`- ecdsa`
			`- rsa`
			`- dsa`
Generate new ed25519 host key if necessary 2018-03-08 18:48:33 +01:00			`notify:`
			`- restart ssh`
Make sure ssh is more secure and more customizable 2019-04-09 22:03:00 +02:00			`when: generate_ecdsa_too == false`
Minor changes 2019-01-08 14:12:27 +01:00
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`- file:`
			`path: '/etc/ssh/ssh_host_{{ item }}_key.pub'`
			`state: absent`
forece sudo 2019-03-06 10:06:08 +01:00			`become: yes`
Simple and secure openssh server configuration 2018-03-07 03:28:23 +01:00			`with_items:`
			`- ecdsa`
			`- rsa`
			`- dsa`
Generate new ed25519 host key if necessary 2018-03-08 18:48:33 +01:00			`notify:`
			`- restart ssh`
Make sure ssh is more secure and more customizable 2019-04-09 22:03:00 +02:00			`when: generate_ecdsa_too == false`
On Fedora it is sshd 2018-11-16 11:44:36 +01:00
Make sure ssh is more secure and more customizable 2019-04-09 22:03:00 +02:00			`- file:`
			`path: '/etc/ssh/ssh_host_{{ item }}_key.pub'`
			`state: absent`
			`become: yes`
			`with_items:`
			`- rsa`
			`- dsa`
			`notify:`
			`- restart ssh`
			`when: generate_ecdsa_too`