blse2-public/common-debian/tasks/ssh.yml

---
- name: install ssh configuration files
  template:
    src: "{{ item }}.j2"
    dest: "/{{ item }}"
    mode: 0644
  notify:
    - restart ssh
  loop:
    - etc/ssh/ssh_config
    - etc/ssh/sshd_config
    - etc/ssh/shosts.equiv
    - etc/ssh/ssh_known_hosts
    - etc/pam.d/sshd

- name: clean up unwanted ssh host keys (DSA and ECDSA)
  file:
    name: "{{ item }}"
    state: absent
  notify:
    - restart ssh
  loop:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub

- name: correct permissions on host keys
  file:
    dest: "{{ item.name }}"
    mode: "{{ item.mode }}"
  loop:
    - name: /etc/ssh/ssh_host_rsa_key
      mode: "0600"
    - name: /etc/ssh/ssh_host_rsa_key.pub
      mode: "0644"
    - name: /etc/ssh/ssh_host_ed25519_key
      mode: "0600"
    - name: /etc/ssh/ssh_host_ed25519_key.pub
      mode: "0644"

- name: install fail2ban configuration files
  template:
    src: "{{ item }}.j2"
    dest: "/{{ item }}"
    mode: 0644
  notify:
    - restart fail2ban
  loop:
    - etc/fail2ban/action.d/route.conf
    - etc/fail2ban/filter.d/sshd.conf
    - etc/fail2ban/jail.d/global.local
    - etc/fail2ban/jail.d/sshd.conf
    - etc/fail2ban/jail.d/sshd.local

- meta: flush_handlers
Add debian common role 2023-05-05 15:47:27 -04:00			`---`
			`- name: install ssh configuration files`
			`template:`
			`src: "{{ item }}.j2"`
			`dest: "/{{ item }}"`
			`mode: 0644`
			`notify:`
			`- restart ssh`
			`loop:`
			`- etc/ssh/ssh_config`
			`- etc/ssh/sshd_config`
			`- etc/ssh/shosts.equiv`
			`- etc/ssh/ssh_known_hosts`
			`- etc/pam.d/sshd`

			`- name: clean up unwanted ssh host keys (DSA and ECDSA)`
			`file:`
			`name: "{{ item }}"`
			`state: absent`
			`notify:`
			`- restart ssh`
			`loop:`
			`- /etc/ssh/ssh_host_dsa_key`
			`- /etc/ssh/ssh_host_dsa_key.pub`
			`- /etc/ssh/ssh_host_ecdsa_key`
			`- /etc/ssh/ssh_host_ecdsa_key.pub`

			`- name: correct permissions on host keys`
			`file:`
			`dest: "{{ item.name }}"`
			`mode: "{{ item.mode }}"`
			`loop:`
			`- name: /etc/ssh/ssh_host_rsa_key`
			`mode: "0600"`
			`- name: /etc/ssh/ssh_host_rsa_key.pub`
			`mode: "0644"`
			`- name: /etc/ssh/ssh_host_ed25519_key`
			`mode: "0600"`
			`- name: /etc/ssh/ssh_host_ed25519_key.pub`
			`mode: "0644"`

			`- name: install fail2ban configuration files`
			`template:`
			`src: "{{ item }}.j2"`
			`dest: "/{{ item }}"`
			`mode: 0644`
			`notify:`
			`- restart fail2ban`
			`loop:`
			`- etc/fail2ban/action.d/route.conf`
			`- etc/fail2ban/filter.d/sshd.conf`
			`- etc/fail2ban/jail.d/global.local`
			`- etc/fail2ban/jail.d/sshd.conf`
			`- etc/fail2ban/jail.d/sshd.local`

			`- meta: flush_handlers`