Diffstat (limited to 'roles/sshd/tasks/main.yml')
-rw-r--r--roles/sshd/tasks/main.yml41
1 files changed, 41 insertions, 0 deletions
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index e601969..ff77c40 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -3,6 +3,20 @@
[ "{{ sshd_version }}" = "1" ] || \
(echo "Unexpected version {{ sshd_version }}" 1>&2; exit 1)
+- name: "sshd role configuration sanity check"
+ when: not sshd_allow_authorized_keys and sshd_user_ca_pub is not defined
+ shell: |
+ echo "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub"
+ exit 1
+
+- name: "Configure SSH server to read config files in sshd_config.d"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "Include /etc/ssh/sshd_config.d"
+ line: "Include /etc/ssh/sshd_config.d/*.conf"
+ insertbefore: BOF
+ notify: sshd_restart
+
- name: "Set SSH host identity"
when: sshd_host_key is defined and sshd_host_cert is defined
copy:
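Review bot: The Include task's `regexp: "Include /etc/ssh/sshd_config.d"` is unanchored, so it also matches a commented-out stock line such as `#Include /etc/ssh/sshd_config.d/*.conf`, and lineinfile rewrites the line at that position instead of honouring `insertbefore: BOF`; since sshd takes the first value it reads for most keywords, a drop-in that lands below an existing directive in sshd_config silently loses to it. Anchoring it to an active directive, `regexp: '^\s*Include\s+/etc/ssh/sshd_config\.d/'`, keeps a commented line from being treated as the match, and the task deserves a comment stating that BOF placement is what lets the `.d` files override the main config. The sanity-check task would also be clearer as the native module, `fail:` with `msg: "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub"`, rather than a shell `echo`/`exit 1`; and its `when` presumably errors on an undefined `sshd_allow_authorized_keys` rather than failing with that message — worth confirming, or guarding with `sshd_allow_authorized_keys | default(false)`.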
@@ -32,6 +46,30 @@
dest: /etc/ssh/sshd_config.d/host_id.conf
notify: sshd_restart
+- name: "Remove old host key settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)hostkey"
+ notify: sshd_restart
+
+- name: "Remove old host cert settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)hostcertificate"
+ notify: sshd_restart
+
+- name: "Remove old user CA settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)trustedusercakeys"
+ notify: sshd_restart
+
- name: "Remove obsolete SSH host keys and certificates"
when: sshd_host_key is defined and sshd_host_cert is defined
shell: |
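Review bot: The three `state: absent` removals match any line containing the substring anywhere, case-insensitively, so `regex: "(?i)hostkey"` also deletes an operator's `HostKeyAlgorithms` or `HostKeyAgent` hardening line, and all three will strip comments that merely mention the keyword; lineinfile removes every matching line, not just the first. Anchoring to the directive at line start limits the blast radius: `regex: '(?i)^\s*hostkey\s'`, `regex: '(?i)^\s*hostcertificate\s'`, `regex: '(?i)^\s*trustedusercakeys\s'`. The TrustedUserCAKeys removal is gated on `sshd_host_key`/`sshd_host_cert` rather than on `sshd_user_ca_pub`, which looks like a copy of the guard above it — if the intent is to move user-CA trust into the drop-in, the condition should reference the CA variable. Note too that this hunk uses `regex:` while the first hunk uses `regexp:`; one spelling throughout would help readers, and the key name should be confirmed against the lineinfile version in use.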
@@ -69,3 +107,6 @@
AuthorizedKeysFile none
dest: /etc/ssh/sshd_config.d/authorized_keys.conf
notify: sshd_restart
+
+- name: "Run handlers"
+ meta: flush_handlers
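Review bot: `meta: flush_handlers` restarts sshd before anything has checked that the main file plus every `sshd_config.d/*.conf` drop-in written above still parses, so a malformed fragment (for example the `AuthorizedKeysFile none` file two lines up) leaves the host with sshd down and the operator locked out. A validation task immediately before the flush catches this while the old daemon is still serving: `- name: "Validate sshd configuration before restart"` / `command: /usr/sbin/sshd -t` / `changed_when: false`. A short comment on the meta task, e.g. `# Restart now so later roles/plays talk to the reconfigured daemon`, would also record why the handler is not left to run at the end of the play.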