Diffstat (limited to 'roles/sshd')
-rw-r--r--roles/sshd/README23
-rw-r--r--roles/sshd/defaults/main.yml9
-rw-r--r--roles/sshd/handlers/main.yml4
-rw-r--r--roles/sshd/subplot.md27
-rw-r--r--roles/sshd/tasks/main.yml112
5 files changed, 175 insertions, 0 deletions
diff --git a/roles/sshd/README b/roles/sshd/README
new file mode 100644
index 0000000..4b155c8
--- /dev/null
+++ b/roles/sshd/README
@@ -0,0 +1,23 @@
+This role, sshd, configures an SSH server on a Debian. Specifically
+may:
+
+- set host key and certificate
+- set user CA
+- set port on which server listens
+
+To use, define variables below:
+
+- `sshd_version`---must match the current version for the role
+- `sshd_host_key` and `sshd_host_cert`---the host key and
+ corresponding certificate
+ - note that you must define both for either to work
+ - rationale: there's little point in just setting the host key, as
+ it will still force people to accept it the first time; a host
+ certificate removes that need and allows the key to change at will
+- `sshd_port`---the port where the SSH server should listen
+ - rationale: on public-facing servers, the default port gets tons of
+ login attempts by attackers trying to guess passwords
+- `sshd_user_ca_pub`---the public keys of the SSH CAs trusted to
+ certify users
+ - rationale: using a user CA removes the need to maintain, or have,
+ `authorized_keys` files
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
new file mode 100644
index 0000000..20c9563
--- /dev/null
+++ b/roles/sshd/defaults/main.yml
@@ -0,0 +1,9 @@
+# The user of the role MUST define the version they want to use. If
+# it's not what the version of unix_users being used actually
+# provides, the role will fail.
+sshd_version: null
+
+
+# Allow SSH server to use `authorized_keys` files?
+sshd_allow_authorized_keys: yes
+
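Review bot: The comment above `sshd_version` refers to "the version of unix_users being used", which appears to be left over from another role; it should read `# it's not what the version of sshd being used actually`. The default `sshd_allow_authorized_keys: yes` relies on YAML 1.1 truthy parsing, so `sshd_allow_authorized_keys: true` is the unambiguous spelling. This variable decides whether `AuthorizedKeysFile none` is written in tasks/main.yml, yet the README added in this commit does not list it, so a one-line entry there would help operators find it.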
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..c4898c0
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: sshd_restart
+ systemd:
+ name: ssh
+ state: restarted
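Review bot: The `sshd_restart` handler restarts `ssh` without any check that the configuration assembled from `/etc/ssh/sshd_config` and the `sshd_config.d` drop-ins still parses. If a templated value such as `sshd_port` or the host key is malformed, the restart can leave the daemon stopped on a host that is managed only over SSH. Running `command: /usr/sbin/sshd -t` as a task before the `meta: flush_handlers` step in tasks/main.yml would fail the play while the old daemon is still serving.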
diff --git a/roles/sshd/subplot.md b/roles/sshd/subplot.md
new file mode 100644
index 0000000..e86e513
--- /dev/null
+++ b/roles/sshd/subplot.md
@@ -0,0 +1,27 @@
+# Role `sshd` – configure an SSH server
+
+This role sets up a Debian system so that it can be managed with
+Ansible in a reasonable way.
+
+## Version history
+
+### Version 1
+
+First version. Supports `sshd_version`, `sshd_port`, `sshd_host_key`,
+`sshd_host_cert`, and `sshd_user_ca_pub`.
+
+# Configure SSH
+
+~~~scenario
+given a host running Debian
+when I use role sshd
+and I use variables from sshd.yml
+and I run the playbook
+then stdout contains "sshd role version"
+~~~
+
+~~~{#sshd.yml .file .yaml}
+ansible_python_interpreter: /usr/bin/python3
+
+sshd_version: 1
+~~~
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..ff77c40
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,112 @@
+- name: "sshd role version"
+ shell: |
+ [ "{{ sshd_version }}" = "1" ] || \
+ (echo "Unexpected version {{ sshd_version }}" 1>&2; exit 1)
+
+- name: "sshd role configuration sanity check"
+ when: not sshd_allow_authorized_keys and sshd_user_ca_pub is not defined
+ shell: |
+ echo "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub"
+ exit 1
+
+- name: "Configure SSH server to read config files in sshd_config.d"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "Include /etc/ssh/sshd_config.d"
+ line: "Include /etc/ssh/sshd_config.d/*.conf"
+ insertbefore: BOF
+ notify: sshd_restart
+
+- name: "Set SSH host identity"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ copy:
+ content: |
+ {{ sshd_host_key }}
+ dest: /etc/ssh/ssh_host_key
+ owner: root
+ group: root
+ mode: 0600
+ notify: sshd_restart
+
+- name: "Set SSH host certificate"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ copy:
+ content: |
+ {{ sshd_host_cert }}
+ dest: /etc/ssh/ssh_host_key-cert.pub
+ notify: sshd_restart
+
+- name: "Configure SSH server host key"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ copy:
+ content: |
+ HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+ HostKey /etc/ssh/ssh_host_key
+ HostCertificate /etc/ssh/ssh_host_key-cert.pub
+ dest: /etc/ssh/sshd_config.d/host_id.conf
+ notify: sshd_restart
+
+- name: "Remove old host key settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)hostkey"
+ notify: sshd_restart
+
+- name: "Remove old host cert settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)hostcertificate"
+ notify: sshd_restart
+
+- name: "Remove old user CA settings from /etc/ssh/sshd_config"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regex: "(?i)trustedusercakeys"
+ notify: sshd_restart
+
+- name: "Remove obsolete SSH host keys and certificates"
+ when: sshd_host_key is defined and sshd_host_cert is defined
+ shell: |
+ find /etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
+ notify: sshd_restart
+
+- name: "Configure SSH server port"
+ when: sshd_port is defined
+ copy:
+ content: |
+ Port {{ sshd_port }}
+ dest: /etc/ssh/sshd_config.d/port.conf
+ notify: sshd_restart
+
+- name: "Configure user CA for SSH server"
+ when: sshd_user_ca_pub is defined
+ copy:
+ content: |
+ {{ sshd_user_ca_pub }}
+ dest: /etc/ssh/user_ca_pubs
+ notify: sshd_restart
+
+- name: "Configure SSH server to accept user CA"
+ when: sshd_user_ca_pub is defined
+ copy:
+ content: |
+ TrustedUserCAKeys /etc/ssh/user_ca_pubs
+ dest: /etc/ssh/sshd_config.d/user_ca.conf
+ notify: sshd_restart
+
+- name: "Configure SSH server to not use 'authorized_keys' files at all."
+ when: not sshd_allow_authorized_keys
+ copy:
+ content: |
+ AuthorizedKeysFile none
+ dest: /etc/ssh/sshd_config.d/authorized_keys.conf
+ notify: sshd_restart
+
+- name: "Run handlers"
+ meta: flush_handlers
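Review bot: The "Remove old user CA settings" task is gated on `sshd_host_key is defined and sshd_host_cert is defined`, which looks copied from the host-key tasks above it. As written, a run that sets a host key but no `sshd_user_ca_pub` deletes any existing `TrustedUserCAKeys` line from `/etc/ssh/sshd_config` and silently drops certificate-based logins; the condition should be `when: sshd_user_ca_pub is defined`. Separately, "Set SSH host identity" writes the private key through `copy: content:`, so the key can appear in task output when the play runs with `--diff`; adding `no_log: true` to that task avoids this. The `find ... -delete` shell task always reports changed and so notifies `sshd_restart` on every run; a `changed_when` tied to what was actually deleted would keep the role idempotent.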