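---
# Guard rails. Both checks run before anything under /etc/ssh is touched,
# so a mis-parameterised play aborts instead of leaving sshd half-configured.
# Note that nothing in this role touches PasswordAuthentication; whatever the
# base sshd_config allows there stays in effect.

- name: "sshd role version"
  # assert is evaluated by Ansible itself; the previous shell test interpolated
  # sshd_version into a remote command line and always reported "changed".
  assert:
    that:
      - sshd_version | string == "1"
    fail_msg: "Unexpected version {{ sshd_version }}"

- name: "sshd role configuration sanity check"
  # With authorized_keys disabled and no user CA, public-key auth has no
  # source of trust (an AuthorizedKeysCommand set elsewhere aside) -- refuse
  # to configure a lockout. sshd_allow_authorized_keys must be defined
  # (presumably in the role defaults); an undefined value errors out here.
  when: not sshd_allow_authorized_keys and sshd_user_ca_pub is not defined
  fail:
    msg: "You MUST define sshd_allow_authorized_keys OR sshd_user_ca_pub"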

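- name: "Ensure the sshd drop-in directory exists"
  # copy (used for every drop-in below) does not create parent directories,
  # and not every distribution release ships /etc/ssh/sshd_config.d.
  file:
    path: /etc/ssh/sshd_config.d
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: "Configure SSH server to read config files in sshd_config.d"
  # For most directives sshd keeps the FIRST value it reads, so the Include
  # must come before everything else (and before any Match block) for the
  # drop-ins to take precedence -- hence insertbefore: BOF.
  # Caveat: insertbefore only applies when the regexp matches nothing. An
  # existing (even commented-out) Include further down the file is rewritten
  # in place and keeps its position, which may be after a Match block.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "Include /etc/ssh/sshd_config.d"
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    insertbefore: BOF
  notify: sshd_restart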

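- name: "Set SSH host identity"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # This is private key material: keep it out of task output, --diff and
  # verbose logs.
  no_log: true
  # host_id.conf (below) only offers ssh-ed25519, so this must be an ed25519
  # key; the key type is not validated here. Mode is quoted so YAML does not
  # read the octal literal as an integer.
  copy:
    content: |
      {{ sshd_host_key }}
    dest: /etc/ssh/ssh_host_key
    owner: root
    group: root
    mode: "0600"
  notify: sshd_restart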

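- name: "Set SSH host certificate"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # Public certificate; permissions are set explicitly so they do not depend
  # on the umask of the Ansible connection user.
  copy:
    content: |
      {{ sshd_host_cert }}
    dest: /etc/ssh/ssh_host_key-cert.pub
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart

- name: "Configure SSH server host key"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # Pins the host identity to the single ed25519 key above (plain key and
  # certificate forms). Because HostKey is cumulative, the matching cleanup
  # of HostKey lines in the main sshd_config is what makes this the only
  # host key offered.
  copy:
    content: |
      HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
      HostKey /etc/ssh/ssh_host_key
      HostCertificate /etc/ssh/ssh_host_key-cert.pub
    dest: /etc/ssh/sshd_config.d/host_id.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart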

# Strip host-identity directives from the main sshd_config so that only the
# drop-ins decide them. The patterns are unanchored and case-insensitive:
# every line containing the keyword goes, including comments and (for the
# first one) HostKeyAlgorithms / HostKeyAgent lines.

- name: "Remove old host key settings from /etc/ssh/sshd_config"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '(?i)hostkey'
    state: absent
  when: sshd_host_key is defined and sshd_host_cert is defined
  notify: sshd_restart

- name: "Remove old host cert settings from /etc/ssh/sshd_config"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '(?i)hostcertificate'
    state: absent
  when: sshd_host_key is defined and sshd_host_cert is defined
  notify: sshd_restart

# NOTE(review): this cleanup is gated on the host key/cert variables, not on
# sshd_user_ca_pub. With a host identity but no user CA it removes any
# pre-existing TrustedUserCAKeys from the main file without replacing it --
# confirm whether the condition should be `sshd_user_ca_pub is defined`.
- name: "Remove old user CA settings from /etc/ssh/sshd_config"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '(?i)trustedusercakeys'
    state: absent
  when: sshd_host_key is defined and sshd_host_cert is defined
  notify: sshd_restart

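- name: "Remove obsolete SSH host keys and certificates"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # Deletes distribution-generated keys (ssh_host_rsa_key, ssh_host_ecdsa_key,
  # their .pub files, ...). The glob needs "_key" after a middle component, so
  # the role-managed /etc/ssh/ssh_host_key and ssh_host_key-cert.pub survive.
  # -print lists what was deleted so the task can report changes honestly.
  shell: |
    find /etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -print -delete
  register: sshd_obsolete_keys
  # The bare -delete reported "changed" on every run and therefore restarted
  # sshd on every run; only flag a change (and a restart) when files went.
  changed_when: sshd_obsolete_keys.stdout != ""
  notify: sshd_restart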

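- name: "Remove old Port settings from /etc/ssh/sshd_config"
  when: sshd_port is defined
  # Unlike most directives, Port is cumulative: sshd listens on every Port
  # line it reads, in the main file and in the drop-in alike. Strip active
  # Port lines (comments are left alone) so the drop-in alone decides,
  # mirroring the HostKey cleanup above. Keywords are case-insensitive.
  lineinfile:
    path: /etc/ssh/sshd_config
    state: absent
    regexp: '(?i)^\s*port\s'
  notify: sshd_restart

- name: "Configure SSH server port"
  when: sshd_port is defined
  # NOTE(review): a ListenAddress carrying its own port in the main config is
  # not governed by Port and is not handled by this role.
  copy:
    content: |
      Port {{ sshd_port }}
    dest: /etc/ssh/sshd_config.d/port.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart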

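- name: "Configure user CA for SSH server"
  when: sshd_user_ca_pub is defined
  # Public key only, but it decides who may log in: make it root-owned and
  # writable by root alone regardless of the connection user's umask.
  copy:
    content: |
      {{ sshd_user_ca_pub }}
    dest: /etc/ssh/user_ca_pubs
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart

- name: "Configure SSH server to accept user CA"
  when: sshd_user_ca_pub is defined
  # No AuthorizedPrincipalsFile is set, so sshd accepts a certificate only
  # when one of its principals equals the login user name. The role also sets
  # no RevokedKeys, so unless one is configured elsewhere, issued
  # certificates can only be retired by letting them expire.
  copy:
    content: |
      TrustedUserCAKeys /etc/ssh/user_ca_pubs
    dest: /etc/ssh/sshd_config.d/user_ca.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart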

# Turn off file-based authorized_keys lookups. Since the Include sits at the
# top of sshd_config and sshd keeps the first AuthorizedKeysFile it reads,
# this drop-in wins over any later AuthorizedKeysFile in the main file.
# An AuthorizedKeysCommand configured elsewhere is not affected.
# sshd_allow_authorized_keys must be defined (presumably in the role
# defaults); there is no default applied here.
- name: "Configure SSH server to not use 'authorized_keys' files at all."
  copy:
    dest: /etc/ssh/sshd_config.d/authorized_keys.conf
    content: "AuthorizedKeysFile none\n"
  when: not sshd_allow_authorized_keys
  notify: sshd_restart

# Fire any pending sshd_restart notification now instead of at the end of
# the play, so later roles talk to a daemon that already runs this config.
- name: "Run handlers"
  meta: flush_handlers