path: root/roles/sshd/tasks/main.yml
blob: e6019698566efaae636edbce1cb240f95a846675 (plain)
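# Guard against applying this role with an incompatible variable schema:
# the role expects sshd_version to be exactly "1".
- name: "sshd role version"
  assert:
    # Compare as a string so that both `sshd_version: 1` and
    # `sshd_version: "1"` pass, as the original shell test did.
    that:
      - sshd_version | string == "1"
    fail_msg: "Unexpected version {{ sshd_version }}"
  # Using `assert` instead of `shell` means the variable is never
  # interpolated into a shell command line, and the task no longer
  # reports "changed" on every run.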

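# Install the private SSH host key handed in through sshd_host_key.
# Only applied when both the key and its certificate are provided, so the
# host identity is replaced as a pair.
- name: "Set SSH host identity"
  when: sshd_host_key is defined and sshd_host_cert is defined
  copy:
    content: |
      {{ sshd_host_key }}
    dest: /etc/ssh/ssh_host_key
    owner: root
    group: root
    # Quoted so YAML keeps the leading zero as an octal mode string instead
    # of parsing the value as an integer; the private key must not be
    # readable by other users.
    mode: "0600"
  # The file content is a private key: keep it out of task output,
  # including --diff output and verbose logs.
  no_log: true
  notify: sshd_restart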

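# Install the certificate for the host key above (sshd_host_cert).
- name: "Set SSH host certificate"
  when: sshd_host_key is defined and sshd_host_cert is defined
  copy:
    content: |
      {{ sshd_host_cert }}
    dest: /etc/ssh/ssh_host_key-cert.pub
    # Explicit ownership and mode, consistent with the host key task, so the
    # result does not depend on the remote umask. The certificate is public
    # material, so world-readable is fine.
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart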

# Point sshd at the certified host key installed above and restrict the
# host key algorithms it offers to ed25519 (plain and certificate form).
- name: "Configure SSH server host key"
  copy:
    dest: /etc/ssh/sshd_config.d/host_id.conf
    content: |
      HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
      HostKey /etc/ssh/ssh_host_key
      HostCertificate /etc/ssh/ssh_host_key-cert.pub
  notify: sshd_restart
  # Both conditions must hold (list form is an implicit AND).
  when:
    - sshd_host_key is defined
    - sshd_host_cert is defined

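# Remove distribution-generated host keys and their public halves
# (anything matching ssh_host_*_key*, e.g. ssh_host_rsa_key) so sshd can only
# identify itself with the certified key installed above. The managed key,
# /etc/ssh/ssh_host_key, does not match the pattern and is kept.
- name: "Remove obsolete SSH host keys and certificates"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # `command` rather than `shell`: no shell is involved, so the quoted glob
  # reaches find unexpanded and the command line is not subject to shell
  # interpretation. `-print` before `-delete` lists what was removed.
  command: find /etc/ssh -maxdepth 1 -type f -name 'ssh_host_*_key*' -print -delete
  register: sshd_obsolete_host_keys
  # Report a change (and thereby restart sshd) only when something was
  # actually deleted; the previous shell task reported "changed" and
  # triggered the handler on every run.
  changed_when: sshd_obsolete_host_keys.stdout != ""
  notify: sshd_restart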

# Optional listening port override; skipped when sshd_port is not set.
- name: "Configure SSH server port"
  copy:
    dest: /etc/ssh/sshd_config.d/port.conf
    content: |
      Port {{ sshd_port }}
  notify: sshd_restart
  when:
    - sshd_port is defined

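# Install the public key(s) of the CA whose user certificates sshd will
# accept. Only applied when sshd_user_ca_pub is provided.
- name: "Configure user CA for SSH server"
  when: sshd_user_ca_pub is defined
  copy:
    content: |
      {{ sshd_user_ca_pub }}
    dest: /etc/ssh/user_ca_pubs
    # Explicit root ownership and a non-writable-by-others mode, consistent
    # with the host key tasks: anyone able to modify this file can mint
    # accepted user certificates. Public material, so readable is fine.
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart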

# Tell sshd to trust user certificates signed by the CA(s) in
# /etc/ssh/user_ca_pubs (installed by the preceding task).
- name: "Configure SSH server to accept user CA"
  copy:
    dest: /etc/ssh/sshd_config.d/user_ca.conf
    content: |
      TrustedUserCAKeys /etc/ssh/user_ca_pubs
  notify: sshd_restart
  when:
    - sshd_user_ca_pub is defined

# Disable per-user authorized_keys files entirely unless the role is told
# to allow them (sshd_allow_authorized_keys), leaving certificate-based
# authentication as the only key path.
- name: "Configure SSH server to not use 'authorized_keys' files at all."
  copy:
    dest: /etc/ssh/sshd_config.d/authorized_keys.conf
    content: |
      AuthorizedKeysFile none
  notify: sshd_restart
  when: not sshd_allow_authorized_keys