alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:2bb018a40c3a98a8feb61bdf45d1be1d9ad36e66
Branches Tags
alanorth:master alanorth:debian13 alanorth:alpine
..
compare: alanorth:b600141e89a6ea6a2a36309d6a84d98549aa2e0b
Branches Tags
alanorth:debian13 alanorth:master alanorth:alpine

2 Commits
2bb018a40c ... b600141e89

Author SHA1 Message Date
Alan Orth
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
Alan Orth
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
2 changed files with 14 additions and 7 deletions
Expand all files Collapse all files

4
roles/common/tasks/ssh-keys.yml
View File

@@ -1,6 +1,8 @@
---
- name: Zero .ssh/authorized_keys for provisioning user
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }

17
roles/common/tasks/sshd.yml
View File

@@ -1,9 +1,12 @@
---
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
mode=0600
when: ansible_distribution == 'Debian'
ansible.builtin.template:
src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0600
notify: reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
@@ -17,23 +20,25 @@
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
when: extract_safe_moduli is changed
notify: reload sshd
- name: Remove DSA and ECDSA host keys
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop:
- ssh_host_dsa_key
- ssh_host_dsa_key.pub