roles/common: sshd overrides for Debian 13

2025-09-21 23:27:28 +03:00
14 changed files with 65 additions and 18 deletions
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -3,7 +3,7 @@

 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: caddy
    state: reloaded

--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -2,7 +2,7 @@
 # ansible.builtin.file: roles/common/handlers/main.yml

 - name: Reload sshd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: "{{ sshd_service_name }}"
    state: reloaded

@@ -10,11 +10,11 @@
  ansible.builtin.command: sysctl -p /etc/sysctl.conf

 - name: Reload systemd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    daemon_reload: true

 - name: Restart nftables
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nftables
    state: restarted

@@ -22,6 +22,6 @@
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: Restart fail2ban
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -47,7 +47,7 @@
    - Restart fail2ban

 - name: Start and enable fail2ban service
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@@ -76,11 +76,11 @@
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
  when: nftables_systemd_units is changed
-  ansible.builtin.systemd_service: # noqa no-handler
+  ansible.builtin.systemd: # noqa no-handler
    daemon_reload: true

 - name: Start and enable nftables update timers
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
@@ -88,7 +88,7 @@
    - update-firehol-nftables.timer

 - name: Start and enable nftables
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -22,7 +22,7 @@

 - name: Start and enable systemd's NTP client
  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: systemd-timesyncd
    state: started
    enabled: true
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,6 +1,7 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
+  when: ansible_distribution_version is version('12', '<=')
  ansible.builtin.template:
    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
    dest: /etc/ssh/sshd_config
@@ -9,6 +10,18 @@
    mode: "0600"
  notify: Reload sshd

+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_distribution_version is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
+
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
  block:
--- a/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
@@ -0,0 +1,34 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: mariadb
    state: restarted

--- a/roles/munin/handlers/main.yml
+++ b/roles/munin/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd_service: name=munin-node state=restarted
+  ansible.builtin.systemd: name=munin-node state=restarted
--- a/roles/munin/tasks/munin-node.yml
+++ b/roles/munin/tasks/munin-node.yml
@@ -26,7 +26,7 @@
    - restart munin-node

 - name: Start munin-node
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: munin-node
    state: started
    enabled: true
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Reload nginx
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nginx
    state: reloaded

--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -82,7 +82,7 @@

    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -119,7 +119,7 @@
  tags: nginx

 - name: Start and enable nginx service
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
--- a/roles/php_fpm/handlers/main.yml
+++ b/roles/php_fpm/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 # For Debian 12
 - name: Reload php8.2-fpm
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: php8.2-fpm
    state: reloaded