47 lines
1.4 KiB
YAML
47 lines
1.4 KiB
YAML
---
|
|
- debug:
|
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
|
when: evolinux_ssh_password_auth_addresses == []
|
|
|
|
- name: Security directives for Evolinux
|
|
blockinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
block: |
|
|
Match Group evolinux-sudo
|
|
PasswordAuthentication no
|
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
|
PasswordAuthentication yes
|
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
|
insertafter: EOF
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify: reload sshd
|
|
when: not evolinux_ssh_password_auth_addresses == []
|
|
|
|
- name: disable SSH access for root
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin (yes|without-password)'
|
|
replace: "PermitRootLogin no"
|
|
notify: reload sshd
|
|
when: evolinux_ssh_disable_root
|
|
|
|
# We disable AcceptEnv because it can be a security issue, but also because we
|
|
# do not want clients to push their environment variables like LANG.
|
|
- name: disable AcceptEnv in ssh config
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^AcceptEnv'
|
|
replace: "#AcceptEnv"
|
|
notify: reload sshd
|
|
when: evolinux_ssh_disable_acceptenv
|
|
|
|
- name: Set log level to verbose (for Debian >= 9)
|
|
replace:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?LogLevel [A-Z]+'
|
|
replace: "LogLevel VERBOSE"
|
|
notify: reload sshd
|
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
|
|
|
- meta: flush_handlers
|