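---
# OpenSSH server with CA-signed host certificate and CA-trusted user keys.
#
# Order matters: install sshd, deploy the CA public keys, have the host key
# signed by the server CA, then wire the certificate and user CA into
# sshd_config. Every sshd_config edit is validated with `sshd -t` before it is
# written, so a typo cannot leave the host unreachable after the restart.

# Package installation and the 'restart ssh' handler come from the shared
# 'service' role (handler definition is outside this file).
- import_role:
    name: 'service'
  vars:
    service_name: 'ssh'
    service_packages:
      - 'openssh-server'
      - 'openssh-sftp-server'

# Writes /etc/ssh/user_ca.pub and /etc/ssh/server_ca.pub, one CA public key
# per line. item.0 is the file prefix, item.1 the list of CA public keys.
- name: 'upload user and server ca'
  copy:
    content: |
      {% for ca in item.1 %}
      {{ ca }}
      {% endfor %}
    dest: '/etc/ssh/{{ item.0 }}_ca.pub'
    # Public material, but set the mode explicitly rather than inheriting it
    # from the umask of whatever runs this task.
    mode: '0644'
  notify: 'restart ssh'
  loop:
    - ['user', '{{ ssh_user_ca }}']
    - ['server', '{{ ssh_server_ca }}']
  tags:
    - 'ssh_certs'

# Asks the 'ca_cert' role for an SSH host certificate on the ed25519 host key,
# issued by the server CA uploaded above. The role is expected to leave the
# certificate next to the key as ssh_host_ed25519_key-cert.pub, which the next
# task references -- confirm against the role.
- name: 'generate and sign host certificate'
  import_role:
    name: 'ca_cert'
  vars:
    ca_cert_common_name: '{{ host_fqdn }}'
    ca_cert_proto: 'ssh'
    ca_cert_ssh_ca_path: '/etc/ssh/server_ca.pub'
    ca_cert_ssh_key_path: '/etc/ssh/ssh_host_ed25519_key'
  tags:
    - 'ssh_certs'

# NOTE(review): the three lineinfile tasks below append to sshd_config when no
# matching directive exists. If the file starts with an `Include` of a
# conf.d directory, directives found there win over anything appended here
# (first occurrence wins in sshd_config) -- confirm on the target images.

- name: 'add host certificate to sshd config'
  lineinfile:
    path: '/etc/ssh/sshd_config'
    regexp: '^HostCertificate *'
    line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
    # Reject the edit if sshd cannot parse the resulting file; the original
    # config is left untouched and the task fails instead of the next restart.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: 'restart ssh'
  tags:
    - 'ssh_certs'

- name: 'add user ca to sshd config'
  lineinfile:
    path: '/etc/ssh/sshd_config'
    regexp: '^TrustedUserCAKeys *'
    line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: 'restart ssh'
  tags:
    - 'ssh_certs'

# 'without-password' is the pre-OpenSSH-7.0 spelling of 'prohibit-password':
# root may authenticate with any public key or certificate, but never with a
# password. It does not restrict root to certificates only -- entries in
# root's authorized_keys still work.
- name: 'permit root login only with certificate'
  lineinfile:
    path: '/etc/ssh/sshd_config'
    regexp: '^PermitRootLogin *'
    line: 'PermitRootLogin without-password'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: 'restart ssh'

# Run the pending 'restart ssh' handler now rather than at the end of the
# play, so the wait below observes the restarted daemon.
- meta: 'flush_handlers'

# Probe port 22 from the controller (delegate_to localhost) using the address
# resolved from inventory, so the play fails fast if sshd did not come back.
- name: 'waiting for ssh on {{ inventory_hostname }} to start'
  wait_for:
    host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
    port: 22
    timeout: 30
  delegate_to: 'localhost'
  delegate_facts: true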