Feat(init-system2): Setup `sshd`
authorOleg Broytman <phd@phdru.name>
Wed, 24 Jul 2019 16:16:43 +0000 (19:16 +0300)
committerOleg Broytman <phd@phdru.name>
Wed, 24 Jul 2019 16:16:43 +0000 (19:16 +0300)
playbooks/debian/init-system2.yml
playbooks/debian/roles/sshd/README.txt [new file with mode: 0644]
playbooks/debian/roles/sshd/handlers/main.yml [new file with mode: 0644]
playbooks/debian/roles/sshd/tasks/main.yml [new file with mode: 0644]

index 1db16fdb7a30b2b58be993c020f7bbaa9e60034f..866cbf2c36215b42398b920f2a56b797ef35428f 100644 (file)
@@ -6,3 +6,4 @@
     - root
     - firewall
     - logcheck
+    - sshd
diff --git a/playbooks/debian/roles/sshd/README.txt b/playbooks/debian/roles/sshd/README.txt
new file mode 100644 (file)
index 0000000..f1ea9db
--- /dev/null
@@ -0,0 +1 @@
+Init new Debian system: configure sshd.
diff --git a/playbooks/debian/roles/sshd/handlers/main.yml b/playbooks/debian/roles/sshd/handlers/main.yml
new file mode 100644 (file)
index 0000000..4d75e71
--- /dev/null
@@ -0,0 +1,4 @@
+- name: Reload sshd
+  service:
+    name: ssh
+    state: reloaded
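Review bot: `Reload sshd` carries no `become: true`, while the `Configure sshd` task that notifies it sets it explicitly, which suggests the play itself does not run privileged; reloading the `ssh` service would then fail at the handler unless become is set at play level, which is not visible in this commit. Adding it to the handler keeps the role self-contained: `- name: Reload sshd` followed by `  become: true`. Since handlers run only at the end of the play, a failure here surfaces well after the edit that caused it, so it is worth making the handler's privilege requirement explicit rather than inherited.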
diff --git a/playbooks/debian/roles/sshd/tasks/main.yml b/playbooks/debian/roles/sshd/tasks/main.yml
new file mode 100644 (file)
index 0000000..9f76108
--- /dev/null
@@ -0,0 +1,24 @@
+- name: Check sshd
+  shell: "grep -c '^PermitRootLogin' /etc/ssh/sshd_config || :"
+  register: sshd
+  changed_when: sshd.stdout == "0"
+
+- debug:
+    msg: "sshd has already been configured"
+  when: sshd.stdout != "0"
+
+- name: Configure sshd
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^{{ item }}"
+    line: "{{ item }}"
+  loop: [
+    'PermitRootLogin prohibit-password',
+    '# See http://www.openssh.com/txt/cbc.adv',
+    'Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc',
+    'PermitTunnel point-to-point',
+
+  ]
+  notify: Reload sshd
+  when: sshd.stdout == "0"
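Review bot: The gate in `Check sshd` counts any uncommented `PermitRootLogin` line rather than checking its value, so a host that already has `PermitRootLogin yes` is reported as "already configured" and `Configure sshd` is skipped, leaving root password login enabled; the same applies to existing `Ciphers`/`PermitTunnel` lines, which the `regexp: "^{{ item }}"` (the full desired line) would not replace either. Matching on the keyword instead makes `lineinfile` idempotent on its own, which also lets the grep/`when` gate and the `debug` task go. Because the target is the live `sshd_config`, `validate: /usr/sbin/sshd -t -f %s` on the module rejects a directive the installed sshd does not accept before the file is put in place, instead of discovering it when the `Reload sshd` handler runs. The `Ciphers` line explicitly lists `aes128-cbc,aes256-cbc`, the modes the linked advisory is about; presumably that is intended for legacy clients, but if not, restricting to the CTR entries is the safer default. Note that `lineinfile` appends unmatched lines at EOF, so any `Match` block at the end of the file would swallow the new directives — none is visible here, so this is only worth checking on the target.
```yaml
- name: Configure sshd
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^{{ item.key }}"
    line: "{{ item.line }}"
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: 'PermitRootLogin', line: 'PermitRootLogin prohibit-password' }
    - { key: '# See http://www.openssh.com/txt/cbc.adv', line: '# See http://www.openssh.com/txt/cbc.adv' }
    - { key: 'Ciphers', line: 'Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc' }
    - { key: 'PermitTunnel', line: 'PermitTunnel point-to-point' }
  notify: Reload sshd
```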