From 4d94f52fdb488f7b7b8328212824df69c66424d6 Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Wed, 24 Jul 2019 19:16:43 +0300
Subject: [PATCH] Feat(init-system2): Setup `sshd`

---
 playbooks/debian/init-system2.yml | 1 +
 playbooks/debian/roles/sshd/README.txt | 1 +
 playbooks/debian/roles/sshd/handlers/main.yml | 4 ++++
 playbooks/debian/roles/sshd/tasks/main.yml | 24 +++++++++++++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 playbooks/debian/roles/sshd/README.txt
 create mode 100644 playbooks/debian/roles/sshd/handlers/main.yml
 create mode 100644 playbooks/debian/roles/sshd/tasks/main.yml

diff --git a/playbooks/debian/init-system2.yml b/playbooks/debian/init-system2.yml
index 1db16fd..866cbf2 100644
--- a/playbooks/debian/init-system2.yml
+++ b/playbooks/debian/init-system2.yml
@@ -6,3 +6,4 @@
 - root
 - firewall
 - logcheck
+ - sshd
diff --git a/playbooks/debian/roles/sshd/README.txt b/playbooks/debian/roles/sshd/README.txt
new file mode 100644
index 0000000..f1ea9db
--- /dev/null
+++ b/playbooks/debian/roles/sshd/README.txt
@@ -0,0 +1 @@
+Init new Debian system: configure sshd.
diff --git a/playbooks/debian/roles/sshd/handlers/main.yml b/playbooks/debian/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..4d75e71
--- /dev/null
+++ b/playbooks/debian/roles/sshd/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload sshd
+ service:
+ name: ssh
+ state: reloaded
diff --git a/playbooks/debian/roles/sshd/tasks/main.yml b/playbooks/debian/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..9f76108
--- /dev/null
+++ b/playbooks/debian/roles/sshd/tasks/main.yml
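Review bot: `Reload sshd` in handlers/main.yml carries no `become: true`, while the `Configure sshd` task that notifies it elevates explicitly, which suggests the play does not set become globally; if so, the reload runs unprivileged and fails after sshd_config has already been rewritten, leaving the running daemon on the old settings. Add `become: true` directly beneath `- name: Reload sshd` so the handler elevates the same way the task does.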
@@ -0,0 +1,24 @@
+- name: Check sshd
+ shell: "grep -c '^PermitRootLogin' /etc/ssh/sshd_config || :"
+ register: sshd
+ changed_when: sshd.stdout == "0"
+
+- debug:
+ msg: "sshd has already been configured"
+ when: sshd.stdout != "0"
+
+- name: Configure sshd
+ become: true
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^{{ item }}"
+ line: "{{ item }}"
+ loop: [
+ 'PermitRootLogin prohibit-password',
+ '# See http://www.openssh.com/txt/cbc.adv',
+ 'Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc',
+ 'PermitTunnel point-to-point',
+
+ ]
+ notify: Reload sshd
+ when: sshd.stdout == "0"
-- 
2.39.2
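Review bot: The `regexp: "^{{ item }}"` in `Configure sshd` anchors on the whole `keyword value` string, so an existing line with a different value (a pre-existing `PermitRootLogin yes`, say) is never replaced; lineinfile then appends the new line at the end of the file, and sshd honours the first occurrence of a keyword, so the intended setting silently loses. The gating `grep -c '^PermitRootLogin'` in `Check sshd` has the same blind spot, reporting the file as configured whenever any uncommented PermitRootLogin line exists regardless of its value. Matching on the keyword alone (also catching the commented Debian default) and validating with `sshd -t` before the handler reloads avoids both the override and a lockout from a malformed file. Separately, the `Ciphers` item re-enables `aes128-cbc` and `aes256-cbc` while citing the CBC advisory, and it drops the AEAD ciphers (chacha20-poly1305@openssh.com and the aes-gcm variants) that are in OpenSSH's default set; unless a legacy client needs CBC, `aes128-ctr,aes256-ctr` alone or leaving `Ciphers` at the default is the safer choice, at which point the advisory comment item can go.
```yaml
- name: Configure sshd
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: PermitRootLogin, value: prohibit-password }
    - { key: Ciphers, value: 'aes128-ctr,aes256-ctr' }
    - { key: PermitTunnel, value: point-to-point }
  notify: Reload sshd
  when: sshd.stdout == "0"
```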