ansible-role-system/tasks/sshd_config.yml

---
# vim: set expandtab tabstop=2 shiftwidth=2:

- name: 'check sshd include option'
  command: 'sshd -o "include /dev/null"'
  register: sshd_include_option_check
  failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'
- set_fact:
    sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'
- when: 'true == sshd_include_option'
  block:
  - name: '/etc/ssh/sshd_config.d'
    file:
      state: directory
      path: '/etc/ssh/sshd_config.d'
      owner: root
      group: root
      mode: 0644
  - name: 'sshd_config.d/99-default.conf'
    template:
      src:  'sshd-default.conf.j2'
      dest: '/etc/ssh/sshd_config.d/99-default.conf'
      owner:  root
      group:  root
      mode:   0644
  - lineinfile:
      path:         /etc/ssh/sshd_config
      insertbefore: BOF
      regexp:       '^\s*include\s+/etc/ssh/sshd_config.d/'
      line:         'include /etc/ssh/sshd_config.d/*.conf'
      firstmatch:   true
- when: 'false == sshd_include_option'
  block:
  - name: sshd_config
    lineinfile:
      path:        /etc/ssh/sshd_config
      insertafter: '^\s*#\s*{{item.key}}\s+'
      regexp:      '^\s*{{item.key}}\s'
      line:        '{{item.key}} {{item.value}}'
    with_dict:
      Port:                   '{{sshd_port|default(22)}}'
      PermitRootLogin:        '{{sshd_permit_root_login}}'
      StrictModes:            'yes'
      PubkeyAuthentication:   'yes'
      KerberosAuthentication: '{{sshd_kerberos_authentication}}'
      GSSAPIAuthentication:   '{{sshd_gssapi_authentication}}'
      TCPKeepAlive:           'yes'
      Ciphers:                '{{sshd_ciphers}}'
      MACs:                   '{{sshd_macs}}'
      KexAlgorithms:          '{{sshd_kex_algorithms}}'
  - name: sshd_config
    lineinfile:
      path:        /etc/ssh/sshd_config
      insertbefore: '\s*#?\s*HostKey\s+'
      regexp:       '^# HostKeys for protocol'
      line:         '# HostKeys for protocol'
  - name: sshd_config - prefer ed25519
    lineinfile:
      path:        /etc/ssh/sshd_config
      insertafter: '^# HostKeys for protocol'
      regexp:      '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
      line:        'HostKey /etc/ssh/ssh_host_ed25519_key'
  - name: sshd_config - fallback rsa
    lineinfile:
      path:        /etc/ssh/sshd_config
      insertafter: '^\s*HostKey\s+/etc/ssh/ssh_host_ed25519_key\s*$'
      regexp:      '^\s*HostKey\s+/etc/ssh/ssh_host_rsa_key\s*$'
      line:        'HostKey /etc/ssh/ssh_host_rsa_key'
  - name: 'sshd_config - absent dsa / ecdsa'
    lineinfile:
      path:   /etc/ssh/sshd_config
      state:  absent
      regexp: '{{item}}'
    with_list:
    - '^\s*HostKey\s+/etc/ssh/ssh_host_dsa_key\s*$'
    - '^\s*HostKey\s+/etc/ssh/ssh_host_ecdsa_key\s*$'
init 2021-04-10 22:11:19 +02:00			`---`
			`# vim: set expandtab tabstop=2 shiftwidth=2:`

sshd_config: checks for include-option, provided => write to 99-default.conf, else to sshd_config and prepend include to sshd_config, if not found. 2024-01-14 22:32:35 +01:00			`- name: 'check sshd include option'`
			`command: 'sshd -o "include /dev/null"'`
			`register: sshd_include_option_check`
			`failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'`
sshd_config: for checking use template-engine 2024-01-14 22:50:16 +01:00			`- set_fact:`
			`sshd_include_option: '{{sshd_include_option_check.stderr == "Include directive not supported as a command-line option"}}'`
sshd_config: checks for include-option, provided => write to 99-default.conf, else to sshd_config and prepend include to sshd_config, if not found. 2024-01-14 22:32:35 +01:00			`- when: 'true == sshd_include_option'`
			`block:`
			`- name: '/etc/ssh/sshd_config.d'`
			`file:`
sshd_config: fix file-module usage 2024-01-14 22:53:43 +01:00			`state: directory`
			`path: '/etc/ssh/sshd_config.d'`
sshd_config: checks for include-option, provided => write to 99-default.conf, else to sshd_config and prepend include to sshd_config, if not found. 2024-01-14 22:32:35 +01:00			`owner: root`
			`group: root`
			`mode: 0644`
			`- name: 'sshd_config.d/99-default.conf'`
			`template:`
			`src: 'sshd-default.conf.j2'`
			`dest: '/etc/ssh/sshd_config.d/99-default.conf'`
			`owner: root`
			`group: root`
			`mode: 0644`
			`- lineinfile:`
			`path: /etc/ssh/sshd_config`
			`insertbefore: BOF`
			`regexp: '^\s*include\s+/etc/ssh/sshd_config.d/'`
			`line: 'include /etc/ssh/sshd_config.d/*.conf'`
			`firstmatch: true`
			`- when: 'false == sshd_include_option'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`block:`
			`- name: sshd_config`
			`lineinfile:`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`path: /etc/ssh/sshd_config`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`insertafter: '^\s#\s{{item.key}}\s+'`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`regexp: '^\s*{{item.key}}\s'`
			`line: '{{item.key}} {{item.value}}'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`with_dict:`
sshd-default.conf.j2 fixed {%%}; prefix ssh_ -> sshd_ 2024-01-14 21:49:26 +01:00			`Port: '{{sshd_port\|default(22)}}'`
			`PermitRootLogin: '{{sshd_permit_root_login}}'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`StrictModes: 'yes'`
			`PubkeyAuthentication: 'yes'`
sshd_config: defining default for kerberos/gssapi 2024-01-14 23:23:27 +01:00			`KerberosAuthentication: '{{sshd_kerberos_authentication}}'`
			`GSSAPIAuthentication: '{{sshd_gssapi_authentication}}'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`TCPKeepAlive: 'yes'`
sshd-default.conf.j2 fixed {%%}; prefix ssh_ -> sshd_ 2024-01-14 21:49:26 +01:00			`Ciphers: '{{sshd_ciphers}}'`
			`MACs: '{{sshd_macs}}'`
			`KexAlgorithms: '{{sshd_kex_algorithms}}'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`- name: sshd_config`
			`lineinfile:`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`path: /etc/ssh/sshd_config`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`insertbefore: '\s#?\sHostKey\s+'`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`regexp: '^# HostKeys for protocol'`
			`line: '# HostKeys for protocol'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`- name: sshd_config - prefer ed25519`
			`lineinfile:`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`path: /etc/ssh/sshd_config`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`insertafter: '^# HostKeys for protocol'`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`regexp: '^\sHostKey\s+/etc/ssh/ssh_host_ed25519_key\s$'`
			`line: 'HostKey /etc/ssh/ssh_host_ed25519_key'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`- name: sshd_config - fallback rsa`
			`lineinfile:`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`path: /etc/ssh/sshd_config`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`insertafter: '^\sHostKey\s+/etc/ssh/ssh_host_ed25519_key\s$'`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`regexp: '^\sHostKey\s+/etc/ssh/ssh_host_rsa_key\s$'`
			`line: 'HostKey /etc/ssh/ssh_host_rsa_key'`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`- name: 'sshd_config - absent dsa / ecdsa'`
			`lineinfile:`
sshd_config: non-bookworm uses same vars like bookworm-default.conf.j2; &&/\|\|->and/or 2024-01-14 21:05:02 +01:00			`path: /etc/ssh/sshd_config`
			`state: absent`
sshd-config: for debian-12: config in /etc/ssh/sshd_config.d/default.conf 2024-01-14 13:13:57 +01:00			`regexp: '{{item}}'`
			`with_list:`
			`- '^\sHostKey\s+/etc/ssh/ssh_host_dsa_key\s$'`
			`- '^\sHostKey\s+/etc/ssh/ssh_host_ecdsa_key\s$'`