feat(ssh): support partial execution with prepare and deploy tags

This commit is contained in:
transcaffeine 2021-05-26 14:31:24 +02:00
parent 7ae06507c1
commit d7ab89a455
No known key found for this signature in database
GPG key ID: 03624C433676E465


@ -4,6 +4,7 @@
path: "{{ ssh_config_file }}" path: "{{ ssh_config_file }}"
state: present state: present
validate: "sshd -Tf %s" validate: "sshd -Tf %s"
tags: ['prepare', 'prepare-sshd']
- name: Disallow password authentication - name: Disallow password authentication
lineinfile: lineinfile:
@ -11,6 +12,7 @@
regexp: "^#?PasswordAuthentication" regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no" line: "PasswordAuthentication no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Disallow challenge-response authentication - name: Disallow challenge-response authentication
lineinfile: lineinfile:
@ -18,6 +20,7 @@
regexp: "^#?ChallengeResponseAuthentication" regexp: "^#?ChallengeResponseAuthentication"
line: "ChallengeResponseAuthentication no" line: "ChallengeResponseAuthentication no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Allow pubkey authentication - name: Allow pubkey authentication
lineinfile: lineinfile:
@ -26,6 +29,7 @@
line: "PubkeyAuthentication yes" line: "PubkeyAuthentication yes"
firstmatch: yes firstmatch: yes
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Disallow root login - name: Disallow root login
lineinfile: lineinfile:
@ -33,6 +37,7 @@
regexp: "^#?PermitRootLogin" regexp: "^#?PermitRootLogin"
line: "PermitRootLogin no" line: "PermitRootLogin no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Do not allow sessions to idle longer than 5 minutes - name: Do not allow sessions to idle longer than 5 minutes
lineinfile: lineinfile:
@ -40,6 +45,7 @@
regexp: "^#?ClientAliveInterval" regexp: "^#?ClientAliveInterval"
line: "ClientAliveInterval 300" line: "ClientAliveInterval 300"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow SSHv2 - name: Only allow SSHv2
lineinfile: lineinfile:
@ -48,6 +54,7 @@
line: "Protocol 2" line: "Protocol 2"
insertafter: &cipher_after "^# Ciphers and keying" insertafter: &cipher_after "^# Ciphers and keying"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Disallow X11-Forwarding - name: Disallow X11-Forwarding
lineinfile: lineinfile:
@ -55,6 +62,7 @@
regexp: "^#?X11Forwarding" regexp: "^#?X11Forwarding"
line: "X11Forwarding no" line: "X11Forwarding no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Disallow Agent Forwarding - name: Disallow Agent Forwarding
lineinfile: lineinfile:
@ -62,6 +70,7 @@
regexp: "^#?AllowAgentForwarding" regexp: "^#?AllowAgentForwarding"
line: "AllowAgentForwarding no" line: "AllowAgentForwarding no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Disallow TCP Forwarding - name: Disallow TCP Forwarding
lineinfile: lineinfile:
@ -69,6 +78,7 @@
regexp: "^#?AllowTcpForwarding" regexp: "^#?AllowTcpForwarding"
line: "AllowTcpForwarding no" line: "AllowTcpForwarding no"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow reasonably secure KeyExAlgorithms - name: Only allow reasonably secure KeyExAlgorithms
lineinfile: lineinfile:
@ -77,6 +87,7 @@
line: "KexAlgorithms {{ ssh_preset.allowed_kexalgos|join(',') }}" line: "KexAlgorithms {{ ssh_preset.allowed_kexalgos|join(',') }}"
insertafter: *cipher_after insertafter: *cipher_after
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow reasonably secure ciphers - name: Only allow reasonably secure ciphers
lineinfile: lineinfile:
@ -85,6 +96,7 @@
line: "Ciphers {{ ssh_preset.allowed_ciphers|join(',') }}" line: "Ciphers {{ ssh_preset.allowed_ciphers|join(',') }}"
insertafter: *cipher_after insertafter: *cipher_after
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow reasonably secure MACs - name: Only allow reasonably secure MACs
lineinfile: lineinfile:
@ -93,6 +105,7 @@
line: "MACs {{ ssh_preset.allowed_macs|join(',') }}" line: "MACs {{ ssh_preset.allowed_macs|join(',') }}"
insertafter: *cipher_after insertafter: *cipher_after
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow reasonably secure hostkey algorithms - name: Only allow reasonably secure hostkey algorithms
lineinfile: lineinfile:
@ -101,6 +114,7 @@
line: "HostKeyAlgorithms {{ ssh_preset.allowed_hostkey_algos|join(',') }}" line: "HostKeyAlgorithms {{ ssh_preset.allowed_hostkey_algos|join(',') }}"
insertafter: *cipher_after insertafter: *cipher_after
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Only allow reasonably secure publickey algorithms - name: Only allow reasonably secure publickey algorithms
lineinfile: lineinfile:
@ -109,6 +123,7 @@
line: "PubkeyAcceptedKeyTypes {{ ssh_preset.allowed_pubkey_algos|join(',') }}" line: "PubkeyAcceptedKeyTypes {{ ssh_preset.allowed_pubkey_algos|join(',') }}"
insertafter: *cipher_after insertafter: *cipher_after
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
- name: Set LogLevel to {{ ssh_loglevel }} - name: Set LogLevel to {{ ssh_loglevel }}
lineinfile: lineinfile:
@ -116,3 +131,4 @@
regexp: '^#?LogLevel' regexp: '^#?LogLevel'
line: "LogLevel {{ ssh_loglevel }}" line: "LogLevel {{ ssh_loglevel }}"
notify: reload sshd notify: reload sshd
tags: ['prepare', 'prepare-sshd']
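Review bot: The identical `tags: ['prepare', 'prepare-sshd']` line is hand-copied onto all sixteen sshd_config tasks in this file (first at the hunk starting `@ -4,6 +4,7 @@`, last here), so any task added later without it silently falls out of a `--tags prepare` run; wrapping these tasks in one `block:` that carries `tags: ['prepare', 'prepare-sshd']` once applies the tags to every task and keeps them in a single place. The task list begins before the first hunk, so the `block:` would open outside what is shown here. Separately, only the task in the first hunk visibly carries `validate: "sshd -Tf %s"`; the other `lineinfile` tasks show just `regexp`/`line`/`notify` context, so if their earlier keys lack `validate`, a `prepare`-only run can write an unsupported KexAlgorithms/Ciphers/MACs value from `ssh_preset` and the `reload sshd` handler then fails against a config that sshd will not load. Each task that edits `sshd_config` should carry the same `validate: "sshd -Tf %s"` so a bad preset is rejected before the file is changed.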