* Provide granular noop for ssh configuration
We would like to have more fine grained options on applying or not specific configurations.
This commit lets the user choose to noop some configuration with a few new
boolean variables.
Motivation for these options is that we may configure some ourselves (ssh host key
regeneration in a templating system) or we are not ready for others (ssh_kex
will break dist-upgrades, leaving the operator without ssh).
Signed-off-by: seven beep <ebn@entreparentheses.xyz>
* Provide granular noop for ssh configuration
We would like to have more fine grained options on applying or not specific configurations.
This commit lets the user choose to disable configurations for `ssh_host_key_config`,
`ssh_ciphers_config`, `ssh_host_key_config`, `ssh_macs_config` by setting them
to False.
Motivation for these options is that we may configure some ourselves (ssh host key
regeneration in a templating system) or we are not ready for others (ssh_kex
will break dist-upgrades, leaving the operator without ssh).
Signed-off-by: seven beep <ebn@entreparentheses.xyz>
---------
Signed-off-by: seven beep <ebn@entreparentheses.xyz>
ssh_permit_tunnel needs quotes, otherwise we will end up with an error:
```
TASK [devsec.hardening.ssh_hardening : Create sshd_config and set permissions to root/600] **********************************************************************************************************************
fatal: [vampdock02]: FAILED! => {"changed": false, "checksum": "fe6b74e30b1a653f83c2cbe1dd1332c14bd55833", "exit_status": 255, "msg": "failed to validate", "stderr": "/home/debian/.ansible/tmp/ansible-tmp-1728530891.493071-72386-149151737175948/source line 123: bad PermitTunnel argument True\r\n", "stderr_lines": ["/home/debian/.ansible/tmp/ansible-tmp-1728530891.493071-72386-149151737175948/source line 123: bad PermitTunnel argument True"], "stdout": "", "stdout_lines": []}
```
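The failure above comes from a YAML boolean being rendered into `sshd_config` as the string `True`, which sshd rejects during validation. The following is an added example, not code from the ansible-collection-hardening project: it mimics the template line, reproduces the `bad PermitTunnel argument True` check, and shows a hypothetical normalizer that maps a boolean to the `yes`/`no` sshd expects.

```python
# Added example: why an unquoted boolean breaks PermitTunnel in a rendered
# sshd_config, and how to check the rendered line before deploying it.

# Values sshd accepts for PermitTunnel (sshd_config(5)).
PERMIT_TUNNEL_VALUES = {"yes", "no", "point-to-point", "ethernet"}


def render_permit_tunnel(value) -> str:
    """Mimic a Jinja line 'PermitTunnel {{ ssh_permit_tunnel }}'.

    Jinja stringifies a Python bool as 'True' / 'False', which is exactly
    the argument the error message in the changelog complains about.
    """
    return f"PermitTunnel {value}"


def validate_permit_tunnel(line: str):
    """Return (ok, message), imitating the check `sshd -t` performs on the line."""
    keyword, _, arg = line.strip().partition(" ")
    if keyword != "PermitTunnel":
        return False, f"not a PermitTunnel line: {line!r}"
    if arg not in PERMIT_TUNNEL_VALUES:
        return False, f"bad PermitTunnel argument {arg}"
    return True, "ok"


def to_sshd_value(value) -> str:
    """Hypothetical normalizer (not part of the role): map an Ansible/YAML
    value to a string sshd accepts, so a bool never reaches the template."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    s = str(value).strip().lower()
    if s in ("true", "yes", "on", "1"):
        return "yes"
    if s in ("false", "no", "off", "0"):
        return "no"
    if s in PERMIT_TUNNEL_VALUES:
        return s
    raise ValueError(f"unsupported PermitTunnel value: {value!r}")


if __name__ == "__main__":
    # Unquoted YAML `no` becomes Python False; quoted 'no' stays a string.
    for candidate in (True, "no", to_sshd_value(False)):
        print(render_permit_tunnel(candidate), validate_permit_tunnel(render_permit_tunnel(candidate)))
```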
* Update Ubuntu compatibility
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* reload systemd when disabling ssh socket
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* manage systemd files
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Create privsep directory for Debian
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Use working Ubuntu 24.04 image for vm tests
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Remove deprecated Debian 10
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* disable systemd socket activation
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* move start to after deactivation so it can start
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* do not force type of gatewayports-var
This way it can be a bool or a string. We also now test for it.
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* replace yum with dnf
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* centos7 is eol, remove it
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* change workflow to update readmes when meta/main.yml is changed
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* remove mention of centos 7 from readme
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>