From 7b946d91b5ad4107986f36a7a1417e49594b17f5 Mon Sep 17 00:00:00 2001
From: nrb <freifunk@nicoboehr.de>
Date: Sat, 9 Jan 2021 20:20:19 +0100
Subject: [PATCH] add SSH role

This will for now only disable ssh password logins, when the variable ssh_disable_password_login is set to yes.
---
 all.yml | 1 +
 host_vars/revproxy-05.freifunk-stuttgart.de/ssh | 2 ++
 roles/ssh/defaults/main.yml | 2 ++
 roles/ssh/handlers/main.yml | 6 ++++++
 roles/ssh/tasks/main.yml | 9 +++++++++
 5 files changed, 20 insertions(+)
 create mode 100644 host_vars/revproxy-05.freifunk-stuttgart.de/ssh
 create mode 100644 roles/ssh/defaults/main.yml
 create mode 100644 roles/ssh/handlers/main.yml
 create mode 100644 roles/ssh/tasks/main.yml
diff --git a/all.yml b/all.yml
index 29ec5e3..a3e2157 100644
--- a/all.yml
+++ b/all.yml
@@ -4,3 +4,4 @@
 - users
 - autoupdate
 - revproxy
+ - ssh
diff --git a/host_vars/revproxy-05.freifunk-stuttgart.de/ssh b/host_vars/revproxy-05.freifunk-stuttgart.de/ssh
new file mode 100644
index 0000000..a74af17
--- /dev/null
+++ b/host_vars/revproxy-05.freifunk-stuttgart.de/ssh
@@ -0,0 +1,2 @@
+---
+ssh_disable_password_login: yes
diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
new file mode 100644
index 0000000..0b33a81
--- /dev/null
+++ b/roles/ssh/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ssh_disable_password_login: no
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..5625fb0
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart ssh
+ service:
+ name: ssh
+ state: restarted
+
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..4c77b63
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Disable SSH password login
+ lineinfile:
+ regexp: "^#?PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ path: /etc/ssh/sshd_config
+ notify:
+ - restart ssh
+ when: ssh_disable_password_login
--
GitLab
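Review bot: The new default in roles/ssh/defaults/main.yml carries no comment saying what the variable controls, and with `no` the role changes nothing, so a host keeps whatever PasswordAuthentication setting its image shipped with. A comment such as `# yes: write "PasswordAuthentication no" to /etc/ssh/sshd_config; no: leave sshd_config untouched` would make the opt-in behaviour visible. Because the same commit adds the role to all.yml, it may be worth moving the default to `yes` once key-based access is confirmed for the hosts that play covers.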
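Review bot: The handler in roles/ssh/handlers/main.yml hard-codes the service name `ssh`, which is the name Debian and Ubuntu use; on a host where the service is called `sshd` the handler would fail after sshd_config has already been rewritten, leaving the change on disk but not applied. If the inventory is not Debian-only, take the name from a role variable with `ssh` as its default. `state: reloaded` is also sufficient for sshd to re-read its configuration and avoids a full restart of the daemon.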
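Review bot: The lineinfile task in roles/ssh/tasks/main.yml edits /etc/ssh/sshd_config and notifies a restart without checking the result, so a file that no longer parses could leave the host without a reachable sshd; adding `validate: /usr/sbin/sshd -t -f %s` makes Ansible refuse the edit instead. lineinfile rewrites only the last line matching `^#?PasswordAuthentication`, while sshd keeps the first value it reads for a keyword, so an earlier active directive or an `Include` drop-in above it would still win, and a match inside a `Match` block would be changed in the wrong scope; checking the effective value with `sshd -T` after the run would confirm the setting took hold. Depending on the PAM configuration, keyboard-interactive authentication may still accept passwords, so `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH) probably belongs in the same role. Writing the condition as `when: ssh_disable_password_login | bool` would also keep a string value passed with `-e` from being evaluated as true.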