test(base): Molecule coverage for ssh hardening + fail2ban

Add explicit base__ssh_authorised_keys: [] default to prevent
undefined-var errors in Molecule. Extend verify.yml with sshd
drop-in validation, PasswordAuthentication check, and fail2ban
jail assertion. Pre-create /run/sshd in ssh.yml so sshd -t
works in containers before the service has ever started.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

roles/base/defaults/main.yml

@@ -19,3 +19,4 @@ base__fail2ban_maxretry: 5
 base__fail2ban_bantime: 1h
 base__fail2ban_findtime: 10m
 # base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
+base__ssh_authorised_keys: []

roles/base/molecule/default/verify.yml

@@ -47,3 +47,18 @@
     - name: Syntax-check the rendered ruleset (no apply)
       ansible.builtin.command: nft -c -f /etc/nftables.conf
       changed_when: false
+
+    - name: Sshd drop-in present and config valid
+      ansible.builtin.command: sshd -t
+      changed_when: false
+      tags: [verify]
+
+    - name: PasswordAuthentication is disabled
+      ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
+      changed_when: false
+      tags: [verify]
+
+    - name: Fail2ban sshd jail configured
+      ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
+      changed_when: false
+      tags: [verify]

roles/base/tasks/ssh.yml

@@ -14,6 +14,14 @@
     mode: "0644"
   notify: reload sshd
 
+- name: Ensure sshd privilege-separation directory exists (required for sshd -t)
+  ansible.builtin.file:
+    path: /run/sshd
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
 - name: Validate the full sshd config (drop-in included)
   ansible.builtin.command: sshd -t
   changed_when: false