Add explicit base__ssh_authorised_keys: [] default to prevent undefined-var errors in Molecule. Extend verify.yml with sshd drop-in validation, PasswordAuthentication check, and fail2ban jail assertion. Pre-create /run/sshd in ssh.yml so sshd -t works in containers before the service has ever started. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
34 lines
927 B
YAML
34 lines
927 B
YAML
---
|
|
- name: Ensure openssh-server is installed
|
|
ansible.builtin.apt:
|
|
name: openssh-server
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Render hardened sshd drop-in
|
|
ansible.builtin.template:
|
|
src: sshd_hardening.conf.j2
|
|
dest: /etc/ssh/sshd_config.d/10-boma.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: reload sshd
|
|
|
|
- name: Ensure sshd privilege-separation directory exists (required for sshd -t)
|
|
ansible.builtin.file:
|
|
path: /run/sshd
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
|
|
- name: Validate the full sshd config (drop-in included)
|
|
ansible.builtin.command: sshd -t
|
|
changed_when: false
|
|
|
|
- name: Authorise control SSH keys for the ansible user
|
|
ansible.posix.authorized_key:
|
|
user: "{{ ansible_user | default('ansible') }}"
|
|
key: "{{ base__ssh_authorised_keys | join('\n') }}"
|
|
exclusive: true
|
|
when: base__ssh_authorised_keys | length > 0
|