26 lines
731 B
YAML
26 lines
731 B
YAML
---
|
|
- name: Ensure openssh-server is installed
|
|
ansible.builtin.apt:
|
|
name: openssh-server
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Render hardened sshd drop-in
|
|
ansible.builtin.template:
|
|
src: sshd_hardening.conf.j2
|
|
dest: /etc/ssh/sshd_config.d/10-boma.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: reload sshd
|
|
|
|
- name: Validate the full sshd config (drop-in included)
|
|
ansible.builtin.command: sshd -t
|
|
changed_when: false
|
|
|
|
- name: Authorise control SSH keys for the ansible user
|
|
ansible.posix.authorized_key:
|
|
user: "{{ ansible_user | default('ansible') }}"
|
|
key: "{{ base__ssh_authorised_keys | join('\n') }}"
|
|
exclusive: true
|
|
when: base__ssh_authorised_keys | length > 0
|