Merge pull request #16 from punktDe/ssh-hardening
Add default ssh settings, ignore key errors in check mode
medanthelinium authored Aug 28, 2024
2 parents 9afe057 + dd59969 commit ff3b778
Showing 6 changed files with 36 additions and 6 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -29,6 +29,11 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Create an openssh privilege separation directory
run: |
sudo mkdir -p /run/sshd
sudo chmod 0755 /run/sshd
- name: Set up Python
uses: actions/setup-python@v2
with:
8 changes: 6 additions & 2 deletions defaults/main.yaml
Expand Up @@ -5,8 +5,12 @@ system:
{%- else -%}
wheel
{%- endif -%}
sshd:
config:
PasswordAuthentication: no
PermitRootLogin: no
features:
sshd: no
sshd: yes
proserver_fact: no
hostname: yes
timezone: yes
Expand All @@ -23,7 +27,7 @@ system:
sudoers: yes
authorized_keys: yes
authorized_keys_delete: no
motd: no
motd: yes
prefix:
sudoers: >-
{%- if ansible_system == 'Linux' -%}
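Review bot: The new `system.sshd.config` defaults are written as bare `no`, which Ansible's YAML 1.1 loader turns into boolean false rather than the string `no`; the template in tasks/sshd.yaml now special-cases booleans so the rendered file comes out right, but a user overriding with a string such as `prohibit-password` gets a different type, and the convention should be explicit so a later template change cannot silently emit `False`. The larger point is operational: `sshd: yes` turns this on for every host by default, and `PasswordAuthentication no` plus `PermitRootLogin no` will lock out any host whose only admin path is root or password SSH — nothing in this diff shows a check that a key for a sudo-capable user has landed before the handler restarts sshd (the `authorized_keys` feature is on, but its ordering relative to the sshd task is not visible here). I would quote the values (`PasswordAuthentication: "no"`) and add a comment above `sshd:` along the lines of `# Rendered into /etc/ssh/sshd_config.d/00-ansible.conf; sshd keeps the first value it sees, so these override later drop-ins.` followed by `# Disabling password and root login locks you out unless a key for a sudo-capable user is deployed first.`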
7 changes: 7 additions & 0 deletions handlers/main.yaml
@@ -1,4 +1,11 @@
---
- name: Restart Postfix
ansible.builtin.service:
name: postfix
state: restarted

- name: Restart sshd
when: (lookup('env', 'GITHUB_ACTIONS') | length) == 0
ansible.builtin.service:
name: sshd
state: restarted
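Review bot: The `when:` on `Restart sshd` is keyed on `lookup('env', 'GITHUB_ACTIONS')`, which is evaluated on the controller, so a real deployment driven from a GitHub Actions workflow (where the runner exports `GITHUB_ACTIONS=true`) will write the new sshd configuration but never restart the daemon — the hardening silently stays inactive until the next reboot, and the skip only shows up as a skipped handler in the output. Gating production behaviour on a CI marker is the wrong knob; an explicit, defaulted role variable such as `when: system.sshd.restart | default(true)`, set to false only by the molecule scenario, keeps the intent readable and cannot be tripped by the environment. Since the commit also adds a Debian install path, note that on Debian-family hosts the unit is `ssh.service` and `sshd` presumably resolves only through its systemd alias — worth confirming, or selecting the name by `ansible_os_family`. Consider `state: reloaded` as well: sshd re-reads its configuration on SIGHUP without disturbing established sessions.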
2 changes: 2 additions & 0 deletions molecule/default/converge.yml
@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
environment:
GITHUB_ACTIONS: "maybe"
tasks:
- name: "Include ansible-proserver-system"
ansible.builtin.include_role:
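Review bot: Setting `environment: GITHUB_ACTIONS: "maybe"` on the play does not reach the new `lookup('env', 'GITHUB_ACTIONS')` guards, because per the Ansible docs the `environment` keyword only applies to tasks executing on the target, while lookup plugins run in the controller process. On a GitHub runner the guards fire anyway because the runner itself exports `GITHUB_ACTIONS=true`; on a developer machine `molecule converge` will still run `sshd -T` and the restart handler, which appears to be exactly the case this line was meant to cover. If the env-var approach is kept, set it where the controller sees it — `provisioner.env` in molecule.yml, or `GITHUB_ACTIONS=1 molecule converge` — or better, pass a role variable via `vars:` here and key the guards on that. A short comment on this line saying which process is expected to read the variable would save the next person from reusing the pattern.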
2 changes: 2 additions & 0 deletions tasks/authorized_keys.yaml
Expand Up @@ -23,6 +23,8 @@
- name: Add authorized keys
loop: "{{ user_authorized_keys }}"
failed_when: "{{ add_authorized_keys.failed and not ansible_check_mode }}"
register: add_authorized_keys
loop_control:
label: '{{ item.user }} public_keys="{{ item.key }}"'
ansible.posix.authorized_key:
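Review bot: The new `failed_when` wraps its expression in `{{ }}`, but `failed_when` is already a conditional; Ansible warns that conditional statements should not include jinja2 templating delimiters, and the braces should go: `failed_when: add_authorized_keys.failed and not ansible_check_mode`. Behaviourally it does what the commit says — a key that cannot be installed no longer fails a `--check` run — but it also hides the reason (a missing user, an unreadable key file), so a dry run looks green for hosts where the real run will stop; a `debug` or warning emitted when `add_authorized_keys.failed` is true in check mode would keep that visible. Because `register` and `failed_when` are evaluated per loop item here (that is what makes the per-key check work), a one-line comment such as `# evaluated per loop item; key errors are only tolerated in --check mode` would record the intent. The task's module arguments continue past the end of this hunk.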
18 changes: 14 additions & 4 deletions tasks/sshd.yaml
@@ -1,8 +1,14 @@
---
- name: Make sure that sshd is installed (Debian-based)
when: ansible_os_family == "Debian"
ansible.builtin.package:
name: openssh-server

- name: Make sure that the custom sshd configuration is included
notify:
- Restart sshd
ansible.builtin.lineinfile:
validate: "sshd -T -f %s"
validate: "{{ 'sshd -T -f %s' if (lookup('env', 'GITHUB_ACTIONS') | length) == 0 else omit }}"
path: /etc/ssh/sshd_config
line: "Include /etc/ssh/sshd_config.d/*"
insertbefore: "BOF"
Expand All @@ -18,11 +24,15 @@
notify:
- Restart sshd
ansible.builtin.copy:
validate: "sshd -T -f %s"
validate: "{{ 'sshd -T -f %s' if (lookup('env', 'GITHUB_ACTIONS') | length) == 0 else omit }}"
dest: /etc/ssh/sshd_config.d/00-ansible.conf
content: |
{% for option, value in system.sshd.config.iteritems() %}
{{ option }} {{ value }}
{% for key, value in system.sshd.config.items() %}
{% if value is boolean %}
{{ key }} {{ value | ternary('yes', 'no') }}
{% else %}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
owner: root
mode: "0644"
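Review bot: Both `validate:` lines now resolve to `omit` whenever `GITHUB_ACTIONS` is set in the controller's environment, so a run launched from a GitHub Actions deploy workflow writes `/etc/ssh/sshd_config` and `00-ansible.conf` with no `sshd -T` check at all; combined with the restart handler being skipped under the same condition, a bad value is not noticed until the next sshd restart or reboot, which for a remote host means lockout. The switch should be an explicit, defaulted role variable rather than a CI marker, e.g. `validate: "{{ 'sshd -T -f %s' if system.sshd.validate | default(true) else omit }}"`, with molecule setting it false. The new template also special-cases only booleans: a list or mapping value in `system.sshd.config` would be rendered as its Python repr, and validation is the only thing that would catch it, so either reject non-scalar values in the loop or document that values must be scalars. A comment above the `for` loop such as `# sshd wants yes/no rather than True/False; values must be scalar` would record both constraints. The `copy` task's header starts above this hunk.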
