vm-ansible/roles/common/tasks/ssh-security-settings.yaml

---
- name: Disable root authentication
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '#PermitRootLogin prohibit-password'
    replace: 'PermitRootLogin no'

- name: Disable X11 forwarding
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: 'X11Forwarding yes'
    replace: 'X11Forwarding no'

- name: Explicitly only listen on ipv4
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: '#AddressFamily any'
    replace: 'AddressFamily inet'

- name: "Restart sshd"
  ansible.builtin.service:
    name: sshd
    state: restarted
...
v0.1 done: docker webhosts, smtp gateway 2022-01-01 19:24:52 +01:00			`---`
			`- name: Disable root authentication`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.replace:`
v0.1 done: docker webhosts, smtp gateway 2022-01-01 19:24:52 +01:00			`path: /etc/ssh/sshd_config`
			`regexp: '#PermitRootLogin prohibit-password'`
			`replace: 'PermitRootLogin no'`

			`- name: Disable X11 forwarding`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.replace:`
v0.1 done: docker webhosts, smtp gateway 2022-01-01 19:24:52 +01:00			`path: /etc/ssh/sshd_config`
			`regexp: 'X11Forwarding yes'`
			`replace: 'X11Forwarding no'`

			`- name: Explicitly only listen on ipv4`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.replace:`
v0.1 done: docker webhosts, smtp gateway 2022-01-01 19:24:52 +01:00			`path: /etc/ssh/sshd_config`
			`regexp: '#AddressFamily any'`
			`replace: 'AddressFamily inet'`

restart ssh after fucking with config 2022-04-16 21:03:00 +02:00			`- name: "Restart sshd"`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.service:`
restart ssh after fucking with config 2022-04-16 21:03:00 +02:00			`name: sshd`
use right keyword 2022-04-16 21:05:42 +02:00			`state: restarted`
fuck yaml and indentation 2022-04-16 19:55:29 +02:00			`...`