From f9e48a438a1ff6c975f88b70cc1dda5c422794a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torma=20Krist=C3=B3f?=
Date: Sat, 16 Apr 2022 21:00:08 +0200
Subject: [PATCH] ssh security in backup
---
 roles/backuphost/tasks/main.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/roles/backuphost/tasks/main.yaml b/roles/backuphost/tasks/main.yaml
index 07dd62c..5ca888a 100644
--- a/roles/backuphost/tasks/main.yaml
+++ b/roles/backuphost/tasks/main.yaml
@@ -11,4 +11,26 @@
 state: present
 password_lock: true
 shell: "/sbin/nologin"
+
+- name: Undefine AllowUsers
+ lineinfile:
+ state: absent
+ path: /etc/ssh/sshd_config
+ line: "AllowUsers tormakris ansible service-user"
+
+- name: Check if AllowUsers is defined
+ lineinfile:
+ state: absent
+ path: /etc/ssh/sshd_config
+ regexp: "^AllowUsers"
+ check_mode: true
+ changed_when: false
+ register: checkallowusers
+
+- name: Define AllowUsers if undefined
+ lineinfile:
+ state: present
+ path: /etc/ssh/sshd_config
+ line: "AllowUsers tormakris ansible backup"
+ when: checkallowusers.found == 0 ...
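Review bot: The "Undefine AllowUsers" and "Define AllowUsers if undefined" tasks rewrite /etc/ssh/sshd_config but neither notifies a handler, so the new AllowUsers allow-list is not enforced by sshd until something else restarts it, and an earlier "AllowUsers tormakris ansible service-user" line that was removed stays effectively in force for the running daemon until then. Each writing task should carry `notify: <restart-sshd handler name>` (the handler itself is not visible in this hunk) and, because a broken AllowUsers line can lock every operator out, `validate: "/usr/sbin/sshd -t -f %s"` so lineinfile refuses to commit a config sshd rejects. The guard `when: checkallowusers.found == 0` also means that an AllowUsers line with any other content (for example one that never listed service-user) is left untouched and `backup` is silently never granted access; a `regexp: "^AllowUsers"` on the defining task, replacing the line instead of skipping, would be the deterministic form. The hunk's trailing context line from the old file is not recoverable from the collapsed text.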