47 lines
1.2 KiB
YAML
47 lines
1.2 KiB
YAML
---
|
|
- name: Disable password authentication
|
|
ansible.builtin.replace:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: 'PasswordAuthentication yes'
|
|
replace: 'PasswordAuthentication no'
|
|
|
|
- name: Disable root authentication
|
|
ansible.builtin.replace:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '#PermitRootLogin prohibit-password'
|
|
replace: 'PermitRootLogin no'
|
|
|
|
- name: Disable X11 forwarding
|
|
ansible.builtin.replace:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: 'X11Forwarding yes'
|
|
replace: 'X11Forwarding no'
|
|
|
|
- name: Explicitly only listen on ipv4
|
|
ansible.builtin.replace:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '#AddressFamily any'
|
|
replace: 'AddressFamily inet'
|
|
|
|
- name: Check if AllowUsers is defined
|
|
ansible.builtin.lineinfile:
|
|
state: absent
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^AllowUsers"
|
|
check_mode: true
|
|
changed_when: false
|
|
register: checkallowusers
|
|
|
|
- name: Define AllowUsers if undefined
|
|
ansible.builtin.lineinfile:
|
|
state: present
|
|
path: /etc/ssh/sshd_config
|
|
line: "AllowUsers tormakris ansible service-user"
|
|
when: checkallowusers.found == 0
|
|
|
|
- name: "Restart sshd"
|
|
ansible.builtin.service:
|
|
name: sshd
|
|
state: restarted
|
|
...
|