Merge pull request #85 from richlamdev/fix-ssh-config

richlamdev · web-flow · commit f958ee6255ca · 2025-01-17T21:29:55.000-08:00
fix ssh configuration deployment
diff --git a/main.yml b/main.yml
@@ -9,26 +9,26 @@
     - vars.yml
 
   roles:
-    # - auto-update
-    # - base
-    # - aws
-    # - brave
-    # - chrome
-    # # - docker-cli-only
-    # - docker-desktop-dependency
-    # - gh_cli
-    # - hashicorp
-    # - keepassxc
-    # - kubectl
-    # - microsoft
+    - auto-update
+    - base
+    - aws
+    - brave
+    - chrome
+    # - docker-cli-only
+    - docker-desktop-dependency
+    - gh_cli
+    - hashicorp
+    - keepassxc
+    - kubectl
+    - microsoft
     - mullvad
-    # - opera
-    # - signal-desktop
-    # - sublime-text
-    # - trivy
+    - opera
+    - signal-desktop
+    - sublime-text
+    - trivy
     - role: vim
       become: false
     - role: env
       become: false
-    # - disable-local-dns
+    - disable-local-dns
     # - yubico
diff --git a/roles/base/files/ssh_config.conf b/roles/base/files/ssh_config.conf
@@ -0,0 +1,8 @@
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+PubkeyAuthentication yes
+TCPKeepAlive yes
+ServerAliveInterval 600
+ServerAliveCountMax 5
diff --git a/roles/base/files/sshd_config.conf b/roles/base/files/sshd_config.conf
@@ -0,0 +1,39 @@
+Port 22
+Protocol 2
+PermitRootLogin no
+PermitUserEnvironment yes
+UseDNS no
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+GatewayPorts no
+PermitTunnel no
+AddressFamily inet
+
+HostBasedAuthentication no
+IgnoreUserKnownHosts yes
+GSSAPIAuthentication no
+KerberosAuthentication no
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+TCPKeepAlive yes
+ClientAliveInterval 600
+ClientAliveCountMax 5
+
+X11Forwarding no
+
+# Logging
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+PubkeyAuthentication yes
+
+# Change below to "yes" to enable password auth
+ChallengeResponseAuthentication no
+PasswordAuthentication no
diff --git a/roles/base/tasks/authentication.yml b/roles/base/tasks/authentication.yml
@@ -1,18 +1,58 @@
 ---
-# SSH server and client config changes
-- name: authentication | sshd_config
-  template:
-    src: "sshd_config.j2"
-    dest: "/etc/ssh/sshd_config"
-    mode: 0644
+- name: Find all files in /etc/ssh/sshd_config.d/
+  ansible.builtin.find:
+    paths: /etc/ssh/sshd_config.d/
+    file_type: file
+  register: sshd_config_files
+
+- name: Remove all files in /etc/ssh/sshd_config.d/
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ sshd_config_files.files }}"
+  when: sshd_config_files.matched > 0
+
+- name: Ensure /etc/ssh/sshd_config.d/ directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d/
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Copy custom sshd_config.conf to /etc/ssh/sshd_config.d/
+  ansible.builtin.copy:
+    src: "sshd_config.conf"
+    dest: /etc/ssh/sshd_config.d/
+    owner: root
+    group: root
+    mode: '0644'
+
+
+- name: Remove all files in /etc/ssh/ssh_config.d but keep the directory
+  ansible.builtin.find:
+    paths: /etc/ssh/ssh_config.d/
+    file_type: file
+  register: files_to_remove
+
+- name: Delete files in /etc/ssh/ssh_config.d
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ files_to_remove.files }}"
+
+- name: Ensure /etc/ssh/ssh_config.d/ directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/ssh_config.d/
+    state: directory
     owner: root
     group: root
-  notify: reload sshd
+    mode: '0755'
 
-- name: authentication | ssh_config
-  template:
-    src: "ssh_config.j2"
-    dest: "/etc/ssh/ssh_config"
-    mode: 0644
+- name: Copy ssh_config to /etc/ssh/ssh_config.d/
+  ansible.builtin.copy:
+    src: "ssh_config.conf"
+    dest: /etc/ssh/ssh_config.d/
     owner: root
     group: root
+    mode: '0644'
