ssh.yml
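---
# Play 1: pull in per-user variables before any host is modified.
# The imported file presumably defines values used by the next play
# (ansible_user, public_key_file) — confirm in tasks/import_user_vars.yml.
- name: Load vars
  hosts: all
  # Canonical boolean; the original `no` is a YAML 1.1 truthy alias that
  # yamllint flags and some parsers read as a string.
  gather_facts: false
  tasks:
    - import_tasks: tasks/import_user_vars.yml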
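# Play 2: create the login user, install its SSH public key, then harden sshd.
# Task order is deliberate: the authorized key is installed BEFORE password
# logins are disabled, so a failure part-way through cannot lock the operator
# out of the host.
- name: Add SSH keys
  hosts: all
  gather_facts: true
  vars_files:
    # Expected to provide sudo_password. Keep this file vault-encrypted; a
    # plaintext become password in VCS is equivalent to committing root.
    - files/secrets/secrets.yml
  vars:
    # Written as a mapping rather than a one-element list of dicts: the list
    # form of play `vars` is deprecated by Ansible and behaves the same here.
    ansible_become_pass: "{{ sudo_password }}"
  tasks:
    - import_tasks: tasks/import_os_vars.yml

    - name: SSH | Ensure sudo group exists
      become: true
      group:
        name: sudo
        state: present

    - name: SSH | Ensure user exists
      become: true
      user:
        name: "{{ ansible_user }}"
        # NOTE(review): `group` sets the user's *primary* group to sudo. If the
        # intent is only sudo membership, `groups: sudo` with `append: true` is
        # the usual form — kept as-is to preserve existing behaviour.
        group: sudo
        generate_ssh_key: true
        shell: "/bin/bash"
        state: present

    - name: SSH | Ensure ~/.ssh directory exists
      become: true
      file:
        # Quoted so the embedded Jinja expression is never mis-read by YAML.
        path: "/home/{{ ansible_user }}/.ssh"
        state: directory
        owner: "{{ ansible_user }}"
        # Quoted: a bare 0700 is parsed by YAML 1.1 as the integer 448.
        # Ansible tolerates that, but the string form is unambiguous.
        mode: "0700"

    - name: SSH | Allow Access
      become: true
      authorized_key:
        user: "{{ ansible_user }}"
        state: present
        # The file lookup reads public_key_file on the controller, not the target.
        key: "{{ lookup('file', public_key_file) }}"

    - name: SSH | Remove require tty
      become: true
      lineinfile:
        regexp: "requiretty"
        # `path` is the current name of the `dest` alias.
        path: "{{ item }}"
        state: absent
        # Refuse the edit unless the result parses: a malformed sudoers file
        # disables sudo for every account on the host, including the one this
        # play relies on for `become`.
        validate: "/usr/sbin/visudo -cf %s"
      loop:
        - /etc/sudoers
        - /etc/sudoers.d/os_defaults

    - name: SSH | Disable password-based authentication
      become: true
      lineinfile:
        line: "{{ item.line }}"
        path: /etc/ssh/sshd_config
        state: "{{ item.state }}"
        # Syntax-check the candidate config before it replaces the live one;
        # an sshd that fails to reload would otherwise reject new sessions.
        validate: "/usr/sbin/sshd -t -f %s"
      loop:
        - line: "PasswordAuthentication no"
          state: present
        - line: "PasswordAuthentication yes"
          state: absent
        - line: "PubkeyAuthentication yes"
          state: present
        - line: "ChallengeResponseAuthentication no"
          state: present
      notify: SSH Reload

  handlers:
    - name: SSH Reload
      become: true
      systemd:
        # NOTE(review): the unit is named `ssh` on Debian/Ubuntu and `sshd` on
        # RHEL-family systems — confirm against the OS vars imported above.
        name: sshd
        state: reloaded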