infra-ansible

ansible script to ship alpine/ssh/wireguard


commit b3d1d7f182450c3b9c4937c1fc59be6690dc3ed3
parent e8c1691764b58c1bcab544c37bbdb47e7e2a9501
Author: Jul <jul@9o.is>
Date:   Wed,  8 May 2024 16:41:35 +0800

change openssh port to 57123

Diffstat:
Ahost/group_vars/all | 1+
Dhost/roles/openssh/files/sshd_config | 33---------------------------------
Mhost/roles/openssh/tasks/main.yml | 9+++++++--
Ahost/roles/openssh/templates/sshd_config.j2 | 33+++++++++++++++++++++++++++++++++
4 files changed, 41 insertions(+), 35 deletions(-)

diff --git a/host/group_vars/all b/host/group_vars/all
@@ -0,0 +1 @@
+openssh_port: 57123
diff --git a/host/roles/openssh/files/sshd_config b/host/roles/openssh/files/sshd_config
@@ -1,33 +0,0 @@
-Port 2222
-AllowUsers user
-
-# Supported HostKey algorithms by order of preference.
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Specifies the available ciphers, kex, and mac algorithms.
-KexAlgorithms curve25519-sha256
-Ciphers chacha20-poly1305@openssh.com
-MACs hmac-sha2-512-etm@openssh.com
-
-# LogLevel VERBOSE logs user's key fingerprint on login
-# Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
-Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
-# Disable root user login
-PermitRootLogin no
-ChallengeResponseAuthentication no
-PasswordAuthentication no
-UsePAM no
-
-# Disable password-based login
-AuthenticationMethods publickey
-PubkeyAuthentication yes
-PermitEmptyPasswords no
-AuthorizedKeysFile .ssh/authorized_keys
-
-# Hide version
-DebianBanner no
-
diff --git a/host/roles/openssh/tasks/main.yml b/host/roles/openssh/tasks/main.yml
@@ -43,8 +43,8 @@
mode: '0644'
- name: configure sshd
- copy:
- src: sshd_config
+ template:
+ src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
@@ -52,3 +52,8 @@
validate: sshd -t -f %s
notify: restart sshd
+- name: enable sshd
+ service:
+ name: sshd
+ enabled: true
+
diff --git a/host/roles/openssh/templates/sshd_config.j2 b/host/roles/openssh/templates/sshd_config.j2
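Review bot: Rendering `Port {{ openssh_port }}` through the `configure sshd` task moves sshd from 2222 to 57123 the moment the retained `restart sshd` handler fires, yet the diffstat lists no inventory or firewall change, so if the control node's `ansible_port`, a host firewall allow rule or monitoring still points at 2222 (none is visible in this commit) the first connection after the handler runs is refused. A comment on the task, e.g. `# NOTE: changing openssh_port requires updating ansible_port (and any firewall rule) before the next run`, makes the one-time migration explicit, and defining `ansible_port: "{{ openssh_port }}"` next to the variable in group_vars keeps the two from drifting apart. The task's `validate` and `notify` keys fall in the next hunk, so its body continues outside this one.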
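Review bot: The new `enable sshd` task sets `enabled: true` without `state: started`, so it only affects the next boot; if sshd is not running when the play executes and `configure sshd` reports no change, nothing starts it, because `restart sshd` is only notified on change. Adding `state: started` under `service:` covers both cases and, together with the port change, is the line that guarantees the daemon is actually listening on 57123 when the run finishes. The `configure sshd` task whose tail opens this hunk begins outside it.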
@@ -0,0 +1,33 @@
+Port {{ openssh_port }}
+AllowUsers user
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Specifies the available ciphers, kex, and mac algorithms.
+KexAlgorithms curve25519-sha256
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com
+
+# LogLevel VERBOSE logs user's key fingerprint on login
+# Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Disable root user login
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+
+# Disable password-based login
+AuthenticationMethods publickey
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+AuthorizedKeysFile .ssh/authorized_keys
+
+# Hide version
+DebianBanner no
+
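Review bot: The template carries no generated-file marker, so an administrator who edits /etc/ssh/sshd_config by hand has the change silently overwritten on the next run; a first line `# {{ ansible_managed }}` documents where the file comes from. Separately, two lines carried over from the deleted static file look Debian-specific for a repository described as targeting Alpine: `DebianBanner no` is a keyword from the Debian openssh patch set that upstream sshd reports as a bad configuration option, and `/usr/lib/openssh/sftp-server` is Debian's sftp-server location, whereas Alpine installs it at `/usr/lib/ssh/sftp-server`. This is worth confirming against the real target, because the `sshd -t -f %s` validate step in tasks/main.yml fails the play on an unrecognised keyword, while a wrong Subsystem path only surfaces when the first sftp session is attempted.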