From 855b8ff8dc9a06233d394284e421b2a7fa77e6bf Mon Sep 17 00:00:00 2001
From: Someone <someone@somenet.org>
Date: Mon, 5 Aug 2024 19:34:51 +0200
Subject: [PATCH] [roles/base/ssh] install + update sshd

---
 roles/base/ssh/files/default/sshd_config | 128 +++++++++++++++++++++++
 roles/base/ssh/handlers/main.yml         |  13 +++
 roles/base/ssh/tasks/main.yml            |  44 ++++++++
 3 files changed, 185 insertions(+)
 create mode 100644 roles/base/ssh/files/default/sshd_config
 create mode 100644 roles/base/ssh/handlers/main.yml
 create mode 100644 roles/base/ssh/tasks/main.yml

diff --git a/roles/base/ssh/files/default/sshd_config b/roles/base/ssh/files/default/sshd_config
new file mode 100644
index 0000000..a819915
--- /dev/null
+++ b/roles/base/ssh/files/default/sshd_config
@@ -0,0 +1,128 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 2
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Disabled ECDSA/NIST curves.
+KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Allow sudoers to login with a password.
+Match group sudo
+    PasswordAuthentication yes
diff --git a/roles/base/ssh/handlers/main.yml b/roles/base/ssh/handlers/main.yml
new file mode 100644
index 0000000..8bc0edd
--- /dev/null
+++ b/roles/base/ssh/handlers/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+---
+- name: restart sshd.service
+  systemd:
+    name: ssh.service
+    daemon_reload: yes
+    state: restarted
+  ignore_errors: yes
diff --git a/roles/base/ssh/tasks/main.yml b/roles/base/ssh/tasks/main.yml
new file mode 100644
index 0000000..26c80d9
--- /dev/null
+++ b/roles/base/ssh/tasks/main.yml
@@ -0,0 +1,44 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+---
+- name: install sshd
+  apt:
+    pkg:
+    - openssh-server
+    state: present
+    policy_rc_d: 101
+  tags: "online"
+  ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: copy sshd config
+  copy:
+    src: "{{item}}"
+    dest: "/etc/ssh/sshd_config"
+    mode: 0644
+    owner: "root"
+    group: "root"
+    validate: /usr/sbin/sshd -t -f %s
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sshd_config"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sshd_config"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sshd_config"
+    - "default/sshd_config"
+  notify: restart sshd.service
+
+
+- name: ensure group sudo exists - sudoers can use pw to login
+  group:
+    name: sudo
+    system: yes
+    state: present
+
+
+- name: enable and start ssh.service
+  include_role: name="base/systemd/enable-and-start"
+  vars:
+    service_name: ssh.service
-- 
2.43.0