feat(openssh): add ansible role

2025-04-26 20:07:43 +02:00
parent e27eb145f1
commit 115cfa8236
11 changed files with 136 additions and 0 deletions
--- a/roles/openssh/README.md
+++ b/roles/openssh/README.md
@@ -0,0 +1,13 @@
+# `finallycoffee.base.openssh`
+
+Ansible role to manage and configure openssh and it's components (like `sshd`).
+
+Currently supports `fedora` and `debian` linux distributions.
+
+## `sshd`
+
+To configure `sshd`, see the [`defaults/main/sshd.yml`](defaults/main/sshd.yml),
+where snake\_cased config keys for `/etc/ssh/sshd_config` are available in
+the `openssh_sshd_config_` namespace.
+
+To add your own config on top, simply use key-value syntax in `openssh_sshd_config`.
--- a/roles/openssh/defaults/main/main.yml
+++ b/roles/openssh/defaults/main/main.yml
@@ -0,0 +1,3 @@
+---
+openssh_state: 'present'
+openssh_sshd_config_file: "/etc/ssh/sshd_config"
--- a/roles/openssh/defaults/main/packages.yml
+++ b/roles/openssh/defaults/main/packages.yml
@@ -0,0 +1,8 @@
+---
+openssh_packages:
+  fedora: "{{ openssh_fedora_packages }}"
+  debian: "{{ openssh_debian_packages }}"
+openssh_fedora_packages:
+  - "openssh-server"
+openssh_debian_packages:
+  - "openssh-server"
--- a/roles/openssh/defaults/main/sshd.yml
+++ b/roles/openssh/defaults/main/sshd.yml
@@ -0,0 +1,33 @@
+---
+openssh_sshd_enable: true
+openssh_sshd_config_pubkey_authentication: true
+openssh_sshd_config_password_authentication: false
+openssh_sshd_config_challenge_response_authentication: false
+openssh_sshd_config_permit_root_login: false
+
+# Limits
+openssh_sshd_config_max_sessions: ~
+openssh_sshd_config_max_startups: ~
+
+# Hardening
+openssh_sshd_config_protocol: 2
+openssh_sshd_config_x11_forwarding: false
+openssh_sshd_config_allow_agent_forwarding: false
+openssh_sshd_config_allow_tcp_forwarding: false
+
+openssh_sshd_default_config:
+  PubkeyAuthentication: "{{ openssh_sshd_config_pubkey_authentication }}"
+  PasswordAuthentication: "{{ openssh_sshd_config_password_authentication }}"
+  ChallengeResponseAuthentication: >-2
+    {{ openssh_sshd_config_challenge_response_authentication }}
+  PermitRootLogin: "{{ openssh_sshd_config_permit_root_login }}"
+  MaxSessions: "{{ openssh_sshd_config_max_sessions }}"
+  MaxStartups: "{{ openssh_sshd_config_max_startups }}"
+  Protocol: "{{ openssh_sshd_config_protocol }}"
+  X11Forwarding: "{{ openssh_sshd_config_x11_forwarding }}"
+  AllowAgentForwarding: "{{ openssh_sshd_config_allow_agent_forwarding }}"
+  AllowTcpForwarding: "{{ openssh_sshd_config_allow_tcp_forwarding }}"
+
+openssh_sshd_merged_config: >-2
+  {{ openssh_sshd_default_config | default({}, true)
+     | combine(openssh_sshd_config | default({}, true)) }}
--- a/roles/openssh/defaults/main/systemd.yml
+++ b/roles/openssh/defaults/main/systemd.yml
@@ -0,0 +1,2 @@
+---
+openssh_sshd_systemd_service_name: "sshd.service"
--- a/roles/openssh/handlers/main.yml
+++ b/roles/openssh/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Ensure sshd is reloaded
+  ansible.builtin.systemd_service:
+    name: "{{ openssh_sshd_systemd_service_name }}"
+    state: "reloaded"
+  when: ansible_facts['service_mgr'] == 'systemd'
+  listen: openssh_sshd_reload
--- a/roles/openssh/tasks/configure-sshd.yml
+++ b/roles/openssh/tasks/configure-sshd.yml
@@ -0,0 +1,28 @@
+---
+- name: Configure sshd
+  ansible.builtin.lineinfile:
+    path: "{{ openssh_sshd_config_file }}"
+    regexp: "{{ openssh_sshd_config_regexp }}"
+    line: "{{ openssh_sshd_config_line }}"
+    firstmatch: true
+    state: present
+    validate: "sshd -Tf %s"
+  loop: "{{ openssh_sshd_merged_config | dict2items }}"
+  loop_control:
+    loop_var: "tuple"
+    label: "{{ tuple.key }}"
+  notify:
+    - openssh_sshd_reload
+  vars:
+    openssh_sshd_config_regexp: "^\\s*#?\\s*{{ tuple.key }}"
+    openssh_sshd_config_line: >-2
+      {{ openssh_sshd_config_line_commented }}{{ tuple.key }} {{ openssh_sshd_config_value }}
+    openssh_sshd_config_value_is_none: "{{ tuple.value is none }}"
+    openssh_sshd_config_line_commented: >-2
+      {{ openssh_sshd_config_value_is_none | ternary('#', '') }}
+    openssh_sshd_config_value: >-2
+      {{ (tuple.value is boolean) | ternary(
+           tuple.value | ternary('yes', 'no'),
+           tuple.value
+         )
+      }}
--- a/roles/openssh/tasks/install.yml
+++ b/roles/openssh/tasks/install.yml
@@ -0,0 +1,16 @@
+---
+- name: Ensure openssh server package is {{ openssh_state }} (dnf)
+  ansible.builtin.dnf:
+    name: "{{ openssh_packages[ansible_distribution | lower] }}"
+    state: "{{ openssh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
+    - ansible_distribution | lower in openssh_packages.keys()
+
+- name: Ensure openssh server package is {{ openssh_state }} (apt)
+  ansible.builtin.apt:
+    package: "{{ openssh_packages[ansible_distribution | lower] }}"
+    state: "{{ openssh_state }}"
+  when:
+    - ansible_facts['pkg_mgr'] in ['apt']
+    - ansible_distribution | lower in openssh_packages.keys()
--- a/roles/openssh/tasks/main.yml
+++ b/roles/openssh/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Ensure 'openssh_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Invalid value '{{ openssh_state }}' for 'openssh_state'.
+      Valid values are {{ openssh_states | join(', ') }}!
+  when: openssh_state not in openssh_states
+
+- name: Ensure openssh is {{ openssh_state }}
+  ansible.builtin.include_tasks:
+    file: "install.yml"
+
+- name: Ensure sshd is configured
+  ansible.builtin.include_tasks:
+    file: "configure-sshd.yml"
--- a/roles/openssh/vars/main.yml
+++ b/roles/openssh/vars/main.yml
@@ -0,0 +1,4 @@
+---
+openssh_states:
+  - "present"
+  - "absent"