init

.ansible-lint.yml

@@ -0,0 +1,4 @@
+---
+skip_list:
+  - fqcn-builtins
+  - experimental

.drone.yml

@@ -0,0 +1,16 @@
+----
+kind: pipeline
+name: default
+steps:
+  - name: integration test
+    image: python:3.9-buster
+    environment:
+      REMOTE_USER: molecule
+      HCLOUD_TOKEN:
+        from_secret: HCLOUD_TOKEN
+    commands:
+      - apt update && apt install -y pwgen
+      - mkdir -p /root/.ansible/roles && ln -sr . /root/.ansible/roles/autonomic.sshd
+      - export INSTANCE_UUID=$(pwgen 8 1)
+      - pip install -r requirements.txt
+      - molecule test

.envrc.sample

@@ -0,0 +1,18 @@
+# Your username that you use for accounts on our machines.
+export REMOTE_USER=
+export ANSIBLE_USER=$REMOTE_USER
+
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=
+
+# The Hetzner Cloud API token for managing our instances
+# Uncomment the prod/test line below depending on what you're doing
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/prod/api_key)
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/test/api_key)
+export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)
+
+# For molecule role testing
+export INSTANCE_UUID=$RANDOM
+
+# So molecule will show credentials in the logs
+export MOLECULE_NO_LOG=False

.yamllint.yml

@@ -0,0 +1,16 @@
+---
+extends: default
+
+yaml-files:
+  - "*.yaml"
+  - "*.yml"
+
+ignore: |
+  .venv
+  .drone.yml
+
+rules:
+  line-length: disable
+  braces:
+    max-spaces-inside: 1
+    level: error

LICENSE

@@ -0,0 +1,15 @@
+autonomic.sshd: Configures an SSH server securely
+Copyright (C) 2022  Autonomic Co-operative <helo@autonomic.zone>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.

README.md

@@ -0,0 +1,3 @@
+# autonomic.sshd
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.sshd/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.sshd)

defaults/main.yml

@@ -0,0 +1,3 @@
+---
+sshd_permit_root_login: false
+sshd_port: 222

handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart SSH
+  become: true
+  service:
+    name: ssh
+    state: restarted

meta/main.yml

@@ -0,0 +1,14 @@
+---
+dependencies: []
+galaxy_info:
+  role_name: sshd
+  namespace: autonomic
+  author: autonomic
+  description: Configures an SSH server securely
+  company: Autonomic
+  license: GPLv3
+  min_ansible_version: 2.9
+  platforms:
+    - name: Debian
+      versions:
+        - buster

molecule/default/converge.yml

@@ -0,0 +1,10 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    # Note(decentral1se): otherwise, we lock ourselves
+    # out during our test run and that is absolutely no bueno
+    sshd_permit_root_login: true
+    sshd_port: 22
+  roles:
+    - role: autonomic.sshd

molecule/default/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+
+driver:
+  name: hetznercloud
+
+platforms:
+  - name: "autonomic.sshd-${INSTANCE_UUID}"
+    server_type: cx11
+    image: debian-10
+
+provisioner:
+  name: ansible
+
+lint: |
+  set -e
+  yamllint -c .yamllint.yml .
+  ansible-lint --exclude .drone.yml -c .ansible-lint.yml .

requirements.txt

@@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1

tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: Disable root SSH login
+  lineinfile:
+    line: PermitRootLogin no
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+  when: not sshd_permit_root_login
+  notify: Restart SSH
+
+- name: Do not allow SSH access using passwords
+  lineinfile:
+    line: PasswordAuthentication no
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication"
+  notify: Restart SSH
+
+- name: Include the resource variables
+  include_vars: "{{ role_path }}/../../resources/{{ lookup('env', 'MEMBERS_FILE') | default('members.yml', True) }}"
+
+- name: Register the list of autonomic members
+  set_fact:
+    members_list: "{{ autonomic_members | map(attribute='username') | list | join(' ') }}"
+
+- name: "Only allow logins from {{ members_list }}"
+  lineinfile:
+    line: "AllowUsers {{ members_list }}"
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?AllowUsers"
+  notify: Restart SSH
+
+- name: "Set SSH port to {{ sshd_port }}"
+  lineinfile:
+    line: "Port {{ sshd_port }}"
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?Port"
+  notify: Restart SSH