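---
# Fail fast, before any sshd_config edit is made, if a required variable is
# missing. Every variable listed here is referenced unconditionally by a later
# task in this file (sshd_user_accounts by include_vars, sshd_permit_root_login
# by the root-login `when`, sshd_port by the Port task), so a missing one would
# otherwise abort the play half-way through and leave sshd_config only partly
# hardened.
- name: Ensure mandatory variables are configured
  assert:
    # Templated into a bare conditional such as "sshd_port is defined".
    # If a newer ansible-core rejects templating delimiters inside `that`,
    # the delimiter-free equivalent is "vars[item] is defined".
    that: "{{ item }} is defined"
    fail_msg: "You must define the '{{ item }}' variable"
  loop:
    - sshd_user_accounts
    - sshd_permit_root_login
    - sshd_port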
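# Explicitly disable root login over SSH unless the caller opted in.
# The `| bool` matters: a value supplied via `-e`/extra-vars arrives as the
# *string* "no", and `not "no"` evaluates to false, so the bare test would
# silently skip this hardening. With the filter, "no"/"false"/"0" all disable
# root login. When sshd_permit_root_login is truthy the task is skipped and
# whatever PermitRootLogin value is already in the file is left untouched.
- name: Disable root SSH login
  lineinfile:
    path: /etc/ssh/sshd_config
    # Column-0 match only, so an indented override inside a `Match` block is
    # not touched; if several lines match, lineinfile replaces the last one.
    regexp: "^#?PermitRootLogin"
    line: PermitRootLogin no
    # Syntax-check the candidate file before it replaces sshd_config, so a
    # malformed edit cannot take sshd down when the handler restarts it.
    validate: "sshd -t -f %s"
  when: not (sshd_permit_root_login | bool)
  notify: Restart SSH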
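# Disable password authentication so only key-based (or other non-password)
# methods remain. Two caveats a maintainer should keep in mind:
#  * sshd honours the *first* value it reads for a keyword. If the distro's
#    sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu
#    22.04+ ships one, and cloud-init drops a file there that sets
#    PasswordAuthentication yes), that drop-in wins over the line managed
#    here. Confirm the effective value on a target with
#    `sshd -T | grep -i passwordauthentication`.
#  * The regexp matches at column 0 only, so an indented override inside a
#    `Match` block is left as it is.
- name: Do not allow SSH access using passwords
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: PasswordAuthentication no
    # Reject a malformed candidate before it replaces the live config.
    validate: "sshd -t -f %s"
  notify: Restart SSH

# PasswordAuthentication governs only the plain "password" method. With
# UsePAM yes, sshd can still prompt for a password through the
# keyboard-interactive method unless that is disabled too, which defeats the
# intent of the task above. ChallengeResponseAuthentication is the keyword
# every OpenSSH release accepts for this (since 8.7 it is an alias of
# KbdInteractiveAuthentication); both spellings are matched so an existing
# line under either name is replaced rather than duplicated.
- name: Do not allow keyboard-interactive (PAM) password prompts
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?(ChallengeResponse|KbdInteractive)Authentication"
    line: ChallengeResponseAuthentication no
    validate: "sshd -t -f %s"
  notify: Restart SSH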
# Load the vars file whose path the caller supplied in sshd_user_accounts.
# The tasks that follow reference `members`, so this file is presumably
# where that list is defined — verify against the role's example vars.
# Tagged molecule-notest because the Molecule scenario loads the same file
# from converge.yml.
- name: Include resource variables
  include_vars:
    file: "{{ sshd_user_accounts }}"
  tags:
    # Note(d1): we already load in converge.yml so skip here
    - molecule-notest
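# Guard the AllowUsers task that follows: an empty `members` would render an
# `AllowUsers` line with no patterns, which either makes sshd reject the
# config or matches nobody — in both cases remote access is lost. Fail here,
# before sshd_config is touched.
- name: Ensure the SSH member list is present and non-empty
  assert:
    that:
      - members is defined
      - members | length > 0
    fail_msg: "'members' must be a non-empty list (expected from sshd_user_accounts)"

# Flatten the member records into the space-separated form AllowUsers expects.
# Each entry must carry a `username` key (map() fails otherwise). Names are
# joined verbatim, so a username containing whitespace or glob characters
# (* or ?) would become additional AllowUsers patterns; the list is assumed
# to come from the role's own trusted vars file, not from untrusted input.
- name: Register the list of members
  set_fact:
    members_list: "{{ members | map(attribute='username') | list | join(' ') }}"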
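# Restrict interactive logins to the users collected in members_list.
# AllowUsers directives are cumulative in sshd, so a stray AllowUsers line
# elsewhere — a drop-in under /etc/ssh/sshd_config.d/ pulled in by an Include,
# or an indented one inside a `Match` block that the column-0 regexp does not
# match — would widen the allow list beyond `members`.
- name: "Only allow logins from {{ members_list }}"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ members_list }}"
    # Reject a malformed candidate (e.g. an invalid pattern) before it
    # replaces the live config and the handler restarts sshd.
    validate: "sshd -t -f %s"
  notify: Restart SSH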
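# Move sshd to the configured port. Changing the port on its own can lock
# you out: a host firewall (firewalld/ufw/nftables) must admit the new port
# and, on SELinux systems, the port must be labelled ssh_port_t
# (`semanage port -a -t ssh_port_t -p tcp <port>`) before the handler restarts
# sshd. Neither is handled in this file. `validate` at least rejects a
# non-numeric or out-of-range sshd_port before it reaches the live config.
- name: "Set SSH port to {{ sshd_port }}"
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?Port"
    line: "Port {{ sshd_port }}"
    validate: "sshd -t -f %s"
  notify: Restart SSH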