92 lines
2.1 KiB
YAML
92 lines
2.1 KiB
YAML
- name: Ensure SSH instalation
|
|
become: true
|
|
ansible.builtin.package:
|
|
name: '{{ system_ssh_package }}'
|
|
state: present
|
|
- name: Ensure .ssh exist for user
|
|
become: true
|
|
ansible.builtin.file:
|
|
state: directory
|
|
path: '/home/{{ item }}/.ssh'
|
|
owner: '{{ item }}'
|
|
mode: 0700
|
|
with_items:
|
|
- '{{ user.name }}'
|
|
- ansible
|
|
|
|
- name: Copy ssh config for user
|
|
become: true
|
|
ansible.builtin.template:
|
|
dest: '/home/{{ item }}/.ssh/config'
|
|
src: 'ssh/config.j2'
|
|
force: true
|
|
remote_src: false
|
|
mode: '600'
|
|
selevel: s0
|
|
owner: '{{ item }}'
|
|
with_items:
|
|
- '{{ user.name }}'
|
|
- ansible
|
|
- name: Ensure root ssh directory exist
|
|
become: true
|
|
ansible.builtin.file:
|
|
state: directory
|
|
path: '/root/.ssh'
|
|
owner: 'root'
|
|
mode: 0700
|
|
|
|
- name: Copy ssh config for root
|
|
become: true
|
|
ansible.builtin.copy:
|
|
dest: /root/.ssh/
|
|
src: 'ssh/config'
|
|
force: true
|
|
remote_src: false
|
|
mode: '600'
|
|
selevel: s0
|
|
owner: 'root'
|
|
|
|
- name: Ensure key directory exist
|
|
become: true
|
|
ansible.builtin.file:
|
|
state: directory
|
|
path: '{{ item.keyfile | dirname }}'
|
|
owner: '{{ item.user }}'
|
|
mode: 0700
|
|
with_items: '{{ privatekeytodeploy }}'
|
|
|
|
- name: Install ssh private key
|
|
become: true
|
|
ansible.builtin.copy:
|
|
content: '{{ item.privatekey }}'
|
|
dest: '{{ item.keyfile }}'
|
|
mode: 0600
|
|
owner: '{{ item.user }}'
|
|
with_items: '{{ privatekeytodeploy }}'
|
|
|
|
- name: Deploy SSH-Keys to remote host
|
|
ansible.posix.authorized_key:
|
|
user: '{{ item.user }}'
|
|
key: '{{ item.sshkey }}'
|
|
exclusive: false
|
|
with_items: '{{ keystodeploy }}'
|
|
become: true
|
|
|
|
- name: Les connexions par mot de passe sont désactivées
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^#?PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
state: present
|
|
notify: Restart sshd
|
|
|
|
- name: Remove root SSH access
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin'
|
|
line: 'PermitRootLogin no'
|
|
state: present
|
|
notify: Restart sshd
|