initial upload

roles/ssh/defaults/main.yml

@@ -0,0 +1,43 @@
+---
+
+ssh_client_settings:
+#  Host:
+#    - Host: "*"
+#      SendEnv: LANG LC_*
+#      HashKnownHosts: yes
+  ForwardAgent: yes
+  HashKnownHosts: yes
+
+
+ssh_server_settings:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  PermitRootLogin: prohibit-password
+  PubkeyAuthentication: yes
+  PermitEmptyPasswords: no
+  AuthenticationMethods publickey,keyboard-interactive
+  ChallengeResponseAuthentication: yes
+  PasswordAuthentication: no
+  X11Forwarding: no
+  PrintMotd: no
+  PrintLastLog: yes
+  AcceptEnv: LANG LC_*
+  Subsystem:
+    - sftp /usr/lib/openssh/sftp-server
+  UsePAM: yes
+
+  # Hardened cipher list
+  KexAlgorithms: curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+  Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+  MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+  HostKeyAlgorithms: ssh-rsa,ssh-ed25519
+
+#  Match:
+#    - Match: "*"
+#      AllowAgentForwarding: yes

roles/ssh/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Restart SSH
+  service: name=ssh state=restarted

roles/ssh/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+# Tasks to install and configure OpenSSH
+
+- name: Make sure the SSH server and client packages are installed
+  apt:
+    pkg:
+      - openssh-client
+      - openssh-server
+    state: present
+  tags: ssh
+
+- name: Configure the SSH Client
+  template:
+    src: etc_ssh_ssh_config.j2
+    dest: /etc/ssh/ssh_config
+    owner: root
+    group: root
+    mode: 0644
+  tags: ssh
+
+- name: Configure the SSH Server
+  template:
+    src: etc_ssh_sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart SSH
+  tags: ssh
+
+#- name: Update ssh_known_hosts
+#  lineinfile:
+#    dest: /etc/ssh/ssh_known_hosts
+#    regexp: "^{{ hostvars[item].ansible_hostname }},"
+#    line: >
+#      {{ hostvars[item].ansible_hostname }},{{ hostvars[item].ansible_fqdn }},{{ hostvars[item].ansible_default_ipv4.address }}
+#      ssh-rsa {{ hostvars[item].ansible_ssh_host_key_rsa_public }}
+#    state: present
+#    create: yes
+#    owner: root
+#    group: root
+#    mode: 0644
+#  with_items: "{{ groups.all|sort }}"
+#  when: item in hostvars
+#  tags: ssh

roles/ssh/templates/etc_ssh_ssh_config.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# See the ssh_config(5) manpage for details
+
+{% from 'ssh_common.j2' import ssh_config with context %}
+{% call ssh_config(ssh_client_settings) %}{% endcall %}
+
+# EOF

roles/ssh/templates/etc_ssh_sshd_config.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# See the sshd_config(5) manpage for details
+
+{% from 'ssh_common.j2' import ssh_config with context %}
+{% call ssh_config(ssh_server_settings) %}{% endcall %}
+
+# EOF

roles/ssh/templates/ssh_common.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+{% macro ssh_config(settings, caller='') %}
+{% set sections = ('Host', 'Match') %}
+
+{%- for key, value in settings|dictsort if key not in sections %}
+{% if value is sequence and value is not string %}
+{% for item in value %}
+{{ key }} {{ item }}
+{% endfor %}
+{% else %}
+{{ key }} {{ ['no','yes'][value|int] if value in (False,True) else value }}
+{% endif %}
+{% endfor %}
+
+{%- for section in sections if section in settings %}
+
+{% for item in settings[section] %}
+{{ section }} {{ item[section] }}
+{% for key, value in item|dictsort if key != section %}
+    {{ key }} {{ ['no','yes'][value|int] if value in (False,True) else value }}
+{% endfor %}
+{% endfor %}
+{% endfor -%}
+
+{% endmacro %}