Update..

2020-09-26 13:47:54 +02:00 · 2020-09-26 13:47:54 +02:00 · 52858bf02c
commit 52858bf02c
parent f78a7f3565
17 changed files with 2100 additions and 1021 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -15,6 +15,65 @@ locales:
 set_default_limit_nofile: false
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_ports:
  - 22
 sshd_listen_address:
   - '::'
   - '0.0.0.0'
 sshd_host_keys:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key
 sshd_max_startups: !!str "10:30:100"
 sshd_max_auth_tries: 3
 sshd_max_sessions: 10
 sshd_permit_root_login: !!str "yes"
 sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
 sshd_pubkey_authentication: !!str "yes"
 sshd_password_authentication: !!str "no"
 sshd_use_pam: !!str "yes"
 sshd_print_motd: !!str "no"
 # sshd_kexalgorithms
 #
 # Example:
 #    sshd_kexalgorithms:
 #      - curve25519-sha256@libssh.org
 #      - diffie-hellman-group-exchange-sha256
 #      - diffie-hellman-group14-sha1
 #
 sshd_kexalgorithms: {}
 # sshd_kexalgorithms
 #
 # Example:
 #    sshd_ciphers:
 #      - chacha20-poly1305@openssh.com
 #      - aes256-gcm@openssh.com
 #      - aes256-ctr
 sshd_ciphers: {}
 sshd_use_dns: !!str "no"
 sshd_allowed_users: {}
 # ==========
 # vars used by roles/common/tasks/apt.yml
 # ==========
@ -156,6 +215,7 @@ apt_initial_install_stretch:
  - quotatool
  - needrestart
  - socat
  - wakeonlan
 apt_initial_install_buster:
  - apt-transport-https
@ -268,6 +328,7 @@ apt_initial_install_buster:
  - quotatool
  - needrestart
  - socat
  - wakeonlan
 apt_initial_install_xenial:
  - apt-transport-https
@ -625,6 +686,17 @@ nfs_exports:
       - 192.168.63.0/24
     fs_encrypted: false
   - src: 192.168.82.10:/data/samba
     path: /data/samba
     mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
     export_opt: rw,fsid=0,root_squash,sync,subtree_check
     export_networks:
       - 192.168.82.0/24
       - 10.0.82.0/24
       - 10.1.82.0/24
       - 192.168.63.0/24
     fs_encrypted: false
 # ==========
 # vars used by roles/common/tasks/samba-install.yml
@ -634,6 +706,8 @@ apt_install_server_samba:
  - samba
  - nscd
 #  - winbind
 apt_install_client_samba:
  - samba-client
  - samba-common
@ -860,6 +934,9 @@ nis_user:
 samba_shares:
  - name: Transfer
    path: /data/samba/Transfer
    group_valid_users: transfer
    group_write_list: transfer
    user:
      - anna
      - buero
@ -872,6 +949,9 @@ samba_shares:
      - thomas
      - frauke
  - name: Verwaltung
    path: /data/samba/Verwaltung
    group_valid_users: verwaltung
    group_write_list: verwaltung
    user:
      - anna
      - jonas
@ -886,6 +966,9 @@ samba_shares:
      - thomas
      - frauke
  - name: Scans
    path: /data/samba/Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - anna
      - buero
@ -899,30 +982,57 @@ samba_shares:
      - thomas
      - frauke
  - name: Buero_Scans
    path: /data/samba/Scans/Buero_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - buero
  - name: Frauke_Scans
    path: /data/samba/Scans/Frauke_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - frauke
  - name: FSJ_Scans
    path: /data/samba/Scans/FSJ_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - fsj
  - name: Jibran_Scans
    path: /data/samba/Scans/Jibran_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - jibran
  - name: Julia_Scans
    path: /data/samba/Scans/Julia_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - julia
  - name: Maica_scans
    path: /data/samba/Scans/Maica_scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - maica
  - name: Thomas_Scans
    path: /data/samba/Scans/Thomas_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - thomas
  - name: Birgit_Scans
    path: /data/samba/Scans/Birgit_Scans
    group_valid_users: scans
    group_write_list: scans
    user:
      - birgit
  - name: Kamera
    path: /data/samba/Kamera
    group_valid_users: intern
    group_write_list: intern
    user:
      - anna
      - buero
@ -933,6 +1043,9 @@ samba_shares:
      - thomas
      - frauke
  - name: Install
    path: /data/samba/Install
    group_valid_users: intern
    group_write_list: intern
    user:
      - anna
      - buero
--- a/host_vars/192.168.82.20.yml
+++ b/host_vars/192.168.82.20.yml
@ -0,0 +1,67 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_max_auth_tries: 6
 sshd_permit_root_login: !!str "yes"
 sshd_password_authentication: !!str "yes"
 sshd_use_pam: !!str "no"
 sshd_print_motd: !!str "yes"
 # ==========
 # vars used by roles/common/tasks/nfs.yml
 # ==========
 nfs_server: 192.168.82.20
 # Set 'fs_encrypted' to true if filesystem lives on an encrypted
 # partition.
 #
 nfs_exports:
   - src: 192.168.82.20:/data/home
     path: /data/home
     mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
     export_opt: rw,fsid=0,root_squash,sync,subtree_check
     export_networks:
       - 192.168.82.0/24
       - 10.0.82.0/24
       - 10.1.82.0/24
       - 192.168.63.0/24
     fs_encrypted: false
   - src: 192.168.82.20:/data/samba
     path: /data/samba
     mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr
     export_opt: rw,fsid=0,root_squash,sync,subtree_check
     export_networks:
       - 192.168.82.0/24
       - 10.0.82.0/24
       - 10.1.82.0/24
       - 192.168.63.0/24
     fs_encrypted: false
 # ==========
 # vars used by roles/common/tasks/nis-install-server.yml
 # vars used by roles/common/tasks/nis-user.yml
 # vars used by roles/common/tasks/nis-install-client.yml
 # ==========
 # also used by template
 #    - yp.conf.j2
 nis_server_address: 192.168.82.10
--- a/host_vars/file-akb.akb.netz.yml
+++ b/host_vars/file-akb.akb.netz.yml
@ -1,3 +1,24 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_max_auth_tries: 6
 sshd_permit_root_login: !!str "yes"
 sshd_password_authentication: !!str "yes"
 sshd_use_pam: !!str "no"
 sshd_print_motd: !!str "yes"
--- a/host_vars/pcbuero1.flr.netz.yml
+++ b/host_vars/pcbuero1.flr.netz.yml
@ -1,37 +0,0 @@
 ---
 # ---
 # NFS
 # ---
 # ---
 # Samba / NIS
 # ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 sudoers_file_cmnd_aliases:
  - name: MOUNT 
    entry: '/bin/mount,/bin/umount,/usr/bin/smb4k_mount'
--- a/roles/common/files/etc/samba/users.map
+++ b/roles/common/files/etc/samba/users.map
@ -0,0 +1,18 @@
 # ############################################ #
 #          --------------------------          #
 #          ** DO NOT EDIT DIRECTLY **          #
 #          --------------------------          #
 #             Ansible managed file             #
 # ############################################ #
 # This file allows you to map usernames from the clients to the server.
 # Unix_name = SMB_name1 SMB_name2 ...
 #
 # See section 'username map' in the manual page of smb.conf for more
 # information.
 #
 # This file is _not_ included in the default configuration as it makes the
 # usage of an user named administrator impossible.
 root = admin administrator
--- a/roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf
+++ b/roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf
@ -1,3 +1,10 @@
 # ############################################ #
 #          --------------------------          #
 #          ** DO NOT EDIT DIRECTLY **          #
 #          --------------------------          #
 #             Ansible managed file             #
 # ############################################ #
 [Unit]
 DefaultDependencies=no
 Wants=rpcbind.target
--- a/roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
+++ b/roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
@ -1,3 +1,10 @@
 # ############################################ #
 #          --------------------------          #
 #          ** DO NOT EDIT DIRECTLY **          #
 #          --------------------------          #
 #             Ansible managed file             #
 # ############################################ #
 [Service]
 IPAddressAllow=192.168.0.0/16
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -1,5 +1,10 @@
 ---
 - name: Restart ssh
  service:
    name: ssh
    state: restarted
 - name: Renew nis databases
  shell: make -C /var/yp
  when: 
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@ -21,6 +21,8 @@
    owner: root
    group: root
    state: link
  when:
    - "groups['file_server']|string is search(inventory_hostname)"
  tags:
    - symlink-sh
@ -43,3 +45,28 @@
    - etc_systemd_system_conf.stat.exists == true
  tags:
    - systemd-nofiles
 - name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
  stat:
    path: /etc/security/limits.conf.ORIG
  register: etc_security_limits_conf_ORIG
  tags:
    - limits-conf
 - name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
  command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
  when: etc_security_limits_conf_ORIG.stat.exists == False
  tags:
    - limits-conf
 - name: (basic.yml) Create new sshd_config from template limits.conf.j2
  template:
    src: etc/security/limits.conf.j2
    dest: /etc/security/limits.conf
    owner: root
    group: root
    mode: 0644
  tags:
    - limits-conf
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -10,6 +10,13 @@
    - basic
 # tags supported inside sshd.yml
 #
 #    sshd-config
 - import_tasks: sshd.yml
  tags: sshd
 # tags supported inside apt.yml
 #
 #   apt-update
--- a/roles/common/tasks/nis-install-server.yml
+++ b/roles/common/tasks/nis-install-server.yml
@ -140,7 +140,7 @@
    mode: '0755'
    state: directory
  when:
-    - "groups['nfs_server']|string is search(inventory_hostname)"
+    - "groups['nis_server']|string is search(inventory_hostname)"
  tags:
    - nis-install
    - nis-install-server
--- a/roles/common/tasks/samba-install.yml
+++ b/roles/common/tasks/samba-install.yml
@ -35,6 +35,22 @@
    - samba-server
 - name: (samba-install.yml) Ensure file /etc/samba/users.map exists
  copy:
    src: "{{ role_path + '/files//etc/samba/users.map' }}"
    dest: /etc/samba/users.map
    owner: root
    group: root
    mode: 0644
  when:
    - "groups['samba_server']|string is search(inventory_hostname)"
  notify:
    - Restart smbd
    - Restart nmbd
  tags:
    - samba-server
 - name: (samba-install.yml) /etc/samba/smb.conf
  template:
    dest: /etc/samba/smb.conf
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -0,0 +1,28 @@
 ---
 - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
  stat:
    path: /etc/ssh/sshd_config.ORIG
  register: etc_sshd_sshd_config_ORIG
  tags:
    - sshd-config
 - name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
  command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
  when: etc_sshd_sshd_config_ORIG.stat.exists == False
  tags:
    - sshd-config
 - name: (sshd.yml) Create new sshd_config from template sshd_config.j2
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0644
    validate: 'sshd -f %s -T'
    #backup: yes
  notify: "Restart ssh"
  tags:
    - sshd-config
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
--- a/roles/common/templates/etc/samba/smb.conf.j2.BAK
+++ b/roles/common/templates/etc/samba/smb.conf.j2.BAK
--- a/roles/common/templates/etc/security/limits.conf.j2
+++ b/roles/common/templates/etc/security/limits.conf.j2
@ -0,0 +1,62 @@
 # {{ ansible_managed }}
 # /etc/security/limits.conf
 # 
 #Each line describes a limit for a user in the form:
 #
 #<domain>        <type>  <item>  <value>
 #
 #Where:
 #<domain> can be:
 #        - a user name
 #        - a group name, with @group syntax
 #        - the wildcard *, for default entry
 #        - the wildcard %, can be also used with %group syntax,
 #                 for maxlogin limit
 #        - NOTE: group and wildcard limits are not applied to root.
 #          To apply a limit to the root user, <domain> must be
 #          the literal username root.
 #
 #<type> can have the two values:
 #        - "soft" for enforcing the soft limits
 #        - "hard" for enforcing hard limits
 #
 #<item> can be one of the following:
 #        - core - limits the core file size (KB)
 #        - data - max data size (KB)
 #        - fsize - maximum filesize (KB)
 #        - memlock - max locked-in-memory address space (KB)
 #        - nofile - max number of open file descriptors
 #        - rss - max resident set size (KB)
 #        - stack - max stack size (KB)
 #        - cpu - max CPU time (MIN)
 #        - nproc - max number of processes
 #        - as - address space limit (KB)
 #        - maxlogins - max number of logins for this user
 #        - maxsyslogins - max number of logins on the system
 #        - priority - the priority to run user process with
 #        - locks - max number of file locks the user can hold
 #        - sigpending - max number of pending signals
 #        - msgqueue - max memory used by POSIX message queues (bytes)
 #        - nice - max nice priority allowed to raise to values: [-20, 19]
 #        - rtprio - max realtime priority
 #        - chroot - change root to directory (Debian-specific)
 #
 #<domain>      <type>  <item>         <value>
 #
 #*               soft    core            0
 #root            hard    core            100000
 #*               hard    rss             10000
 #@student        hard    nproc           20
 #@faculty        soft    nproc           20
 #@faculty        hard    nproc           50
 #ftp             hard    nproc           0
 #ftp             -       chroot          /ftp
 #@student        -       maxlogins       4
 *     -  nofile   1048576
 root  -  nofile   1048576
 # End of file
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -0,0 +1,349 @@
 # {{ ansible_managed }}
 #-----------------------------
 # Daemon
 #-----------------------------
 # What ports, IPs and protocols we listen for
 {% for item in sshd_ports %}
 Port {{ item }}
 {% endfor %}
 # Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
 # 
 #    ListenAddress host|IPv4_addr|IPv6_addr
 #    ListenAddress host|IPv4_addr:port
 #    ListenAddress [host|IPv6_addr]:port
 # 
 # If port is not specified, sshd will listen on the address and all Port options specified.  The default
 # is to listen on all local addresses.  Multiple ListenAddress options are permitted.
 #
 #    ListenAddress ::
 #    ListenAddress 0.0.0.0
 #    ListenAddress 159.69.72.24
 #    ListenAddress 2a01:4f8:231:171f::2
 #
 {% if (sshd_listen_address is defined) and sshd_listen_address %}
 {% for item in sshd_listen_address %}
 ListenAddress {{ item }}
 {% endfor %}
 {% endif %}
 # Specifies the protocol versions sshd(8) supports.
 # The possible values are ‘1’ , `2' and ‘1,2’.
 # The default is ‘2’.
 Protocol 2
 # HostKeys for protocol version 2
 {% for item in sshd_host_keys %}
 HostKey {{ item }}
 {% endfor %}
 # Lifetime and size of ephemeral version 1 server key
 #
 # Note:
 #    Deprecated option KeyRegenerationInterval
 #    Deprecated option ServerKeyBits
 #
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768
 # Specifies the maximum number of concurrent unauthenticated connections
 # to the SSH daemon. See sshd_config(5) for specifiing the three colon 
 # separated values.
 # The default is 10.
 #MaxStartups 10:30:100
 #MaxStartups 3
 MaxStartups {{ sshd_max_startups }}
 # Specifies the maximum number of authentication attempts permitted per
 # connection.
 # The default is 6.
 MaxAuthTries {{ sshd_max_auth_tries }}
 # Specifies the maximum number of open sessions permitted per network
 # connection.
 # The default is 10.
 MaxSessions {{ sshd_max_sessions }}
 #-----------------------------
 # Authentication
 #-----------------------------
 # Specifies whether sshd(8) separates privileges by creating an unprivileged
 # child process to deal with incoming network traffic.
 # The default is "yes" (for security).
 {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
 #
 # Note: (Release 7.5)
 #    Deprecated option UsePrivilegeSeparation
 #    Privilege separation has been on by default for almost 15 years
 #    sandboxing has been on by default for almost the last five
 #
 #UsePrivilegeSeparation sandbox
 {% else %}
 UsePrivilegeSeparation sandbox
 {% endif %}
 # The server disconnects after this time if the user has not
 # successfully logged in.
 # The default is 120 seconds.
 LoginGraceTime 120
 # Specifies whether root can log in using ssh(1).
 # The default is "yes".
 # Possible values: yes, no, prohibit-password (or teh older one: without-password)
 #PermitRootLogin yes
 PermitRootLogin {{ sshd_permit_root_login }}
 # Specifies whether sshd(8) should check file modes and ownership of the 
 # user's files and home directory before accepting login.  This is normally 
 # desirable because novices sometimes accidentally leave their directory or 
 # files world-writable. Note that this does not apply to ChrootDirectory, 
 # whose permissions and ownership are checked unconditionally.  
 # The default is “yes”.
 StrictModes yes
 # Specifies whether pure RSA authentication is allowed. This option 
 # applies to protocol version 1 only.
 # The default is “yes”.
 #
 # Note:
 #    Deprecated option RSAAuthentication
 #
 #RSAAuthentication yes
 # Specifies whether public key authentication is allowed. Note that this 
 # option applies to protocol version 2 only.
 # The default is “yes”.
 PubkeyAuthentication {{ sshd_pubkey_authentication }}
 # Specifies the file that contains the public keys that can be used for 
 # user authentication.  The format is described in the AUTHORIZED_KEYS FILE 
 # FORMAT section of sshd(8).
 # AuthorizedKeysFile may contain tokens of the form %T which are substituted
 # during connection setup. The following tokens are defined: %% is replaced 
 # by a literal '%', %h is replaced by the home directory of the user being 
 # authenticated, and %u is replaced by the username of that user. After 
 # expansion, AuthorizedKeysFile is taken to be an absolute path or one relative 
 # to the user's home directory. Multiple files may be listed, separated by 
 # whitespace.
 # The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
 AuthorizedKeysFile {{ sshd_authorized_keys_file }}
 # Specifies whether password authentication is allowed.
 # Change to no to disable tunnelled clear text passwords
 # The default is "yes".
 #PasswordAuthentication yes
 PasswordAuthentication {{ sshd_password_authentication }}
 # When password authentication is allowed, it specifies whether the 
 # server allows login to accounts with empty password strings.
 # The default is “no”.
 PermitEmptyPasswords no
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
 # The default is “yes”.
 ChallengeResponseAuthentication no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 #
 # Note:
 #    Deprecated option RhostsRSAAuthentication
 #
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
 # during RhostsRSAAuthentication or HostbasedAuthentication. 
 # The default is “no”.
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 # If specified, login is allowed only for user names that match one of
 # the patterns.
 # The allow/deny directives are processed in the following order: DenyUsers, 
 # AllowUsers, DenyGroups, and finally AllowGroups.
 # By default, login is allowed for all users.
 {% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
 AllowUsers {{ fact_sshd_allowed_users }}
 {% else %}
 #AllowUsers back chris sysadm cityslang christoph
 {% endif %}
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM {{ sshd_use_pam }}
 # Specifies whether login(1) is used for interactive login sessions.
 # Note that login(1) is never used for remote command execution. 
 # Note also, that if this is enabled, X11Forwarding will be disabled 
 # because login(1) does not know how to handle xauth(1) cookies. If
 # UsePrivilegeSeparation is specified, it will be disabled after 
 # authentication.
 # The default is “no”.
 #UseLogin no
 #-----------------------------
 # Cryptography
 #-----------------------------
 # Specifies the available KEX (Key Exchange) algorithms.
 # The default is:
 ## curve25519-sha256@libssh.org,
 ## ecdh-sha2-nistp256,
 ## ecdh-sha2-nistp384,
 ## ecdh-sha2-nistp521,
 ## diffie-hellman-group-exchange-sha256,
 ## diffie-hellman-group14-sha1.
 {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
 KexAlgorithms {{ fact_sshd_kexalgorithms }}
 {% else %}
 #KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 {% endif %}
 # Specifies the ciphers allowed for protocol version 2.
 # The default is:
 ## aes128-ctr,
 ## aes192-ctr,
 ## aes256-ctr,
 ## aes128-gcm@openssh.com,
 ## aes256-gcm@openssh.com,
 ## chacha20-poly1305@openssh.com.
 {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
 Ciphers {{ fact_sshd_ciphers }}
 {% else %}
 #Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 {% endif %}
 # Specifies the available MAC (message authentication code) algorithms.
 # The default is:
 ## umac-64-etm@openssh.com,
 ## umac-128-etm@openssh.com,
 ## hmac-sha2-256-etm@openssh.com,
 ## hmac-sha2-512-etm@openssh.com,
 ## umac-64@openssh.com,
 ## umac-128@openssh.com,
 ## hmac-sha2-256,
 ## hmac-sha2-512.
 {% if (fact_sshd_macs is defined) and fact_sshd_macs %}
 MACs {{ fact_sshd_macs }}
 {% else %}
 #MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 {% endif %}
 #-----------------------------
 # Logging
 #-----------------------------
 # Gives the facility code that is used when logging messages from sshd(8).  
 # The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 
 # LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
 # The default is AUTH.
 SyslogFacility AUTH
 # Gives the verbosity level that is used when logging messages from
 # sshd(8).
 # The default is INFO.
 LogLevel INFO
 #-----------------------------
 # Behavior
 #-----------------------------
 # Specifies whether the distribution-specified extra version suffix is included
 # during initial protocol handshake.
 # The default is "yes".
 DebianBanner no
 # The contents of the specified file are sent to the remote user before
 # authentication is allowed.
 # By default, no banner is displayed.
 #Banner /etc/issue.net
 # Specifies whether sshd(8) should print /etc/motd when a user logs in 
 # interactively. (On some systems it is also printed by the shell, 
 # /etc/profile, or equivalent.)  
 # The default is “yes”.
 PrintMotd {{ sshd_print_motd }}
 # Specifies what environment variables sent by the client will be copied
 # into the session's environ(7).
 # The default is not to accept any environment variables.
 AcceptEnv LANG LC_*
 # Configures an external subsystem (e.g. file transfer daemon).
 # By default no subsystems are defined.
 Subsystem sftp /usr/lib/openssh/sftp-server
 # Specifies whether sshd(8) should look up the remote host name and check 
 # that the resolved host name for the remote IP address maps back to the 
 # very same IP address.
 # The default is “yes”.
 UseDNS {{ sshd_use_dns }}
 # Specifies whether X11 forwarding is permitted. The argument must be 
 # “yes” or “no”. See sshd_config(5) for further expalnation
 # The default is “no”.
 #X11Forwarding yes
 # Specifies the first display number available for sshd(8)'s X11 
 # forwarding. This prevents sshd from interfering with real X11 servers.
 # The default is 10.
 X11DisplayOffset 10
 # Specifies whether the system should send TCP keepalive messages to the 
 # other side. If they are sent, death of the connection or crash of one 
 # of the machines will be properly noticed.  However, this means
 # that connections will die if the route is down temporarily, and some 
 # people find it annoying. On the other hand, if TCP keepalives are not 
 # sent, sessions may hang indefinitely on the server, leaving “ghost” users 
 # and consuming server resources.
 #
 # The default is “yes” (to send TCP keepalive messages), and the server 
 # will notice if the network goes down or the client host crashes. This 
 # avoids infinitely hanging sessions.
 TCPKeepAlive yes
 #Specifies whether sshd(8) should print the date and time of the last 
 # user login when a user logs in interactively.
 # The default is “yes”.
 PrintLastLog yes
 #-----------------------------
 # Kerberos options
 #-----------------------------
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #-----------------------------
 # GSSAPI options
 #-----------------------------
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes