make sprachenatelier working..

2022-02-20 23:36:51 +01:00
parent 42c3774ca6
commit 1c57c66dca
87 changed files with 19196 additions and 1382 deletions
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -1,5 +1,54 @@
 ---

+
+# ---
+# Set some facts
+# ---
+
+- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
+  set_fact:
+    fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
+  when:
+    - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
+  set_fact:
+    fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
+  when:
+    - sshd_ciphers is defined and sshd_ciphers | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_macs 
+  set_fact:
+    fact_sshd_macs: "{{ sshd_macs | join (',') }}"
+  when:
+    - sshd_macs is defined and sshd_macs | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
+  set_fact:
+    fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
+  when:
+    - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
+  set_fact:
+    fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
+  when:
+    - sshd_allowed_users is defined and sshd_allowed_users | length > 0
+  tags:
+    - sshd-config
+
+# ---
+# Create new sshd_config
+# ---
+
 - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
  stat:
    path: /etc/ssh/sshd_config.ORIG
@ -24,6 +73,79 @@
    validate: 'sshd -f %s -T'
    #backup: yes
  notify: "Restart ssh"
+  when:
+    - ansible_facts['distribution'] == "Ubuntu"
  tags:
    - sshd-config

+
+- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: 'sshd -f %s -T'
+  notify: "Restart ssh"
+  when:
+    - create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] <= "10"
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Create/Update sshd_config for chrooted sftp_group from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: 'sshd -f %s -T -C user=sftp_users'
+  notify: "Restart ssh"
+  when:
+    - create_sftp_group is defined and create_sftp_group
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] <= "10"
+  tags:
+    - sshd-config
+
+
+- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^Subsystem\s+sftp(.+)$'
+    state: absent
+  check_mode: yes
+  changed_when: false
+  register: sshd_config_sftp
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Ensure directory '/etc/ssh/sshd_config.d' exists
+  file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] > "10"
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Create/Update file '/etc/ssh/sshd_config.d/50-sshd-local.conf' from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/50-sshd-local.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: "Restart ssh"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] > "10"
+  tags:
+    - sshd-config