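---
# ---
# Set some facts
# ---
# Each fact flattens a list variable into the single scalar that the
# sshd_config.j2 template presumably interpolates (template not in view).
# sshd option lists (KexAlgorithms, Ciphers, MACs, HostKeyAlgorithms) are
# comma separated in sshd_config; AllowUsers is blank separated.

- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
  set_fact:
    fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
  when:
    - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
  tags:
    - sshd-config

- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
  set_fact:
    fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
  when:
    - sshd_ciphers is defined and sshd_ciphers | length > 0
  tags:
    - sshd-config

- name: (sshd.yml) Set fact_sshd_macs
  set_fact:
    fact_sshd_macs: "{{ sshd_macs | join (',') }}"
  when:
    - sshd_macs is defined and sshd_macs | length > 0
  tags:
    - sshd-config

# The value is built with join(',') — HostKeyAlgorithms is comma separated,
# so the task name now says so (it previously said "blank separated").
- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (comma separated list)
  set_fact:
    fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
  when:
    - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
  tags:
    - sshd-config

- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
  set_fact:
    fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
  when:
    - sshd_allowed_users is defined and sshd_allowed_users | length > 0
  tags:
    - sshd-config

# ---
# Create new sshd_config
# ---
# Every task that replaces a file sshd reads passes the rendered temp file
# (%s) through `sshd -f %s -T` before it is moved into place, so a bad
# template cannot leave the daemon unable to (re)start and lock out remote
# administration.

- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
  stat:
    path: /etc/ssh/sshd_config.ORIG
  register: etc_sshd_sshd_config_ORIG
  tags:
    - sshd-config

# One-time backup of the distribution-shipped file. cp -a keeps owner,
# mode and timestamps; the when guard keeps the task idempotent.
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
  command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
  when: not etc_sshd_sshd_config_ORIG.stat.exists
  tags:
    - sshd-config

# NOTE(review): this overwrites the whole file; on newer Ubuntu releases the
# distribution file carries an Include for /etc/ssh/sshd_config.d — confirm
# the template keeps (or deliberately drops) that line.
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: 'sshd -f %s -T'
    # backup: true
  notify: "Restart ssh"
  when:
    - ansible_facts['distribution'] == "Ubuntu"
  tags:
    - sshd-config

# distribution_major_version is a string fact; it is cast with | int before
# comparing, because the former string comparison ("9" <= "10" is false,
# "9" > "10" is true) routed Debian 9 to the sshd_config.d branch below.
# A non-numeric value (e.g. on testing/sid) casts to 0 and lands here.
- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: 'sshd -f %s -T'
  notify: "Restart ssh"
  when:
    - not (create_sftp_group | default(false))
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] | int <= 10
  tags:
    - sshd-config

# The chrooted-sftp variant of the template contains a Match block, so the
# validation run needs a connection spec (-C) to evaluate it.
- name: (sshd.yml) Create/Update sshd_config for chrooted sftp_group from template sshd_config.j2
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: 'sshd -f %s -T -C user=sftp_users'
  notify: "Restart ssh"
  when:
    - create_sftp_group | default(false)
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] | int <= 10
  tags:
    - sshd-config

# Read-only probe: check_mode plus changed_when false means the file is never
# touched and the task never reports a change; a later task presumably reads
# sshd_config_sftp.found — confirm against the consumer.
- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Subsystem\s+sftp(.+)$'
    state: absent
  check_mode: true
  changed_when: false
  register: sshd_config_sftp
  tags:
    - sshd-config

- name: (sshd.yml) Ensure directory '/etc/ssh/sshd_config.d' exists
  file:
    path: /etc/ssh/sshd_config.d
    state: directory
    mode: "0755"
    group: root
    owner: root
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] | int > 10
  tags:
    - sshd-config

# The drop-in is validated like the full-file variants above; without this,
# a broken fragment reached disk unchecked and surfaced only when the
# "Restart ssh" handler ran. The -C spec is appended only when the
# chrooted-sftp Match block is rendered, mirroring the Debian <= 10 tasks.
# NOTE(review): sshd applies the first value it reads for an option, so the
# fragment's settings presumably take precedence only if the main file
# Includes sshd_config.d before setting them — confirm on the target.
- name: (sshd.yml) Create/Update file '/etc/ssh/sshd_config.d/50-sshd-local.conf' from template sshd_config.j2
  template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config.d/50-sshd-local.conf
    owner: root
    group: root
    mode: "0644"
    validate: "sshd -f %s -T{{ ' -C user=sftp_users' if (create_sftp_group | default(false)) else '' }}"
  notify: "Restart ssh"
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] | int > 10
  tags:
    - sshd-config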