Add initial_install/roles/ssh_hardening/tasks/main.yml

initial_install/roles/ssh_hardening/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: Detect if system is Proxmox
+  ansible.builtin.stat:
+    path: /usr/bin/pveversion
+  register: proxmox_check
+
+- name: Ensure sshd_config.d exists
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+
+- name: Deploy SSH hardening config
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
+    mode: '0644'
+    content: |
+      PasswordAuthentication no
+      ChallengeResponseAuthentication no
+      PubkeyAuthentication yes
+      AuthenticationMethods publickey
+      UsePAM yes
+
+      {% if not proxmox_check.stat.exists %}
+      PermitRootLogin no
+      {% else %}
+      PermitRootLogin prohibit-password
+      {% endif %}
+    validate: 'sshd -t -f %s'
+  notify: Restart SSH