29 lines
743 B
YAML
29 lines
743 B
YAML
---
|
|
- name: Detect if system is Proxmox
|
|
ansible.builtin.stat:
|
|
path: /usr/bin/pveversion
|
|
register: proxmox_check
|
|
|
|
- name: Ensure sshd_config.d exists
|
|
ansible.builtin.file:
|
|
path: /etc/ssh/sshd_config.d
|
|
state: directory
|
|
|
|
- name: Deploy SSH hardening config
|
|
ansible.builtin.copy:
|
|
dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
|
|
mode: '0644'
|
|
content: |
|
|
PasswordAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
PubkeyAuthentication yes
|
|
AuthenticationMethods publickey
|
|
UsePAM yes
|
|
|
|
{% if not proxmox_check.stat.exists %}
|
|
PermitRootLogin no
|
|
{% else %}
|
|
PermitRootLogin prohibit-password
|
|
{% endif %}
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart SSH |