---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
# WARNING: This file may be used inside a mounted chroot.
# The running system should not be assumed to be the target system.
### UPSTREAM BEGIN ⇒ ###
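- name: settings necessary for pulling from upstream
  # Native mapping form instead of the key=value shorthand: the values keep
  # their YAML types (allow_duplicates as a real boolean) and lint cleanly.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: SSH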
### ⇐ UPSTREAM BEGIN ###
- name: create the bastion user (front only)
  # System account named in the port-22000 usage message further down (the
  # remote-help reverse tunnel); the password arrives pre-hashed (sha512),
  # never in clear.
  # NOTE(review): the user module takes no chroot parameter, so this acts on
  # the running system even when `chroot` is set - confirm that is intended.
  user:
    name: "{{ ssh_bastion_user }}"
    password: "{{ ssh_bastion_pwd_sha512 }}"
    create_home: true
    system: true
  when: inventory_hostname in groups['front']
- name: send secure SSH host RSA key
  # Host key pair shipped from the controller's files/ directory, one file
  # per host: private half owner-read-only, public half world-readable.
  copy:
    src: "files/{{ hostname }}.{{ item.name }}"
    dest: "{{ chroot }}/etc/ssh/{{ item.name }}"
    mode: "{{ item.perm }}"
  with_items:
    - name: ssh_host_rsa_key
      perm: '0400'
    - name: ssh_host_rsa_key.pub
      perm: '0444'
  notify:
    - restart sshd.service
- name: force mode of other secure keys (no error)
  # Best-effort pass: a failure here (presumably the ed25519 pair not
  # existing yet) is tolerated; the strict variant of this task runs later,
  # only when chroot == ''.
  file:
    path: "{{ chroot }}/etc/ssh/{{ item.name }}"
    mode: "{{ item.perm }}"
  ignore_errors: true
  with_items:
    - name: ssh_host_ed25519_key
      perm: '0400'
    - name: ssh_host_ed25519_key.pub
      perm: '0444'
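- name: send Ansibles forced-command
  # Forced command bound to the Ansible key in root's authorized_keys: it
  # runs whatever command the controller requested, so the effective limits
  # on that key are the from= / restrict options on the key entry, not this
  # script.
  copy:
    # $SSH_ORIGINAL_COMMAND is quoted so eval receives the requested command
    # verbatim; unquoted, the shell would word-split and glob-expand it first
    # (collapsing whitespace, expanding any '*').
    content: |
      #!/usr/bin/env bash
      eval "$SSH_ORIGINAL_COMMAND"
    dest: "{{ chroot }}/root/.ssh/force_ansible.sh"
    # Quoted: the octal mode stays a string for every YAML parser (a bare
    # 0700 is only an octal int under YAML 1.1 rules) and matches the quoted
    # modes used elsewhere in this file.
    mode: "0700"
  notify:
    - restart sshd.service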
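- name: copy Ansible key to roots home
  # The key entry is pinned to the controller's address (from=), stripped of
  # pty/forwarding/agent (restrict) and routed through force_ansible.sh
  # (command=), so this key can only be used from ansible_master and only
  # through the forced command.
  lineinfile:
    path: "{{ chroot }}/root/.ssh/authorized_keys"
    # The public key contains regex metacharacters ('+' in base64); escape it
    # so an existing entry for this key is found and replaced (e.g. when
    # ansible_master changes) instead of a stale entry being left behind.
    regexp: "{{ ansible_authorized_key | regex_escape }}"
    # '>-' folds the two lines into one and drops the trailing newline.
    line: >-
      from="{{ ansible_master }}",restrict,command="/root/.ssh/force_ansible.sh"
      {{ ansible_authorized_key }}
    create: true
    # Quoted so the octal mode is a string for every YAML parser.
    mode: "0600"
  notify:
    - restart sshd.service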
- name: enable sshd
  # Hand-made equivalent of `systemctl enable sshd` (presumably because
  # systemctl cannot act on a mounted chroot): create the multi-user.target
  # wants symlink directly under the target root.
  file:
    src: /usr/lib/systemd/system/sshd.service
    dest: "{{ chroot }}/etc/systemd/system/multi-user.target.wants/sshd.service"
    state: link
# Run the queued "restart sshd.service" handler now, before the UPSTREAM END
# etckeeper step below, rather than at the end of the play.
- meta: flush_handlers
### UPSTREAM END ⇒ ###
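- name: merge local settings
  # Native mapping form instead of the key=value shorthand: the values keep
  # their YAML types (allow_duplicates as a real boolean) and lint cleanly.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: SSH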
### ⇐ UPSTREAM END ###
- name: force mode of other secure keys
  # Strict counterpart of the earlier best-effort task: on a live system
  # (chroot == '') the ed25519 pair must exist and get the tight modes, and
  # a failure is reported.
  file:
    path: "{{ chroot }}/etc/ssh/{{ item.name }}"
    mode: "{{ item.perm }}"
  with_items:
    - name: ssh_host_ed25519_key
      perm: '0400'
    - name: ssh_host_ed25519_key.pub
      perm: '0444'
  when: chroot == ''
  notify:
    - restart sshd.service
- name: SSH hardening from https://stribika.github.io/
  # Restricts key exchange, ciphers and MACs to the set recommended by the
  # linked article. sshd keeps the first value it reads for a keyword, so
  # the block is placed near the top of the file (right after ListenAddress)
  # rather than appended.
  blockinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    marker: '# {mark} https://stribika.github.io/2015/01/04/secure-secure-shell.html'
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    insertafter: '^#?ListenAddress\s'
  notify: restart sshd.service
- name: enable the secure host keys
  # Uncomment the HostKey lines for the ed25519 and rsa keys: the regexp
  # captures the directive and the line is rewritten without a leading '#'.
  # With backrefs, a config that has no such line is left untouched.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{ item }}_key)'
    line: '\1'
  with_items:
    - ed25519
    - rsa
  notify: restart sshd.service
- name: disable the insecure host keys
  # Comment out the HostKey lines for the dsa and ecdsa keys (same capture
  # as the enabling task, re-emitted with a leading '#'). With backrefs, a
  # config that has no such line is left untouched.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    backrefs: true
    regexp: '^#?(HostKey\s+/etc/ssh/ssh_host_{{ item }}_key)'
    line: '#\1'
  with_items:
    - dsa
    - ecdsa
  notify: restart sshd.service
- name: restrict root login
  # forced-commands-only: root may authenticate with a key only when that
  # key carries a command= option, which is how the Ansible key is installed
  # above (force_ansible.sh); any other root login is refused.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?PermitRootLogin\s'
    line: PermitRootLogin forced-commands-only
  notify: restart sshd.service
- name: allow TCP forwarding
  # NOTE(review): sshd expects a yes/no style token here; a YAML boolean in
  # ssh_allow_tcpforward would render as True/False, which sshd may not
  # accept - confirm the variable is defined as a string.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?AllowTcpForwarding\s'
    line: "AllowTcpForwarding {{ ssh_allow_tcpforward }}"
  notify: restart sshd.service
- name: allow gateway ports
  # Whether remote forwards may bind non-loopback addresses; sshd wants a
  # yes/no style token, so ssh_allow_gatewayports should be a string, not a
  # YAML boolean (which would render as True/False).
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?GatewayPorts\s'
    line: "GatewayPorts {{ ssh_allow_gatewayports }}"
  notify: restart sshd.service
- name: allow X11 forwarding
  # Global X11Forwarding setting; the port-22000 Match section on front
  # hosts overrides it with "no" regardless of this value.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?X11Forwarding\s'
    line: "X11Forwarding {{ ssh_allow_x11forward }}"
  notify: restart sshd.service
- name: set keep-alive interval
  # Seconds between server-side keep-alive probes (an integer renders fine).
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?ClientAliveInterval\s'
    line: "ClientAliveInterval {{ ssh_clientalive_interval }}"
  notify: restart sshd.service
- name: allow tunnel
  # tun(4) device forwarding; sshd wants a yes/no/point-to-point/ethernet
  # token, so ssh_allow_tunnel should be a string, not a YAML boolean.
  lineinfile:
    path: "{{ chroot }}/etc/ssh/sshd_config"
    regexp: '^#?PermitTunnel\s'
    line: "PermitTunnel {{ ssh_allow_tunnel }}"
  notify: restart sshd.service
- name: extended front setup
  # Appended to the live sshd_config (no chroot prefix, hence the
  # chroot == '' guard). sshd applies a Match section until the next Match
  # or EOF, so every directive below a Match line is scoped to it: the
  # global ForceCommand nologin is lifted for trusted addresses and for
  # port 23, while port 22000 becomes a key-only relay for the remote-help
  # reverse tunnel (no sessions, no tty, no X11, the echo only prints usage).
  # NOTE(review): the template uses the ipaddr filter; on recent Ansible it
  # is provided by the ansible.utils collection - confirm it is available.
  blockinfile:
    path: /etc/ssh/sshd_config
    marker: '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # alternative port
      Port 23
      # remote-help port
      Port 22000
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 23
      ForceCommand none
      Match LocalPort 22000
      ForceCommand /usr/bin/echo 'Use: ssh -NTxR 2200x:localhost:22 -i /your/key -p 22000 {{ssh_bastion_user}}@{{net_soa}}'
      PermitTTY no
      AuthenticationMethods publickey
      MaxAuthTries 1
      MaxSessions 0
      X11Forwarding no
    insertafter: EOF
  when: inventory_hostname in groups['front'] and chroot == ''
  notify: restart sshd.service
- name: extended back setup
  # Appended to the live sshd_config (no chroot prefix, hence the
  # chroot == '' guard). sshd applies a Match section until the next Match
  # or EOF: the global ForceCommand nologin is lifted for trusted addresses,
  # and port 2222 is reserved for the git user.
  # NOTE(review): PermitRootLogin / PasswordAuthentication /
  # PermitEmptyPasswords / PubkeyAuthentication sit below
  # `Match LocalPort 2222`, so they apply to the git port only; port 22 keeps
  # the global values (PermitRootLogin is set globally by the "restrict root
  # login" task, the other three are not set by this file). Confirm that
  # scoping is intended.
  # NOTE(review): the template uses the ipaddr filter; on recent Ansible it
  # is provided by the ansible.utils collection - confirm it is available.
  blockinfile:
    path: /etc/ssh/sshd_config
    marker: '# {mark} extended setup'
    block: |
      # regular port
      Port 22
      # git port
      Port 2222
      AcceptEnv {{ssh_accept_env}}
      AllowUsers {{ssh_allowed_users}}
      ForceCommand /usr/bin/nologin
      Match Address {{(net_trusted_ranges + ' ' + (iodine_net | ipaddr('0'))) | replace(' ', ',')}}
      ForceCommand none
      Match LocalPort 2222
      AllowUsers {{gitea_user}}
      PermitRootLogin no
      PasswordAuthentication no
      PermitEmptyPasswords no
      PubkeyAuthentication yes
    insertafter: EOF
  when: inventory_hostname in groups['back'] and chroot == ''
  notify: restart sshd.service
### LOCAL COMMIT ⇒ ###
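- name: commit local changes
  # Native mapping form instead of the key=value shorthand: the values keep
  # their YAML types (allow_duplicates as a real boolean) and lint cleanly.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: SSH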
### ⇐ LOCAL COMMIT ###
# Apply any pending "restart sshd.service" immediately so the new
# sshd_config is live before the play moves on to the next role.
- meta: flush_handlers