Commit 48b4bd92 authored by ulif 🐻

Add role `security`.

This role settles some basic sshd-related stuff. Contrary to our
upstream we forbid root ssh completely.

TODO: restrict allowed ciphers, etc.
TODO: disable DSA host keys
parent 6e65ec54
- name: Restart ssh
service: name=ssh state=restarted
listen: Restart ssh
- name: Restart ufw
service: name=ufw state=restarted
listen: Restart ufw
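Review bot: In both handlers the `listen:` value is identical to the handler's `name:`, so it adds nothing; `notify: Restart ssh` already matches on the name. Either drop the `listen` lines or use a topic string that differs from the name. Separately, the `ufw` module applies rule and state changes when its task runs, so it is worth checking whether the `Restart ufw` handler is needed at all.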
# Secure the server
- name: Disallow ssh password authentication
lineinfile:
dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
notify: Restart ssh
- name: Disallow root SSH access
lineinfile:
dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin no"
state=present
notify: Restart ssh
- name: allow ssh in ufw
ufw:
rule: limit
name: OpenSSH
state: enabled
notify: Restart ufw
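Review bot: The patterns `regexp="^PasswordAuthentication"` and `regexp="^PermitRootLogin"` only match uncommented lines, so on a config where these keywords are commented out or absent, `lineinfile` appends the new line at the end of the file. sshd uses the first value it reads for each keyword, and anything placed after a `Match` block is scoped to that block, so an appended `PermitRootLogin no` can end up ineffective or conditional. Suggest matching the commented form as well (for example `^#?\s*PermitRootLogin`) and pinning the position with `insertbefore` so the line lands ahead of any `Match` section. Both tasks also write to `/etc/ssh/sshd_config` without a `validate` argument; adding `validate='/usr/sbin/sshd -t -f %s'` would keep a malformed file from being installed before `Restart ssh` fires. Minor: the task name `allow ssh in ufw` uses `rule: limit`, so a name like "Rate-limit ssh in ufw" would describe it better, and it should follow the capitalisation of the other task names.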