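---
# SSH tasks: install the Vault-issued SSH user CA public key, write sshd_config
# so that only certificate/key based logins are accepted, and make sure sshd is
# enabled and running with that configuration.
#
# NOTE(review): the sftp-server and sshd paths below match a Debian/Ubuntu
# layout — confirm before running against other distributions.

# SSH
- name: Curl SSH trusted CA
  get_url:
    url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key
    dest: /etc/ssh/trusted-user-ca-keys.pem
    # Every key in this file is trusted as a user CA by sshd, so the file must
    # stay root-owned: no other account on the host may be able to add a CA.
    # validate_certs is left at its default (true) so the download is
    # authenticated by TLS rather than trusted blindly.
    owner: root
    group: root
    mode: '0660'
  register: ssh_trusted_ca
  become: true

- name: Create sshd_config file
  copy:
    dest: "/etc/ssh/sshd_config"
    owner: root
    group: root
    mode: '0644'
    content: |
      Include /etc/ssh/sshd_config.d/*.conf
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      UsePAM yes
      KbdInteractiveAuthentication no
      X11Forwarding yes
      PrintMotd no
      AcceptEnv LANG LC_*
      Subsystem sftp /usr/lib/openssh/sftp-server
      TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
    # Refuse to install a config sshd cannot parse: a typo in the content above
    # would otherwise lock every user out of the host at the next restart.
    validate: /usr/sbin/sshd -t -f %s
  register: sshd_config
  become: true

- name: Ensure ssh service enabled and started
  ansible.builtin.systemd:
    name: sshd
    state: started
    daemon_reload: true
    enabled: true
  become: true

- name: Restart ssh service to apply configuration changes
  ansible.builtin.systemd:
    name: sshd
    state: restarted
  become: true
  # Restart only when the CA file or sshd_config actually changed, so repeated
  # runs are idempotent and do not drop live sessions for no reason.
  when: ssh_trusted_ca.changed or sshd_config.changed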