From 0c62a8f3e08999b5db3a33c00d0db6b0a17ca784 Mon Sep 17 00:00:00 2001
From: julian
Date: Tue, 6 Jun 2023 23:37:42 +0200
Subject: [PATCH] Add role for deploying SSH config and also add mailserver-endpoint host

---
 inventories/z9/hosts.yaml | 3 +
 playbooks/deploy_mailserver_endpoint.yaml | 5 +
 .../roles/deploy_ssh_server_config/README.md | 16 +++
 ...oud_2023-04-21_default_etc_ssh_sshd_config | 124 ++++++++++++++++++
 .../files/sshd_config | 85 ++++++++++++
 .../deploy_ssh_server_config/tasks/main.yaml | 23 ++++
 6 files changed, 256 insertions(+)
 create mode 100644 playbooks/deploy_mailserver_endpoint.yaml
 create mode 100644 playbooks/roles/deploy_ssh_server_config/README.md
 create mode 100644 playbooks/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
 create mode 100644 playbooks/roles/deploy_ssh_server_config/files/sshd_config
 create mode 100644 playbooks/roles/deploy_ssh_server_config/tasks/main.yaml

diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index e9159dd..8b390e0 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -31,3 +31,6 @@ all:
 send-only-mailserver:
 ansible_host: send-only-mailserver.z9.ccchh.net
 ansible_user: chaos
+ mailserver-endpoint:
+ ansible_host: mailserver-endpoint.ccchh.net
+ ansible_user: chaos
diff --git a/playbooks/deploy_mailserver_endpoint.yaml b/playbooks/deploy_mailserver_endpoint.yaml
new file mode 100644
index 0000000..f59b939
--- /dev/null
+++ b/playbooks/deploy_mailserver_endpoint.yaml
@@ -0,0 +1,5 @@
+---
+- name: Deploy stuff on mailserver-endpoint.ccchh.net
+ hosts: mailserver-endpoint
+ roles:
+ - deploy_ssh_server_config
diff --git a/playbooks/roles/deploy_ssh_server_config/README.md b/playbooks/roles/deploy_ssh_server_config/README.md
new file mode 100644
index 0000000..ba78f86
--- /dev/null
+++ b/playbooks/roles/deploy_ssh_server_config/README.md
@@ -0,0 +1,16 @@
+# Role `deploy_ssh_server_config`
+
+This role deploys an SSH server config on the specified hosts.
+
+## `hosts`
+
+The `hosts` for this role need to be the machines, for which you want to deploy an SSH server config.
+
+## Required Variables
+
+This role doesn't have nay required variables.
+
+## Links & Resources
+
+-
+- Also see [Debian 11 cloud 2023-04-21 default /etc/ssh/sshd_config](docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config).
diff --git a/playbooks/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config b/playbooks/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
new file mode 100644
index 0000000..84ed5b8
--- /dev/null
+++ b/playbooks/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
@@ -0,0 +1,124 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+ClientAliveInterval 120
diff --git a/playbooks/roles/deploy_ssh_server_config/files/sshd_config b/playbooks/roles/deploy_ssh_server_config/files/sshd_config
new file mode 100644
index 0000000..344f1fb
--- /dev/null
+++ b/playbooks/roles/deploy_ssh_server_config/files/sshd_config
@@ -0,0 +1,85 @@
+# This is the sshd server system-wide configuration file deployed and managed by
+# Ansible.
+# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
+# information.
+
+# This config doesn't set all options and leaves some to the sshd defaults.
+# The sshd defaults should be alright, so this config is only really setting
+# options in cases where we want to intentionally have an option a certain way
+# for some reason or another. For example for hardening, improved loggin, etc.
+
+
+## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
+## guidelines.
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+
+## Authentication Settings.
+
+# Require only "publickey" for authentication.
+# From Mozillas Modern guidelines.
+AuthenticationMethods publickey
+
+# Enable "PubkeyAuthentication" accordingly.
+PubkeyAuthentication yes
+# Don't do the other authentication types.
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+# Don't allow root login.
+PermitRootLogin no
+
+# Set this to "yes", but have "PasswordAuthentication" and
+# "ChallengeResponseAuthentication" set to "no", to have account and session
+# checks run.
+# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
+# information.
+UsePAM yes
+
+
+## Miscellaneous Settings.
+
+# X11 forwarding shouldn't be needed.
+X11Forwarding no
+
+# Printing this isn't needed.
+PrintMotd no
+
+# Print time and date of last login, since that's nice.
+PrintLastLog yes
+
+# Disable general environment processing.
+PermitUserEnvironment no
+
+# Allow client to pass locale environment variables.
+# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+AcceptEnv LANG LC_*
+
+# Request response from client after 120 seconds of no communication.
+# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+ClientAliveInterval 120
+
+
+## Logging
+
+# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
+# This is needed for a clear audit track.
+# From Mozillas Modern guidelines.
+LogLevel VERBOSE
+
+# Enable the sftp subsystem and log properly.
+# From Mozillas Modern guidelines and
+# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
diff --git a/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml b/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
new file mode 100644
index 0000000..9588d14
--- /dev/null
+++ b/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
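Review bot: The managed config omits the `Include /etc/ssh/sshd_config.d/*.conf` directive that the Debian 11 default (the docs copy in this same patch) places at the very top, so any drop-in that cloud-init or a package writes into that directory silently stops applying once this file is deployed. That is probably the intended outcome for a hardened, Ansible-owned file, because sshd uses the first value it sees and an included drop-in could otherwise re-enable e.g. password authentication ahead of the settings below, but it should be stated rather than left implicit: `# No "Include /etc/ssh/sshd_config.d/*.conf" on purpose: drop-ins must not override this managed config.` Two defaults are also left in place that a publickey-only mail endpoint likely does not need: `AllowAgentForwarding` and `AllowTcpForwarding` both default to yes, and setting them to `no` (unless this host is meant to double as a jump host) limits what a stolen client key can be used for. The `## Miscellaneous Settings.` section that this stretch belongs to starts in the previous part of the hunk.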
@@ -0,0 +1,23 @@
+# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
+- name: deploy SSH server config
+ become: true
+
+ block:
+ - name: deploy `sshd_config`
+ ansible.builtin.copy:
+ force: true
+ dest: /etc/ssh/sshd_config
+ mode: 0644
+ owner: root
+ group: root
+ src: sshd_config
+ register: deploy_ssh_server_config__ssh_config_copy_result
+
+ - name: deactivate short moduli
+ ansible.builtin.shell:
+ cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+
+ # Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+ - name: reboot, if ssh server config got changed
+ ansible.builtin.reboot:
+ when: deploy_ssh_server_config__ssh_config_copy_result.changed
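Review bot: The `ansible.builtin.copy` task writes `/etc/ssh/sshd_config` without validating it, and the last task then reboots the host whenever that file changed, so a single typo in `files/sshd_config` ends with sshd refusing to start after the reboot and the machine unreachable over SSH. Add `validate: /usr/sbin/sshd -t -f %s` to the copy task: a config that fails `sshd -t` is then never installed and the reboot never fires. The reboot itself is heavier than needed; as far as I know Debian's ssh unit only kills the listener on restart (existing sessions, including the Ansible one, survive), so a handler using `ansible.builtin.service` with `name: ssh` and `state: restarted` should suffice, but keep the reboot if that cannot be verified on this host. Two smaller points: quote the mode as `mode: "0644"` rather than relying on YAML 1.1 octal parsing of the bare number, and the `deactivate short moduli` shell task rewrites `/etc/ssh/moduli` and reports changed on every run, so a `changed_when` based on whether `awk` actually dropped any lines (or a `creates`-style guard) would keep the play idempotent.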