Add role for deploying SSH config and also add mailserver-endpoint host

2023-06-06 23:37:42 +02:00 · 2023-06-06 23:37:42 +02:00 · 0c62a8f3e0
commit 0c62a8f3e0
parent ebfa591484
6 changed files with 256 additions and 0 deletions
--- a/playbooks/roles/deploy_ssh_server_config/files/sshd_config
+++ b/playbooks/roles/deploy_ssh_server_config/files/sshd_config
@ -0,0 +1,85 @@
+# This is the sshd server system-wide configuration file deployed and managed by
+# Ansible.
+# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
+# information.
+
+# This config doesn't set all options and leaves some to the sshd defaults.
+# The sshd defaults should be alright, so this config is only really setting
+# options in cases where we want to intentionally have an option a certain way
+# for some reason or another. For example for hardening, improved loggin, etc.
+
+
+## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
+## guidelines.
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+
+## Authentication Settings.
+
+# Require only "publickey" for authentication.
+# From Mozillas Modern guidelines.
+AuthenticationMethods publickey
+
+# Enable "PubkeyAuthentication" accordingly.
+PubkeyAuthentication yes
+# Don't do the other authentication types.
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+# Don't allow root login.
+PermitRootLogin no
+
+# Set this to "yes", but have "PasswordAuthentication" and
+# "ChallengeResponseAuthentication" set to "no", to have account and session
+# checks run.
+# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
+# information.
+UsePAM yes
+
+
+## Miscellaneous Settings.
+
+# X11 forwarding shouldn't be needed.
+X11Forwarding no
+
+# Printing this isn't needed.
+PrintMotd no
+
+# Print time and date of last login, since that's nice.
+PrintLastLog yes
+
+# Disable general environment processing.
+PermitUserEnvironment no
+
+# Allow client to pass locale environment variables.
+# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+AcceptEnv LANG LC_*
+
+# Request response from client after 120 seconds of no communication.
+# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+ClientAliveInterval 120
+
+
+## Logging
+
+# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
+# This is needed for a clear audit track.
+# From Mozillas Modern guidelines.
+LogLevel VERBOSE
+
+# Enable the sftp subsystem and log properly.
+# From Mozillas Modern guidelines and
+# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
+Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO