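# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
#
# Both tasks below notify the "reboot the system" handler (defined elsewhere in
# the role) rather than restarting sshd directly; see the inline comment.
- name: deploy SSH server config
  become: true
  block:
    - name: deploy `sshd_config`
      ansible.builtin.template:
        force: true
        dest: /etc/ssh/sshd_config
        mode: "0644"
        owner: root
        group: root
        src: sshd_config.j2
        # Check the rendered file before it replaces the live config. Without
        # this, a syntax error in the template only shows up after the reboot
        # below, when sshd refuses to start and the host is unreachable.
        validate: sshd -t -f %s
      notify:
        # Reboot instead of just restarting the ssh service, since I don't know
        # how Ansible reacts, when it restarts the service it probably needs
        # for the connection.
        - reboot the system

    - name: deactivate short moduli
      ansible.builtin.shell:
        executable: /bin/bash
        # Keep only Diffie-Hellman groups of at least 3071 bits (column 5 of
        # /etc/ssh/moduli is the modulus size). The file is rewritten only when
        # the filtered result differs, and a marker line on stdout tells
        # Ansible that a change happened.
        cmd: |
          set -eo pipefail
          awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
          # Refuse to install an empty moduli file; fail loudly instead so the
          # run stops here rather than rebooting into an unexpected state.
          if [ ! -s /etc/ssh/moduli.tmp ]; then
            rm -f /etc/ssh/moduli.tmp
            echo "no moduli of at least 3071 bits found in /etc/ssh/moduli" >&2
            exit 1
          fi
          # diff output is not needed; only its exit status decides the branch.
          if diff /etc/ssh/moduli /etc/ssh/moduli.tmp >/dev/null; then
            rm /etc/ssh/moduli.tmp
          else
            mv /etc/ssh/moduli.tmp /etc/ssh/moduli
            echo "ansible-changed: changed /etc/ssh/moduli"
          fi
      register: result
      # The shell task cannot report "changed" on its own; key off the marker
      # line the script prints when it replaced the file.
      changed_when:
        - '"ansible-changed" in result.stdout'
      notify:
        # Reboot instead of just restarting the ssh service, since I don't know
        # how Ansible reacts, when it restarts the service it probably needs
        # for the connection.
        - reboot the system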