Because of how Ansible local relative search paths work, the global "files" and "templates" directories need to be next to the playbooks. However, it's not intuitive to look into the "playbooks" directory to find the files and templates for a host. Therefore move them out of the "playbooks" directory into the root directory and add symlinks so everything still works. Similarly for local roles, they also need to be next to the playbooks. So for a nicer structure, move the "roles" directory out into the root directory as well and add a symlink so everything still works. Also see: https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
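# This is the sshd server system-wide configuration file deployed and managed by
# Ansible.
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
# information.

# This config doesn't set all options and leaves some to the sshd defaults.
# The sshd defaults should be alright, so this config is only really setting
# options in cases where we want to intentionally have an option a certain way
# for some reason or another. For example for hardening, improved logging, etc.

{# OpenSSH renamed "ChallengeResponseAuthentication" to
   "KbdInteractiveAuthentication"; Debian 12 is the first Debian release whose
   sshd ships the new keyword, and every later release keeps it. Compare the
   major version numerically (not string-equal to "12") so Debian 13+ does not
   silently fall back to the deprecated alias. Non-numeric versions (e.g. sid)
   cast to 0 and keep the old keyword, as before. Pick the keyword once here so
   the two places below that mention it cannot drift apart. #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] | int >= 12 %}
{% set kbd_interactive_keyword = "KbdInteractiveAuthentication" %}
{% else %}
{% set kbd_interactive_keyword = "ChallengeResponseAuthentication" %}
{% endif %}

## Use the HostKey preference, Ciphers and algorithms from Mozilla's Modern
## guidelines.

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# NOTE(review): "diffie-hellman-group-exchange-sha256" takes its group from
# /etc/ssh/moduli, and the Mozilla guideline pairs it with pruning groups
# smaller than 3071 bits from that file. Confirm the role does that pruning,
# otherwise consider dropping this method from the list.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


## Authentication Settings.

# Require only "publickey" for authentication.
# From Mozilla's Modern guidelines.
AuthenticationMethods publickey

# Enable "PubkeyAuthentication" accordingly.
PubkeyAuthentication yes

# Don't do the other authentication types.
PasswordAuthentication no
{{ kbd_interactive_keyword }} no
KerberosAuthentication no
GSSAPIAuthentication no

# Don't allow root login.
PermitRootLogin no

# Set this to "yes", but have "PasswordAuthentication" and
# "{{ kbd_interactive_keyword }}" set to "no", so that PAM is only used for its
# account and session checks and never as an authentication path.
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
# information.
UsePAM yes


## Miscellaneous Settings.

# X11 forwarding shouldn't be needed.
X11Forwarding no

# Printing this isn't needed.
PrintMotd no

# Print time and date of last login, since that's nice.
PrintLastLog yes

# Disable general environment processing.
PermitUserEnvironment no

# Allow client to pass locale environment variables.
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
AcceptEnv LANG LC_*

# Request response from client after 120 seconds of no communication.
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
# "ClientAliveCountMax" is deliberately left at the sshd default (3 per
# sshd_config(5)), so an unresponsive client is disconnected after that many
# unanswered probes.
ClientAliveInterval 120


## Logging

# Set "LogLevel" to "VERBOSE" to log users' key fingerprints on login.
# This is needed for a clear audit track.
# From Mozilla's Modern guidelines.
LogLevel VERBOSE

# Enable the sftp subsystem and log properly.
# From Mozilla's Modern guidelines and
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO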