ansible-config/roles/common/tasks/secure-secure-shell.yml

# Secure SSH Configuration
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
---
- name: check for ED25519 host key
  stat: path=/etc/ssh/ssh_host_ed25519_key
  register: f
- fail: msg="No ED25519 host key found"
  when: not f.stat.exists

- name: check for RSA host key
  stat: path=/etc/ssh/ssh_host_rsa_key
  register: f
- fail: msg="No RSA host key found"
  when: not f.stat.exists

- name: template sshd_config
  template:
    src: templates/sshd_config.j2
    dest: /etc/ssh/sshd_config
    backup: yes
  register: sshd_config

# reload sshd now in case the handlers don't run
- name: reload sshd
  service:
    name: ssh
    state: reloaded
  when: sshd_config.changed
Update common role - Add secure-secure-shell task - Add unattended-upgrades task - Change package installation tasks - Remove website tasks from generic services group 2017-02-05 13:45:33 +01:00			`# Secure SSH Configuration`
			`# https://stribika.github.io/2015/01/04/secure-secure-shell.html`
			`---`
			`- name: check for ED25519 host key`
			`stat: path=/etc/ssh/ssh_host_ed25519_key`
			`register: f`
			`- fail: msg="No ED25519 host key found"`
			`when: not f.stat.exists`

			`- name: check for RSA host key`
			`stat: path=/etc/ssh/ssh_host_rsa_key`
			`register: f`
			`- fail: msg="No RSA host key found"`
			`when: not f.stat.exists`

			`- name: template sshd_config`
			`template:`
			`src: templates/sshd_config.j2`
			`dest: /etc/ssh/sshd_config`
			`backup: yes`
			`register: sshd_config`

			`# reload sshd now in case the handlers don't run`
			`- name: reload sshd`
			`service:`
			`name: ssh`
			`state: reloaded`
			`when: sshd_config.changed`