Update common role

- Add secure-secure-shell task - Add unattended-upgrades task - Change package installation tasks - Remove website tasks from generic services group
2017-02-05 13:45:33 +01:00 · 2017-02-05 13:45:33 +01:00 · 17468493cc
commit 17468493cc
parent db911b40c1
12 changed files with 242 additions and 22 deletions
--- a/roles/common/tasks/secure-secure-shell.yml
+++ b/roles/common/tasks/secure-secure-shell.yml
@ -0,0 +1,28 @@
+# Secure SSH Configuration
+# https://stribika.github.io/2015/01/04/secure-secure-shell.html
+---
+- name: check for ED25519 host key
+  stat: path=/etc/ssh/ssh_host_ed25519_key
+  register: f
+- fail: msg="No ED25519 host key found"
+  when: not f.stat.exists
+
+- name: check for RSA host key
+  stat: path=/etc/ssh/ssh_host_rsa_key
+  register: f
+- fail: msg="No RSA host key found"
+  when: not f.stat.exists
+
+- name: template sshd_config
+  template:
+    src: templates/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    backup: yes
+  register: sshd_config
+
+# reload sshd now in case the handlers don't run
+- name: reload sshd
+  service:
+    name: ssh
+    state: reloaded
+  when: sshd_config.changed