skylab-ansible/roles/server/tasks/sshd.yaml

---
- name: Configure SSH authentication settings
  become: true
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regex }}"
    replace: "{{ item.value }}"
  notify: [restart-sshd]
  loop:
    - name: disable root login
      regex: "^.*PermitRootLogin (yes|no).*$"
      value: PermitRootLogin no
    - name: disable password auth
      regex: "^.*PasswordAuthentication (yes|no).*$"
      value: PasswordAuthentication no
    - name: disable challenge response auth
      regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
      value: ChallengeResponseAuthentication no
    - name: disable GSSAPI auth
      regex: "^.*GSSAPIAuthentication (yes|no).*$"
      value: GSSAPIAuthentication no
  loop_control:
    label: "{{ item.name }}"

- name: Disable dynamic MOTD on debian systems
  when: ansible_os_family == "Debian"
  ansible.builtin.replace:
    path: /etc/pam.d/sshd
    regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
    replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"

- name: Disable Cockpit activation message on Rocky
  when: ansible_distribution == "Rocky"
  become: true
  ansible.builtin.file:
    path: /etc/motd.d/cockpit
    state: absent

- name: Copy MOTD to remote
  become: true
  ansible.builtin.template:
    src: motd.j2
    dest: /etc/motd
    mode: 0644
Reorganize provision playbook Split server-specific configs out into server role Add symlink to roles for playbook directory 2021-11-06 01:53:47 +00:00			`---`
			`- name: Configure SSH authentication settings`
			`become: true`
			`ansible.builtin.replace:`
			`path: /etc/ssh/sshd_config`
			`regexp: "{{ item.regex }}"`
			`replace: "{{ item.value }}"`
			`notify: [restart-sshd]`
			`loop:`
			`- name: disable root login`
			`regex: "^.PermitRootLogin (yes\|no).$"`
			`value: PermitRootLogin no`
			`- name: disable password auth`
			`regex: "^.PasswordAuthentication (yes\|no).$"`
			`value: PasswordAuthentication no`
			`- name: disable challenge response auth`
			`regex: "^.ChallengeResponseAuthentication (yes\|no).$"`
			`value: ChallengeResponseAuthentication no`
			`- name: disable GSSAPI auth`
			`regex: "^.GSSAPIAuthentication (yes\|no).$"`
			`value: GSSAPIAuthentication no`
			`loop_control:`
			`label: "{{ item.name }}"`

			`- name: Disable dynamic MOTD on debian systems`
			`when: ansible_os_family == "Debian"`
			`ansible.builtin.replace:`
			`path: /etc/pam.d/sshd`
			`regexp: "^session optional pam_motd.so motd=/run/motd.dynamic"`
			`replace: "#session optional pam_motd.so motd=/run/motd.dynamic"`

			`- name: Disable Cockpit activation message on Rocky`
			`when: ansible_distribution == "Rocky"`
			`become: true`
			`ansible.builtin.file:`
			`path: /etc/motd.d/cockpit`
			`state: absent`

			`- name: Copy MOTD to remote`
			`become: true`
			`ansible.builtin.template:`
			`src: motd.j2`
			`dest: /etc/motd`
			`mode: 0644`