debian: add basic Debian role

1 files changed, 56 insertions, 0 deletions

diff --git a/roles/debian/tasks/sshd.yml b/roles/debian/tasks/sshd.yml
new file mode 100644
index 0000000..a0a2d96
--- /dev/null
+++ b/roles/debian/tasks/sshd.yml
@@ -0,0 +1,56 @@
+---
+- name: Install SSH server
+  apt:
+    name: openssh-server
+    state: present
+  tags:
+  - packages
+
+- name: Create private host keys
+  copy:
+    dest: '/etc/ssh/{{ item.key }}'
+    content: '{{ item.value.private }}'
+    owner: root
+    group: ssh_keys
+    mode: 0640
+  with_dict: '{{ ssh_host_keys }}'
+  loop_control:
+    label: '/etc/ssh/{{ item.key }}'
+  when: ssh_host_keys is defined
+
+- name: Create public host keys
+  copy:
+    dest: '/etc/ssh/{{ item.key }}.pub'
+    content: '{{ item.value.public }}'
+    owner: root
+    group: root
+    mode: 0644
+  with_dict: '{{ ssh_host_keys }}'
+  loop_control:
+    label: '/etc/ssh/{{ item.key }}.pub'
+  when: ssh_host_keys is defined
+
+- name: Configure SSH daemon
+  lineinfile:
+    path: '/etc/ssh/sshd_config'
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+  with_items:
+  - regexp: '^[# ]*PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+  - regexp: '^#*GSSAPIAuthentication'
+    line: 'GSSAPIAuthentication no'
+  notify: restart sshd
+
+- name: Enable SSH daemon
+  systemd:
+    name: ssh.service
+    enabled: yes
+    masked: no
+    state: started
+  when: not chroot
+- name: '- when in chroot'
+  command: systemctl enable ssh.service
+  when: chroot
+
+# vim: set ts=2 sw=2 et: