| author | Emil Renner Berthing <esmil@labitat.dk> | 2020-02-27 14:44:24 +0100 | 
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2020-02-27 17:45:04 +0100 | 
| commit | d26fe55aa9de5f0eb51152c22d12ff28a9c488d4 (patch) | |
| tree | 04501e2a33ec62cd07e4e55efd1a4ab411abc578 /roles/fedora/tasks | |
| parent | 4115d711842ea235966868a325f5d42ee428db14 (diff) | |
| download | labitat-ansible-d26fe55aa9de5f0eb51152c22d12ff28a9c488d4.tar.gz labitat-ansible-d26fe55aa9de5f0eb51152c22d12ff28a9c488d4.tar.xz labitat-ansible-d26fe55aa9de5f0eb51152c22d12ff28a9c488d4.zip  | |
space_server: use common secrets.yml in ansible root
..and generalize and move sshd tasks to fedora role.
Diffstat (limited to 'roles/fedora/tasks')
| -rw-r--r-- | roles/fedora/tasks/main.yml | 2 | ||||
| -rw-r--r-- | roles/fedora/tasks/sshd.yml | 51 | 
2 files changed, 53 insertions, 0 deletions
diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml
index 4492df5..de4c160 100644
--- a/roles/fedora/tasks/main.yml
+++ b/roles/fedora/tasks/main.yml
@@ -20,5 +20,7 @@
   tags: networkd
 - import_tasks: timesyncd.yml
   tags: timesyncd
+- import_tasks: sshd.yml
+  tags: sshd
 # vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/sshd.yml b/roles/fedora/tasks/sshd.yml
new file mode 100644
index 0000000..603fbf9
--- /dev/null
+++ b/roles/fedora/tasks/sshd.yml
@@ -0,0 +1,51 @@
+---
+- name: Create private host keys
+  copy:
+    dest: '/etc/ssh/{{ item.key }}'
+    content: '{{ item.value.private }}'
+    owner: root
+    group: ssh_keys
+    mode: 0640
+  with_dict: '{{ ssh_host_keys[hostname] }}'
+  loop_control:
+    label: '/etc/ssh/{{ item.key }}'
+  when: ssh_host_keys is defined and hostname in ssh_host_keys
+
+- name: Create public host keys
+  copy:
+    dest: '/etc/ssh/{{ item.key }}.pub'
+    content: '{{ item.value.public }}'
+    owner: root
+    group: root
+    mode: 0644
+  with_dict: '{{ ssh_host_keys[hostname] }}'
+  loop_control:
+    label: '/etc/ssh/{{ item.key }}.pub'
+  when: ssh_host_keys is defined and hostname in ssh_host_keys
+
+- name: Configure SSH daemon
+  lineinfile:
+    path: '/etc/ssh/sshd_config'
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+  with_items:
+  - regexp: '^[# ]*PermitRootLogin'
+    line: 'PermitRootLogin no'
+  - regexp: '^PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+  - regexp: '^[# ]*GSSAPIAuthentication'
+    line: 'GSSAPIAuthentication no'
+  notify: restart sshd
+
+- name: Enable SSH daemon
+  systemd:
+    name: sshd.service
+    enabled: yes
+    masked: no
+    state: started
+  when: not chroot
+- name: '- when in chroot'
+  command: systemctl enable sshd.service
+  when: chroot|bool
+
+# vim: set ts=2 sw=2 et:
  | 
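Review bot: In the "Configure SSH daemon" task of the new sshd.yml, the `^PasswordAuthentication` regexp only matches an already-active directive while the two neighbouring entries use `^[# ]*`, so a host whose only occurrence is the commented default gets the line appended at the end of sshd_config rather than replaced in place; for consistency with the other items this should be `regexp: '^[# ]*PasswordAuthentication'`, and since sshd honours the first occurrence of a keyword, an appended line is silently shadowed by any active setting that precedes it. Because a malformed sshd_config only surfaces when the `restart sshd` handler fires, adding `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile task lets the edit be rejected before it is written. On "Create private host keys", `loop_control.label` keeps the key out of the item label, but as far as I can tell copy's diff output would still show the key content when the play is run with --diff, so `no_log: true` on that task is worth adding. "Enable SSH daemon" uses `when: not chroot` whereas the following task uses `when: chroot|bool`; if `chroot` arrives as a string (e.g. from -e), `not chroot` is false for any non-empty value, so `when: not (chroot|bool)` keeps the two conditions complementary. Style: quote the octal modes (`mode: '0640'`, `mode: '0644'`) and write `enabled: true` / `masked: false` rather than `yes`/`no`.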
