-
Notifications
You must be signed in to change notification settings - Fork 3
/
sshd.yml
88 lines (68 loc) · 5.27 KB
/
sshd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
---
# The source code packaged with this file is Free Software, Copyright (C) 2016 by
# Unidad de Laboratorios, Escuela Politecnica Superior, Universidad de Alicante :: <aeps at eps.ua.es>.
# It's licensed under the AFFERO GENERAL PUBLIC LICENSE unless stated otherwise.
# You can get copies of the licenses here: http://www.affero.org/oagpl.html
# AFFERO GENERAL PUBLIC LICENSE is also included in the file called "LICENSE".
# sshd configuration
- name: Get python version
shell: echo {{ ansible_python_version }}|cut -d' ' -f2|cut -d'.' -f1,2
register: pythonVersion
changed_when: False
- name: Configure /etc/ssh/sshd_config con PermitRootLogin
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?PermitRootLogin\\s*' insertafter=EOF line='PermitRootLogin {{ sshdConfig.permitRootLogin }}'"
register: sshdPermitRootLogin
- name: Configure /etc/ssh/sshd_config con ClientAliveInterval
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?ClientAliveInterval\\s*' insertafter=EOF line='ClientAliveInterval {{ sshdConfig.clientAliveInterval }}'"
register: sshdClientAliveInterval
- name: Configure /etc/ssh/sshd_config con ClientAliveCountMax
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?ClientAliveCountMax\\s*' insertafter=EOF line='ClientAliveCountMax {{ sshdConfig.clientAliveCountMax }}'"
register: sshdClientAliveCountMax
- name: Configure /etc/ssh/sshd_config con LogLevel
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?LogLevel\\s*' insertafter=EOF line='LogLevel {{ sshdConfig.logLevel }}'"
register: sshdLogLevel
- name: Configure /etc/ssh/sshd_config con Subsystem sftp
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?Subsystem\\s*sftp\\s*' insertafter=EOF line='Subsystem sftp {{ \"%s\" % (sshdConfig.opensshSftpServer) if sshdConfig.opensshSftpServer is defined else \"%s\" % (path.commands.opensshSftpServer) }} {{ sshdConfig.subsystemSftp }}'"
register: sshdSubsystemSftp
- name: Configure /etc/ssh/sshd_config con MatchGroup
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?Match\\s*Group\\s*' insertafter=EOF line='Match Group {{ sshdConfig.matchGroup }}'"
register: sshdMatchGroup
when: sshdConfig.matchGroup != "Ignore" and sshdConfig.matchGroup != "Delete"
- name: Configure borrado en /etc/ssh/sshd_config con MatchGroup
lineinfile: "name=/etc/ssh/sshd_config regexp='^#?Match\\s*Group\\s*' state=absent"
register: sshdBorradoMatchGroup
when: sshdConfig.matchGroup == "Delete"
- name: Configure /etc/ssh/sshd_config con ForceCommand
lineinfile: "name=/etc/ssh/sshd_config state=present regexp='^#?ForceCommand\\s*' insertafter=EOF line='ForceCommand {{ sshdConfig.forceCommand }}'"
register: sshdForceCommand
when: sshdConfig.forceCommand != "Ignore" and sshdConfig.forceCommand != "Delete"
- name: Configure borrado en /etc/ssh/sshd_config con ForceCommand
lineinfile: "name=/etc/ssh/sshd_config regexp='^#?ForceCommand\\s*' state=absent"
register: sshdBorradoForceCommand
when: sshdConfig.forceCommand == "Delete"
- name: Getting Paths
action: path_EPS
changed_when: False
ignore_errors: yes
when: path.daemons.sshd.name|default("") == ""
- name: Restart sshd systemd
systemd: name={{ path.daemons.sshd.name }} state=restarted
when: path.daemons.sshd.type == "systemctl" and path.daemons.sshd.name != "" and (sshdPermitRootLogin|changed or sshdClientAliveInterval|changed or sshdClientAliveCountMax|changed or sshdLogLevel|changed or sshdSubsystemSftp|changed or sshdMatchGroup|changed or sshdBorradoMatchGroup|changed or sshdForceCommand|changed or sshdBorradoForceCommand|changed)
- name: Restart sshd service
service: name={{ path.daemons.sshd.name }} state=restarted
when: path.daemons.sshd.type == "service" and path.daemons.sshd.name != "" and (sshdPermitRootLogin|changed or sshdClientAliveInterval|changed or sshdClientAliveCountMax|changed or sshdLogLevel|changed or sshdSubsystemSftp|changed or sshdMatchGroup|changed or sshdBorradoMatchGroup|changed or sshdForceCommand|changed or sshdBorradoForceCommand|changed)
- name: Restart sshd init
shell: "{{ path.daemons.sshd.name }} restart executable='/bin/bash'"
when: path.daemons.sshd.type == "init" and path.daemons.sshd.name != "" and (sshdPermitRootLogin|changed or sshdClientAliveInterval|changed or sshdClientAliveCountMax|changed or sshdLogLevel|changed or sshdSubsystemSftp|changed or sshdMatchGroup|changed or sshdBorradoMatchGroup|changed or sshdForceCommand|changed or sshdBorradoForceCommand|changed)
- name: Checking sshd systemd
systemd: name={{ path.daemons.sshd.name }} state=started enabled=true
changed_when: False
when: path.daemons.sshd.type == "systemctl" and path.daemons.sshd.name != ""
- name: Checking sshd service
service: name={{ path.daemons.sshd.name }} state=started enabled=true
changed_when: False
when: path.daemons.sshd.type == "service" and path.daemons.sshd.name != ""
- name: Checking sshd init
shell: "{{ path.daemons.sshd.name }} start; ([ \"{{ ansible_os_family }}\" == \"Debian\" ] && update-rc.d $(basename {{ path.daemons.sshd.name }}) defaults) || ([ \"{{ ansible_os_family }}\" == \"RedHat\" ] && chkconfig $(basename {{ path.daemons.sshd.name }}) on) executable='/bin/bash'"
changed_when: False
when: path.daemons.sshd.type == "init" and path.daemons.sshd.name != ""