Harden SSH access on server profile

2026-05-30 15:39:58 +00:00 · 2026-03-25 22:26:07 +01:00
parent 88a9126afb
commit 686d77d942
3 changed files with 33 additions and 0 deletions
--- a/ansible/roles/profile_server/handlers/main.yml
+++ b/ansible/roles/profile_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload SSH service
+  tags: [services]
+  ansible.builtin.service:
+    name: ssh
+    state: reloaded
--- a/ansible/roles/profile_server/tasks/main.yml
+++ b/ansible/roles/profile_server/tasks/main.yml
@@ -24,6 +24,27 @@
  loop_control:
    label: "{{ item.dest }}"

+- name: Disable SSH root login on server
+  tags: [services]
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^\s*PermitRootLogin\s+'
+    line: "PermitRootLogin {{ server_sshd_settings.PermitRootLogin }}"
+    state: present
+    validate: "sshd -t -f %s"
+  notify: Reload SSH service
+
+- name: Restrict SSH login to allowed users on server
+  tags: [services]
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^\s*AllowUsers\s+'
+    line: "AllowUsers {{ server_sshd_allow_users | join(' ') }}"
+    state: present
+    validate: "sshd -t -f %s"
+  notify: Reload SSH service
+  when: (server_sshd_allow_users | default([])) | length > 0
+
 - name: Apply server UFW rules
  tags: [services, packages]
  community.general.ufw: