Harden SSH access on server profile

ansible/inventory/group_vars/server.yml

@@ -30,3 +30,9 @@ server_templates:
 server_ufw_rules:
   - rule: allow
     name: OpenSSH
+
+server_sshd_settings:
+  PermitRootLogin: "no"
+
+server_sshd_allow_users:
+  - "{{ username }}"

ansible/roles/profile_server/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Reload SSH service
+  tags: [services]
+  ansible.builtin.service:
+    name: ssh
+    state: reloaded

ansible/roles/profile_server/tasks/main.yml

@@ -24,6 +24,27 @@
   loop_control:
     label: "{{ item.dest }}"
 
+- name: Disable SSH root login on server
+  tags: [services]
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^\s*PermitRootLogin\s+'
+    line: "PermitRootLogin {{ server_sshd_settings.PermitRootLogin }}"
+    state: present
+    validate: "sshd -t -f %s"
+  notify: Reload SSH service
+
+- name: Restrict SSH login to allowed users on server
+  tags: [services]
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^\s*AllowUsers\s+'
+    line: "AllowUsers {{ server_sshd_allow_users | join(' ') }}"
+    state: present
+    validate: "sshd -t -f %s"
+  notify: Reload SSH service
+  when: (server_sshd_allow_users | default([])) | length > 0
+
 - name: Apply server UFW rules
   tags: [services, packages]
   community.general.ufw: