/ansible-role-srv_ssh

An Ansible role to install and configure the SSH server.

Ansible Role: ssh

Motivation

The OpenSSH server is the default way to access almost all *nix systems. Having a role that installs and configures this core service is mandatory for most operators.

Description

This Ansible role installs and configures the OpenSSH server (sshd).

  • install needed packages
  • configure sshd
  • configure a banner
  • configure SELinux
  • configure firewalld
  • apply some compliance standards (OpenSCAP Standard System Security Profile)

Requirements

Used Modules:

Installation

Install from Ansible Galaxy

ansible-galaxy install while_true_do.srv_ssh

Install from Github

git clone https://github.com/while-true-do/ansible-role-srv_ssh.git while_true_do.srv_ssh

Usage

Role Variables

---
# defaults file for while_true_do.srv_ssh

## Package Management
wtd_srv_ssh_package: "openssh-server"
# State can be present|latest|absent
wtd_srv_ssh_package_state: "present"

## Configuration Management
# Specify the banner file
wtd_srv_ssh_conf_banner: ""
# Per default some Compliance Standards are applied. You can review them in the
# README.md or the templates.
# You can specify additional configuration.
wtd_srv_ssh_conf:
  Port: "22"
# You can define a banner [builtin|<path>], where "builtin" will use the
# template from this role.
  Banner: "builtin"
# key: "value"
# key: "value"
# Defining the banner this way will use the banner template, which is the
# default behavior.

## Service Management
wtd_srv_ssh_service: "sshd"
# State can be started|stopped
wtd_srv_ssh_service_state: "started"
wtd_srv_ssh_service_enabled: true

## Firewalld Management
wtd_srv_ssh_fw_mgmt: true
wtd_srv_ssh_fw_port: "{{ wtd_srv_ssh_conf.Port }}/tcp"
# State can be enabled|disabled
wtd_srv_ssh_fw_state: "enabled"
# Zone can be according to defined zones on your machine.
wtd_srv_ssh_fw_zone: "public"

Example Playbook

Running Ansible Roles can be done in a playbook.

Simple

---
- hosts: all
  roles:
    - role: while_true_do.srv_ssh

Advanced

Configure another ssh port, disable password login and use the builtin banner.

- hosts: all
  roles:
    - role: while_true_do.srv_ssh
      wtd_srv_ssh_conf:
        Port: "19022"
        PasswordAuthentication: "no"
        Banner: "builtin"
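
The following is an added example, not part of the role or its test suite: a small Python check that a rendered sshd_config really carries the Port and PasswordAuthentication values from the Advanced playbook, given that sshd uses the first value it obtains for a keyword and that Match blocks can set a different one. The function names and both sample files are constructed for illustration; Banner is not checked because the path that "builtin" renders to is not stated here.

```python
MULTI_VALUED = {"port"}  # sshd accepts several Port lines and listens on all

# Values from the "Advanced" playbook (Banner left out, see the note above).
EXPECTED = {"Port": "19022", "PasswordAuthentication": "no"}

# Constructed sample: stale lines left above the managed ones, plus a Match block.
DRIFTED = """\
Port 22
Port 19022
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
# Constructed sample: keywords are case-insensitive, so this one is clean.
CLEAN = "# constructed sample\nPort 19022\npasswordauthentication no\n"


def parse(text):
    """Return (global settings {key: [values]}, [(match, key, value)])."""
    settings, in_match, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value  # everything below is conditional
        elif match is not None:
            in_match.append((match, key, value))
        elif key in MULTI_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, [value])  # first value obtained wins
    return settings, in_match


def audit(text, expected=EXPECTED):
    """Return findings; an empty list means the file matches `expected`."""
    settings, in_match = parse(text)
    findings = []
    for name, want in expected.items():
        got = settings.get(name.lower())
        if got != [want]:
            findings.append(f"{name}: effective {got}, expected {want}")
        for match, key, value in in_match:
            if key == name.lower() and value != want:
                findings.append(f"{name}: '{value}' under Match {match}")
    return findings
```

On a live host, `sshd -T` prints the effective configuration after parsing and is the authoritative check; the parser above is for reviewing a rendered file offline.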

Known Issues

  1. RedHat Testing is currently not possible in public, due to limitations in subscriptions.
  2. Some services and features cannot be tested properly, due to limitations in docker.

Testing

Most of the "generic" tests are located in the Test Library.

Ansible specific testing is done with Molecule.

Infrastructure testing is done with testinfra.

Automated testing is done with Travis CI.

Contribute

Thank you so much for considering contributing. We are very happy when somebody joins the hard work. Please feel free to open Bugs, Feature Requests or Pull Requests after reading the Contribution Guideline.

See who has contributed already in the kudos.txt.

License

This work is licensed under a BSD-3-Clause License.

Contact