xoxys.sshd/tasks/ssh_default.yml

---
- block:
    - name: Hardening sshd config
      template:
        src: etc/ssh/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: 0600
      notify: __sshd_restart

    - name: Check if /etc/ssh/moduli contains weak DH parameters
      shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
      register: __sshd_register_moduli
      changed_when: False
      check_mode: no

    - name: Remove all small primes
      shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
            [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
      notify: __sshd_restart
      when: __sshd_register_moduli.stdout

    - name: Create SSH Usergroup
      group:
        name: "{{ item }}"
        state: present
      loop: "{{ sshd_allow_groups }}"
  become: True
  become_user: root
initial commit 2019-11-02 18:10:39 +00:00			`---`
			`- block:`
			`- name: Hardening sshd config`
			`template:`
			`src: etc/ssh/sshd_config.j2`
			`dest: /etc/ssh/sshd_config`
			`owner: root`
			`group: root`
			`mode: 0600`
			`notify: __sshd_restart`

			`- name: Check if /etc/ssh/moduli contains weak DH parameters`
			`shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli`
			`register: __sshd_register_moduli`
			`changed_when: False`
			`check_mode: no`

			`- name: Remove all small primes`
			`shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;`
			`[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli \|\| true`
			`notify: __sshd_restart`
			`when: __sshd_register_moduli.stdout`

			`- name: Create SSH Usergroup`
			`group:`
			`name: "{{ item }}"`
			`state: present`
			`loop: "{{ sshd_allow_groups }}"`
			`become: True`
			`become_user: root`