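# SSH hardening role
# Purpose: change the listening port, configure key-based authentication,
# disable password login.
#
# Required variables (supplied by role defaults / the caller, not defined here):
#   ssh_pubkey   - public key installed into root's authorized_keys
#   ssh_new_port - port sshd listens on after the template is applied
#
# Task order is deliberate: the public key is installed BEFORE the new
# sshd_config is deployed, so a template that disables password authentication
# cannot lock the operator out. The template itself (sshd_config.j2) is not
# part of this file.
---
- name: Ensure .ssh directory exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: '0700'

- name: Add SSH public key
  ansible.builtin.authorized_key:
    user: root
    key: "{{ ssh_pubkey }}"
    state: present

# force: false leaves an existing backup untouched on later runs, so the
# pristine pre-hardening config is kept rather than overwritten by a
# previously hardened one.
- name: Backup original sshd_config
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config.bak
    remote_src: true
    force: false

# validate runs sshd's syntax check on the rendered temp file (%s) before it
# is moved into place, so a broken template never reaches /etc/ssh/sshd_config.
- name: Deploy secure sshd_config
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    mode: '0600'
    validate: '/usr/sbin/sshd -t -f %s'
  register: sshd_config

# NOTE(review): the unit is named 'ssh' rather than 'sshd' on Debian/Ubuntu;
# confirm against the target distribution before relying on this name.
- name: Restart sshd service
  ansible.builtin.systemd:
    name: sshd
    state: restarted
  when: sshd_config is changed

# Point the remaining tasks of this play at the new port. Only done when the
# config actually changed, so an unchanged run keeps connecting as before.
- name: Update ansible_port to new SSH port
  ansible.builtin.set_fact:
    ansible_port: "{{ ssh_new_port }}"
  when: sshd_config is changed

# Runs on the controller (delegate_to: localhost, no privilege escalation)
# and blocks until the new port accepts TCP connections, so a failed restart
# surfaces here instead of as a connection error on the next task.
# ansible_host may be undefined when the inventory does not set it
# explicitly, hence the fallback to inventory_hostname.
- name: Wait for SSH on new port
  ansible.builtin.wait_for:
    port: "{{ ssh_new_port }}"
    host: "{{ ansible_host | default(inventory_hostname) }}"
    delay: 5
    timeout: 60
  delegate_to: localhost
  become: false
  when: sshd_config is changed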