ssh-hardening/tasks/restrictions_configfile.yml

---
- name: Check for Include directory
  shell: "awk '/^[^#]*Include/ { print $2; }' /etc/ssh/sshd_config"
  changed_when: False
  register: ssh_hardening_includedir


- name: Write restrictions to include file
  template:
    src: 'sshd_config_hardening.j2'
    dest: '{{ ssh_hardening_includedir.stdout_lines.0|dirname + "/ssh-hardening.conf" }}'
    owner: root
    group: root
    mode: 0600
    backup: yes
  when: ssh_hardening_includedir.stdout_lines|length > 0
  notify: Restart SSH


- name: Write restrictons block to sshd_config
  blockinfile:
    path: '{{ ssh_hardening_sshd_config }}'
    block: '{{ lookup("template", "sshd_config_hardening.j2") }}'
    insertbefore: '^# Logging'
    marker: '# {mark} ANSIBLE ROLE ssh-hardening'
  when: ssh_hardening_includedir.stdout_lines|length == 0
  notify: Restart SSH
First snapshot 2021-10-11 20:58:09 +00:00			`---`
			`- name: Check for Include directory`
Fix Include statement detection (starting with Alpine 3.19) 2024-07-10 09:15:11 +00:00			`shell: "awk '/^[^#]*Include/ { print $2; }' /etc/ssh/sshd_config"`
First snapshot 2021-10-11 20:58:09 +00:00			`changed_when: False`
			`register: ssh_hardening_includedir`


			`- name: Write restrictions to include file`
			`template:`
			`src: 'sshd_config_hardening.j2'`
			`dest: '{{ ssh_hardening_includedir.stdout_lines.0\|dirname + "/ssh-hardening.conf" }}'`
			`owner: root`
			`group: root`
			`mode: 0600`
			`backup: yes`
			`when: ssh_hardening_includedir.stdout_lines\|length > 0`
			`notify: Restart SSH`


			`- name: Write restrictons block to sshd_config`
			`blockinfile:`
			`path: '{{ ssh_hardening_sshd_config }}'`
			`block: '{{ lookup("template", "sshd_config_hardening.j2") }}'`
			`insertbefore: '^# Logging'`
			`marker: '# {mark} ANSIBLE ROLE ssh-hardening'`
			`when: ssh_hardening_includedir.stdout_lines\|length == 0`
			`notify: Restart SSH`