Split server part into "server.yml" tasks

2022-05-12 15:39:41 +02:00 · 2022-05-12 15:39:41 +02:00 · 9cb7172cda
parent 8c96e48deb
commit 9cb7172cda
2 changed files with 60 additions and 56 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -32,62 +32,8 @@
    - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml"
    - "os_default.yml"

-
- name: Backup sshd_config
-  copy:
-    src: "{{ ssh_hardening_sshd_config }}"
-    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
-    remote_src: yes
-    owner: root
-    group: root
-    mode: 0600
-
 ####################

- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
-  lineinfile:
-    dest: "{{ ssh_hardening_sshd_config }}"
-    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
-    state: absent
-  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
-  notify: Restart SSH
-
-
- name: "Hostkeys: Enable (RSA &) ED25519"
-  lineinfile:
-    dest: "{{ ssh_hardening_sshd_config }}"
-    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
-    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
-  loop: '{{ ssh_hardening_hostkeys }}'
-  notify: Restart SSH
-
-
- name: "Renew RSA hostkeys if too short"
-  openssh_keypair:
-    path: /etc/ssh/ssh_host_rsa_key
-    type: rsa
-    size: 4096
-  when: '"rsa" in ssh_hardening_hostkeys'
-
-####################
-
- name: "INCLUDE: Remove small Diffie-Hellman moduli"
-  include_tasks: moduli.yml
-
-####################
-
- name: "Check for crypto-policies"
-  stat:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
-  register: ssh_hardening_use_policies
-
-
- name: "The (RedHat) crypto policy way..."
-  include_tasks: restrictions_crypto_policy.yml
-  when: ssh_hardening_use_policies.stat.exists
-
-
- name: "The standard config way..."
-  include_tasks: restrictions_configfile.yml
-  when: not ssh_hardening_use_policies.stat.exists
+- name: "INCLUDE: Server hardening"
+  include_tasks: server.yml

--- a/tasks/server.yml
+++ b/tasks/server.yml
@ -0,0 +1,58 @@
+---
+- name: Backup sshd_config
+  copy:
+    src: "{{ ssh_hardening_sshd_config }}"
+    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
+    remote_src: yes
+    owner: root
+    group: root
+    mode: 0600
+
+
+- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
+  lineinfile:
+    dest: "{{ ssh_hardening_sshd_config }}"
+    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
+    state: absent
+  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
+  notify: Restart SSH
+
+
+- name: "Hostkeys: Enable (RSA &) ED25519"
+  lineinfile:
+    dest: "{{ ssh_hardening_sshd_config }}"
+    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
+    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
+  loop: '{{ ssh_hardening_hostkeys }}'
+  notify: Restart SSH
+
+
+- name: "Renew RSA hostkeys if too short"
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_rsa_key
+    type: rsa
+    size: 4096
+  when: '"rsa" in ssh_hardening_hostkeys'
+
+####################
+
+- name: "INCLUDE: Remove small Diffie-Hellman moduli"
+  include_tasks: moduli.yml
+
+####################
+
+- name: "Check for crypto-policies"
+  stat:
+    path: /etc/crypto-policies/back-ends/opensshserver.config
+  register: ssh_hardening_use_policies
+
+
+- name: "The (RedHat) crypto policy way..."
+  include_tasks: restrictions_crypto_policy.yml
+  when: ssh_hardening_use_policies.stat.exists
+
+
+- name: "The standard config way..."
+  include_tasks: restrictions_configfile.yml
+  when: not ssh_hardening_use_policies.stat.exists
+