add sshd config for PSS NAS

defaults/main.yml

@@ -14,6 +14,7 @@ pss_nas_software_files:
   - test.zip
 
 pss_nas_softs_owner: root
+pss_bastion_host: pss_bastion_01.tn.esss.lu.se
 
 pss_soft_artifactory_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256

handlers/main.yml

@@ -13,3 +13,8 @@
   with_items:
     - { key: 'AutomaticAction', value: 'delete' }
     - { key: 'ScanArchives', value: 'enabled' }
+
+- name: restart_ssh
+  service:
+    name: sshd
+    state: restarted

tasks/custom_pss.yml

@@ -23,3 +23,11 @@
     owner: root
     group: root
     mode: 0644
+- name: manage ssh allowed users for PSS NAS
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart_ssh

tasks/main.yml

@@ -13,6 +13,7 @@
     - tcpdump
     - samba-winbind
     - samba-winbind-clients
+    - openssh-server
 
 - name: setup smb.conf
   template:

templates/sshd_config.j2

+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTHPRIV
+AuthorizedKeysFile  .ssh/authorized_keys
+PasswordAuthentication yes
+ChallengeResponseAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+UsePAM yes
+X11Forwarding yes
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+Subsystem sftp  /usr/libexec/openssh/sftp-server
+Match User csi
+    PasswordAuthentication no
+AllowUsers  csi@172.16.50.11 csi@pss-bastion-01.tn.esss.lu.se