Merge SSH into base role

ansible/roles/base/files/sshd_config

@@ -0,0 +1,86 @@
+# TCP port to bind to
+# Change to a high/odd port if this server is exposed to the internet directly
+Port 7743
+
+# Deny all other users besides the following
+AllowUsers {{ user }}
+
+# Bind to all interfaces (change to specific interface if needed)
+ListenAddress 0.0.0.0
+
+# Force SSHv2 Protocol
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Public key authentication + Password authentication
+# Two-Factor Authentication in OpenSSH v6.2+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+
+# Disable root SSH access
+PermitRootLogin no
+
+# Client timeout
+ClientAliveInterval 600
+ClientAliveCountMax 0
+
+# Compression (only after authentication)
+Compression delayed
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication must happen within 30 seconds
+LoginGraceTime 30
+
+PermitEmptyPasswords no
+
+# Check user folder permissions before allowing access
+StrictModes yes
+
+# Message Authentication Code (Hash, only SHA2-512)
+# SHA-256 included for compat with PuTTY-WinCrypt clients
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+# Ciphers (only secure AES-256)
+Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+
+# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
+# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
+KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# Disable unused authentication schemes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM no
+
+# X11 support
+X11Forwarding no
+
+# Don't show Message of the Day
+PrintMotd yes
+
+# TCPKeepAlive (non-tunneled, disabled)
+TCPKeepAlive no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp internal-sftp

ansible/roles/base/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Packages
+  include: packages.yml
+
+- name: User
+  include: user.yml
+
+- name: SSH
+  include: ssh.yml

ansible/roles/base/tasks/packages.yml

@@ -0,0 +1,13 @@
+- name: Install Base Packages
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - htop
+    - neofetch
+    - net-tools
+    - pv
+    - speedtest-cli
+    - sudo
+    - vim
+    - git

ansible/roles/base/tasks/ssh.yml

@@ -0,0 +1,38 @@
+- name: Install OpenSSH for Debian
+  package:
+    name: openssh-server
+  become: true
+  when: ansible_os_family == 'Debian'
+
+- name: Install OpenSSH for Arch
+  package:
+    name: openssh
+  become: true
+  when: ansible_os_family == 'ArchLinux'
+
+- name: Define context
+  set_fact:
+    user: jake
+    enable_root: false
+
+- name: SSH config
+  template:
+    src: files/sshd_config
+    dest: /etc/ssh/sshd_config
+    validate: /usr/sbin/sshd -t -f %s
+    backup: yes
+  become: true
+  register: sshd_config
+
+- name: Enable SSH
+  service:
+    name: sshd
+    enabled: true
+  become: true
+
+- name: Restart SSH Daemon
+  service:
+    name: sshd
+    state: reloaded
+  when: sshd_config.changed
+  become: true

ansible/roles/base/tasks/user.yml

@@ -0,0 +1,14 @@
+- name: Make me
+  user:
+    name: "{{ user }}"
+    home: "{{ home }}"
+    comment: Jake Howard
+    shell: /bin/bash
+    system: true
+  become: true
+
+- name: Give user sudo access
+  lineinfile:
+    path: /etc/sudoers
+    line: "{{ user }} ALL=(ALL) ALL"
+  become: true