Add debian common role

common-debian/tasks/ssh.yml

@@ -0,0 +1,56 @@
+---
+- name: install ssh configuration files
+  template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    mode: 0644
+  notify:
+    - restart ssh
+  loop:
+    - etc/ssh/ssh_config
+    - etc/ssh/sshd_config
+    - etc/ssh/shosts.equiv
+    - etc/ssh/ssh_known_hosts
+    - etc/pam.d/sshd
+
+- name: clean up unwanted ssh host keys (DSA and ECDSA)
+  file:
+    name: "{{ item }}"
+    state: absent
+  notify:
+    - restart ssh
+  loop:
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_dsa_key.pub
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ecdsa_key.pub
+
+- name: correct permissions on host keys
+  file:
+    dest: "{{ item.name }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - name: /etc/ssh/ssh_host_rsa_key
+      mode: "0600"
+    - name: /etc/ssh/ssh_host_rsa_key.pub
+      mode: "0644"
+    - name: /etc/ssh/ssh_host_ed25519_key
+      mode: "0600"
+    - name: /etc/ssh/ssh_host_ed25519_key.pub
+      mode: "0644"
+
+- name: install fail2ban configuration files
+  template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    mode: 0644
+  notify:
+    - restart fail2ban
+  loop:
+    - etc/fail2ban/action.d/route.conf
+    - etc/fail2ban/filter.d/sshd.conf
+    - etc/fail2ban/jail.d/global.local
+    - etc/fail2ban/jail.d/sshd.conf
+    - etc/fail2ban/jail.d/sshd.local
+
+- meta: flush_handlers