Post-Tyranny-Tech-Infrastru.../ansible/roles/common/tasks/ssh.yml

---
# SSH hardening configuration

- name: Configure SSH daemon
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin {{ common_ssh_permit_root_login }}' }
    - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication {{ common_ssh_password_authentication }}' }
    - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication {{ common_ssh_pubkey_authentication }}' }
    - { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
    - { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }
    - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
  notify: Restart SSH

- name: Ensure SSH is running and enabled
  service:
    name: ssh
    state: started
    enabled: yes
WIP: Ansible base configuration - common role (#2) Progress on Issue #2: Ansible Base Configuration Completed: - ✅ Ansible installed via pipx (isolated Python environment) - ✅ Hetzner Cloud dynamic inventory configured - ✅ Ansible configuration (ansible.cfg) - ✅ Common role for base system hardening: - SSH hardening (key-only, no root password) - UFW firewall configuration - Fail2ban for SSH protection - Automatic security updates - Timezone and system packages - ✅ Comprehensive Ansible README with setup guide Architecture Updates: - Added Decision #15: pipx for isolated Python environments - Updated ADR changelog with pipx adoption Still TODO for #2: - Docker role - Traefik role - Setup playbook - Deploy playbook - Testing against live server Files added: - ansible/README.md - Complete Ansible guide - ansible/ansible.cfg - Ansible configuration - ansible/hcloud.yml - Hetzner dynamic inventory - ansible/roles/common/* - Base hardening role Partial progress on #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 14:00:22 +01:00			`---`
			`# SSH hardening configuration`

			`- name: Configure SSH daemon`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: "{{ item.regexp }}"`
			`line: "{{ item.line }}"`
			`state: present`
			`with_items:`
			`- { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin {{ common_ssh_permit_root_login }}' }`
			`- { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication {{ common_ssh_password_authentication }}' }`
			`- { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication {{ common_ssh_pubkey_authentication }}' }`
			`- { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }`
			`- { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }`
			`- { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }`
			`notify: Restart SSH`

			`- name: Ensure SSH is running and enabled`
			`service:`
			`name: ssh`
			`state: started`
			`enabled: yes`