From 3a0e231bf3630629f4b540c1bdbaf89213579ff7 Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Tue, 9 Apr 2024 17:57:38 +0200
Subject: [PATCH] Configure the SSH hardening role

This one is also disabled since it's not super useful to run more than once. This role however doesn't report changes on reruns (as we've seen for the os_hardening role).
---
 playbook.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/playbook.yml b/playbook.yml
index d225158..c8ab685 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,12 +6,17 @@
 # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
 # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
 # - devsec.hardening.os_hardening
+ # - devsec.hardening.ssh_hardening
 vars:
 # devsec.hardening.os_hardening vars:
 os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
 os_cron_enabled: false # Cron isn't needed for the installation.
 sysctl_overwrite:
 vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
+ # devsec.hardening.ssh_hardening vars:
+ ssh_allow_users: 'thomas'
+ ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
+ ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
 tasks:
 # Disable warning on updating latest packages, it should be safe enough for this system.
 - name: Update all packages to their latest version # noqa: package-latest
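Review bot: The two "duplicated here for documentation" vars describe the SSH client, not the server that the LAN-only comment is reasoning about: in devsec.hardening.ssh_hardening, `ssh_client_port` is the outgoing client's default port and `ssh_client_password_login` is whether the client offers password authentication, while the daemon's listening port and its acceptance of password login are `ssh_server_ports` and `ssh_server_password_login`. If the intent is to record that the daemon stays on port 22 and refuses password login, the lines to add are `ssh_server_ports: ['22'] # Default; host is only reachable via LAN, so left unchanged.` and `ssh_server_password_login: false # Default, duplicated here for documentation purpose.`, keeping or dropping the client-side pair as wanted. Because the role itself is added commented out, none of these vars take effect until it is re-enabled, and at that point `ssh_allow_users: 'thomas'` makes sshd reject every other account, so the Ansible connection user should be confirmed to be `thomas` before the role is switched on. The enclosing play starts before the hunk and its tasks list continues after it.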