added tasks for a bastion host

roles/bastion/tasks/openssh_hardening.yml

@@ -0,0 +1,38 @@
+---
+- name: system setup | openssh | copy hardened sshd config for bastion
+  tags: openssh,ssh,system,settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/hardened.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # This file is managed by Ansible for the bastion role
+      # It overwrites/complements settings from the base role.
+      LogLevel VERBOSE
+      MaxAuthTries 3
+      PubkeyAuthentication yes
+      AuthorizedKeysFile      .ssh/authorized_keys
+      PasswordAuthentication no
+      UsePAM yes
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      X11Forwarding no
+      PrintMotd no
+      
+      # Harden Ciphers and Algorithms
+      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+      HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+      PrintLastLog no
+      TCPKeepAlive yes
+      Subsystem       sftp    /usr/lib/ssh/sftp-server
+      AcceptEnv *
+      AllowUsers lowpriv sshjumpuser
+
+      Match User lowpriv,sshjumpuser
+              AllowAgentForwarding yes
+              AllowTcpForwarding yes
+  notify: [ "restart_sshd", "update aide database" ]