
# Install the OpenSSH daemon package, or upgrade it when a newer build is
# available in the configured repositories.
# NOTE(review): `state: latest` leaves the installed version unpinned, so
# every run may upgrade sshd; confirm that is the intended update policy.
- name: system setup | openssh | install or update daemon package
  package:
    name: "{{ openssh_package }}"
    state: latest
  # restart_sshd is expected to be a handler defined elsewhere; it only
  # fires when this task reports a change.
  notify: restart_sshd
  tags:
    - openssh
    - ssh
    - system
    - settings
# Make sure the SSH daemon is enabled at boot and running now.
- name: system setup | openssh | enable daemon
  service:
    name: "{{ openssh_service }}"
    state: started
    enabled: true
  tags:
    - openssh
    - ssh
    - system
    - settings
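# Create the drop-in directory that the sshd custom config is copied into.
# Ownership and mode are set explicitly so the directory that feeds sshd's
# configuration is root-owned and not writable by group or others, instead
# of inheriting whatever the umask yields at creation time.
- name: system setup | openssh | create config dir
  # Tagged like the copy task that depends on this directory, so a run
  # limited to the openssh tag still creates it before the copy.
  tags:
    - openssh
    - ssh
    - system
    - settings
  file:
    path: "/etc/ssh/sshd_config.d"
    state: directory
    owner: root
    group: root
    mode: '0755'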
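# Ensure the main sshd_config pulls in the drop-in directory.
# sshd uses the first value it obtains for each keyword, so the Include has
# to come before any directive it is meant to override. The line is therefore
# inserted at the beginning of the file: anchoring on a "Port" line falls
# back to appending at end of file when no such line exists, which would let
# the main file's settings win over the drop-ins.
# If the exact line is already present anywhere in the file, nothing changes.
# NOTE(review): the Include keyword in sshd_config needs OpenSSH 8.2 or
# newer; on older daemons this line makes the config invalid.
# NOTE(review): there is no `validate` step here, so a broken config is only
# noticed when the handler restarts sshd.
- name: system setup | openssh | include sshd config dir in configuration
  # Tagged like the other openssh tasks so tag-limited runs stay consistent.
  tags:
    - openssh
    - ssh
    - system
    - settings
  lineinfile:
    path: "/etc/ssh/sshd_config"
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    state: present
    insertbefore: BOF
  notify: restart_sshd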
# Deploy the daemon-side drop-in config, overwriting any existing copy.
# The file is root-owned and world-readable (0644); its contents are not
# visible here.
# NOTE(review): these settings only take effect if sshd_config includes
# /etc/ssh/sshd_config.d/*.conf ahead of conflicting directives.
- name: system setup | openssh | copy sshd custom config
  copy:
    src: system_setup/sshd_custom.conf
    dest: /etc/ssh/sshd_config.d/custom.conf
    owner: root
    group: root
    mode: '0644'
    force: true
  notify: restart_sshd
  tags:
    - openssh
    - ssh
    - system
    - settings
# Deploy the client-side drop-in config, overwriting any existing copy.
# No handler is notified: this file is the ssh client's, not the daemon's.
# NOTE(review): no task shown here creates /etc/ssh/ssh_config.d; presumably
# the package provides it - confirm on the target distributions.
- name: system setup | openssh | copy ssh client custom config
  copy:
    src: system_setup/ssh_custom.conf
    dest: /etc/ssh/ssh_config.d/custom.conf
    owner: root
    group: root
    mode: '0644'
    force: true
  tags:
    - openssh
    - ssh
    - system
    - settings
# Install fail2ban, or upgrade it when the repositories carry a newer build.
# NOTE(review): as with the sshd package, `state: latest` does not pin a
# version.
- name: system setup | openssh | install fail2ban
  package:
    name: fail2ban
    state: latest
  # restart_fail2ban is expected to be a handler defined elsewhere.
  notify: restart_fail2ban
  tags:
    - fail2ban
    - ssh
    - system
    - settings
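# Enable fail2ban at boot and make sure it is running now.
# `state: started` mirrors the sshd service task: with `enabled` alone, a
# host where fail2ban is already enabled but stopped reports no change, the
# handler never fires, and the service stays down.
- name: system setup | openssh | enable fail2ban
  tags:
    - fail2ban
    - ssh
    - system
    - settings
  service:
    name: fail2ban
    enabled: true
    state: started
  notify: restart_fail2ban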
# Deploy the local jail definitions for fail2ban as a root-owned 0644 file
# and restart the service when the file changes.
# The jail contents (which services are watched, ban thresholds) live in
# system_setup/jail.local and are not visible here.
- name: system setup | openssh | copy local jail for fail2ban
  copy:
    src: system_setup/jail.local
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
  notify: restart_fail2ban
  tags:
    - fail2ban
    - ssh
    - system
    - settings
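# Create sshd's privilege separation directory.
# sshd refuses to start unless this directory is owned by root and is not
# group- or world-writable, so ownership and mode are set explicitly rather
# than left to the umask in effect when the task runs.
# NOTE(review): this task runs after the task that starts the daemon; on
# hosts where nothing else creates /run/sshd, consider moving it earlier.
- name: system setup | openssh | creating privilege separation directory
  tags:
    - ssh
    - system
    - settings
  file:
    path: "/run/sshd"
    state: directory
    owner: root
    group: root
    mode: '0755'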