resist-vpn-infra/roles/system_hardening/tasks/ssh.yml

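---
# SSH Hardening Tasks
#
# Task order: sshd_config is templated and validated with `sshd -t` BEFORE
# the host-key tasks below run. If sshd_config.j2 references a HostKey that
# does not exist yet (e.g. the ed25519 key generated later in this file),
# validation may warn or fail on a fresh host.
# NOTE(review): confirm against sshd_config.j2, or move the host-key tasks
# ahead of "Configure SSH daemon".

- name: Backup original sshd_config
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config.backup
    remote_src: true
    # Keep the first backup as the pristine reference; never overwrite it
    # on re-runs.
    force: false

- name: Configure SSH daemon
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    # Reject a broken rendered config before it replaces the live one;
    # %s is the temporary rendered file Ansible hands to the validator.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

- name: Ensure SSH directory exists for root
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Generate strong SSH host keys
  # `ssh-keygen -A` creates every missing default host key type; on some
  # OpenSSH versions that still includes dsa/ecdsa, which the next task
  # removes again. `creates` keeps the task idempotent.
  ansible.builtin.command: ssh-keygen -A
  args:
    creates: /etc/ssh/ssh_host_ed25519_key

- name: Remove weak SSH host keys
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub

- name: Set permissions on SSH host keys
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: '0600'
  loop:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_ed25519_key
  # NOTE(review): this is the only task gated on os_family == "Debian",
  # yet the key paths are distro-independent. Confirm the condition is
  # intentional rather than a leftover; on non-Debian hosts the private
  # keys keep whatever mode ssh-keygen gave them.
  when: ansible_facts['os_family'] == "Debian"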