Add openssh_client role

marcwrobel · Feb 2, 2025 · 54233ca · 54233ca
1 parent 1073148
commit 54233ca
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 2 deletions.
diff --git a/.ansible/roles/openssh_client/README.md b/.ansible/roles/openssh_client/README.md
@@ -0,0 +1,7 @@
+# openssh_server
+
+Install the OpenSSH client.
+
+## Links
+
+- [OpenSSH](https://www.openssh.com/)
diff --git a/.ansible/roles/openssh_client/tasks/main.yml b/.ansible/roles/openssh_client/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install
+  ansible.builtin.package:
+    name: "openssh-client"
+    state: "present"
+  become: true
+
+- name: Remove unnecessary files
+  ansible.builtin.file:
+    path: "/etc/ssh/ssh_config.d"
+    state: "absent"
+  become: true
+
+- name: Configure
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  loop:
+    - "etc/ssh/ssh_config"
+  become: true
diff --git a/.ansible/roles/openssh_client/templates/etc/ssh/ssh_config.j2 b/.ansible/roles/openssh_client/templates/etc/ssh/ssh_config.j2
@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+
+# See https://man.openbsd.org/ssh_config.
+
+# Sane (overridable) default for all users.
+Host *
+  IdentityFile ~/.ssh/id_ed25519
+  IdentityFile ~/.ssh/id_ecdsa
+  IdentityFile ~/.ssh/id_rsa
+
+  # Authentication
+  HostbasedAuthentication no
+  PasswordAuthentication no
+  GSSAPIAuthentication no
+  ChallengeResponseAuthentication no
+
+  # Ciphers and algorithms, see https://infosec.mozilla.org/guidelines/openssh#modern.
+  HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa,[email protected],[email protected],[email protected],ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
+  KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+  Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
+  MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
+
+  # Misc
+  CheckHostIP yes
+  StrictHostKeyChecking ask
+  HashKnownHosts yes
+  ForwardAgent no
+  ForwardX11 no
+  Tunnel no
+  PermitLocalCommand no
+  RekeyLimit 1G 1h
+
+  # Pass locale environment variables
+  SendEnv LANG LC_*
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
+.ansible/.lock
 .idea
 .venv
diff --git a/dotfiles/.gnupg/gpg-agent.conf b/dotfiles/.gnupg/gpg-agent.conf
@@ -0,0 +1 @@
+enable-ssh-support
diff --git a/setup.yml b/setup.yml
@@ -1,5 +1,5 @@
 ---
-- name: "Set up local environment"
+- name: "Set up a local Debian environment"
   hosts: localhost
   connection: local
   roles:
@@ -19,8 +19,9 @@
             repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
             state: "present"
 
+    - { role: "openssh_client", tags: ["ssh"] }
     - { role: "git", tags: ["git"] }
-    - { role: "etckeeper", tags: ["etckeeper"] }
+    - { role: "etckeeper", tags: ["etc"] }
     - { role: "vim", tags: ["vim"] }
 
     - role: "packages"