---
# tasks to enable secure OpenSSH server config
# mozilla values set as from
#   https://infosec.mozilla.org/guidelines/openssh
- name: "sshd_config - disable weak keys"
  lineinfile:
    dest=/etc/ssh/sshd_config
    backrefs=yes
    line={{ item.line }}
    regexp={{ item.regexp }}
  with_items:
    #- { regexp: '^#HostKey /etc/ssh/ssh_host_rsa_key',
    #    line: 'HostKey /etc/ssh/ssh_host_rsa_key' }
    - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key',
        line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
    #- { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key',
    #    line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
    #- { regexp: '^#HostKey /etc/ssh/ssh_host_ed25519_key',
    #    line: 'HostKey /etc/ssh/ssh_host_ed25519_key' }
  notify: "restart sshd"


- name: "Set supported host key algorithms by order of preference"
  ansible.builtin.blockinfile:
      path: /etc/ssh/sshd_config
      block: |
          # Supported HostKey algorithms by order of preference.
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_ecdsa_key
  notify: "restart sshd"

          
- name: "sshd_config - set key bits to 4096"
  lineinfile:
    dest=/etc/ssh/sshd_config
    backrefs=yes
    line='ServerKeyBits 4096'
    regexp='^ServerKeyBits 1024'
    state=present
  notify: "restart sshd"


- name: "sshd_config - set secure ciphers from mozilla guidelines"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    state=present
  notify: "restart sshd"


- name: "sshd_config - set secure MACs from mozilla guidelines and ssh-audit.py"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
    state=present
  notify: "restart sshd"


    # line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512'
- name: "sshd_config - set secure kex algos from mozilla guidelines"
  lineinfile:
    dest=/etc/ssh/sshd_config
    line='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
    state=present
  notify: "restart sshd"


- name: "sshd_config - set log level"
  lineinfile:
      dest: /etc/ssh/sshd_config
      line: "LogLevel VERBOSE"
      state: present
  notify: "restart sshd"


- name: "sshd_config - enable sftp logging"
  lineinfile:
      dest: /etc/ssh/sshd_config
      line: "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"
      regexp: "^Subsystem sftp  /usr/lib/openssh/sftp-server"
      backrefs: yes
      state: present
  notify: "restart sshd"


- name: "sshd_config - use privilage separation"
  lineinfile:
      dest: /etc/ssh/sshd_config
      line: "UsePrivilegeSeparation sandbox"
      state: present
  notify: "restart sshd"


- name: "remove short moduli (<2048 bits) from /etc/ssh/moduli"
  replace:
    dest=/etc/ssh/moduli
    regexp='^([0-9]+\s){4}([12][0-9]{3}\s)'
  notify: "restart sshd"