Internalise SSH config and make it generic to all hosts

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "ansible/files/ssh"]
-	path = ansible/files/ssh
-	url = https://github.com/RealOrangeOne/ansible-ssh-bastion

ansible/files/ssh

@@ -1 +0,0 @@
-Subproject commit 02c8000af47f8db2fb9ca32324a26ddf8c7ec405

ansible/main.yml

@@ -4,5 +4,9 @@
 
 - hosts: casey
   roles:
-    - ssh-bastion
+    - ssh
     - gateway
+
+- hosts: intersect
+  roles:
+    - ssh

ansible/roles/ssh/files/sshd_config

@@ -0,0 +1,86 @@
+# TCP port to bind to
+# Change to a high/odd port if this server is exposed to the internet directly
+Port 7743
+
+# Deny all other users besides the following
+AllowUsers {{ user }}
+
+# Bind to all interfaces (change to specific interface if needed)
+ListenAddress 0.0.0.0
+
+# Force SSHv2 Protocol
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Public key authentication + Password authentication
+# Two-Factor Authentication in OpenSSH v6.2+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+
+# Disable root SSH access
+PermitRootLogin no
+
+# Client timeout (5 minutes)
+ClientAliveInterval 300
+ClientAliveCountMax 0
+
+# Compression (only after authentication)
+Compression delayed
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication must happen within 30 seconds
+LoginGraceTime 30
+
+PermitEmptyPasswords no
+
+# Check user folder permissions before allowing access
+StrictModes yes
+
+# Message Authentication Code (Hash, only SHA2-512)
+# SHA-256 included for compat with PuTTY-WinCrypt clients
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+# Ciphers (only secure AES-256)
+Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+
+# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
+# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
+KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
+
+# Don’t read the user’s ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# Disable unused authentication schemes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM no
+
+# X11 support
+X11Forwarding no
+
+# Don’t show Message of the Day
+PrintMotd yes
+
+# TCPKeepAlive (non-tunneled, disabled)
+TCPKeepAlive no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp internal-sftp

ansible/roles/ssh/tasks/main.yml

@@ -11,7 +11,7 @@
 
 - name: SSH config
   template:
-    src: files/ssh/sshd_config_bastion
+    src: files/sshd_config
     dest: /etc/ssh/sshd_config
     validate: /usr/sbin/sshd -t -f %s
     backup: yes