From 45c0f25ce0436968e65b21b111ac7f7517e83472 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Mon, 20 Jan 2025 14:58:08 +0100 Subject: [PATCH] debian: disable SSH password authentication Oops. Also do it for proxmox-backup role even though SSH in default VRF is disabled there, so it will be easier to deduplicate these roles when someone gets around to it. --- roles/debian/handlers/main.yml | 6 ++++++ roles/debian/tasks/main.yml | 12 ++++++++++++ roles/proxmox-backup/handlers/main.yml | 6 ++++++ roles/proxmox-backup/tasks/main.yml | 12 ++++++++++++ 4 files changed, 36 insertions(+) diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml index b6b8c36..49b89db 100644 --- a/roles/debian/handlers/main.yml +++ b/roles/debian/handlers/main.yml @@ -5,3 +5,9 @@ - name: reload interfaces command: ifreload -a when: "'handler' not in ansible_skip_tags" + +- name: reload sshd + service: + name: sshd + state: reloaded + when: "'handler' not in ansible_skip_tags" diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml index 2a39abc..8a6ffac 100644 --- a/roles/debian/tasks/main.yml +++ b/roles/debian/tasks/main.yml @@ -54,6 +54,18 @@ mode: 0644 notify: reload interfaces +- name: Disable SSH password authentication + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#?{{ item.key }}' + line: '{{ item.key }} {{ item.value }}' + loop: + - key: PasswordAuthentication + value: 'no' + - key: PermitRootLogin + value: 'prohibit-password' + notify: reload sshd + - name: Run SSH instance in management VRF when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt') block: diff --git a/roles/proxmox-backup/handlers/main.yml b/roles/proxmox-backup/handlers/main.yml index d20c9e9..1ea07da 100644 --- a/roles/proxmox-backup/handlers/main.yml +++ b/roles/proxmox-backup/handlers/main.yml 
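Review bot: The new `reload sshd` handler in roles/debian/handlers/main.yml addresses the unit as `sshd`, which on Debian is an alias of `ssh.service` that exists only while that unit is enabled; `name: ssh` is the more robust target. The handler also reloads just this one unit. If the "Run SSH instance in management VRF" block in tasks/main.yml runs sshd under a separate unit (its body is outside this patch), that instance would keep its old settings, including password logins, until it is restarted. Consider notifying a reload of that unit as well, e.g. a second handler with `name: <mgmt-vrf-ssh-unit>` (placeholder, the real unit name is not shown here). The identical handler added in roles/proxmox-backup/handlers/main.yml has the same limits.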
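Review bot: The `lineinfile` task added to roles/debian/tasks/main.yml rewrites only the last line matching `^#?{{ item.key }}`, while sshd uses the first value it reads for each keyword. An earlier uncommented `PasswordAuthentication yes`, or one in a file pulled in by an `Include` near the top of sshd_config, would still win and leave password logins enabled even though the task reports success. If no line matches, the setting is appended at end of file, where it could land inside a trailing `Match` block and apply only conditionally. Adding `validate: '/usr/sbin/sshd -t -f %s'` keeps a broken file from being installed, and checking the effective values with `sshd -T` after the reload would confirm the hardening took effect. The same task is duplicated in roles/proxmox-backup/tasks/main.yml and needs the same treatment.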
@@ -22,3 +22,9 @@ name: postfix state: reloaded when: "'handler' not in ansible_skip_tags" + +- name: reload sshd + service: + name: sshd + state: reloaded + when: "'handler' not in ansible_skip_tags" diff --git a/roles/proxmox-backup/tasks/main.yml b/roles/proxmox-backup/tasks/main.yml index b3f35b9..9f9db9e 100644 --- a/roles/proxmox-backup/tasks/main.yml +++ b/roles/proxmox-backup/tasks/main.yml @@ -58,6 +58,18 @@ mode: 0644 notify: reload interfaces +- name: Disable SSH password authentication + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#?{{ item.key }}' + line: '{{ item.key }} {{ item.value }}' + loop: + - key: PasswordAuthentication + value: 'no' + - key: PermitRootLogin + value: 'prohibit-password' + notify: reload sshd + - name: Run SSH instance in management VRF when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt') block:
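Review bot: In roles/proxmox-backup/handlers/main.yml, `state: reloaded` on a systemd unit starts the unit when it is not running, so this handler may bring up the default-VRF sshd that the commit message describes as disabled. How it is disabled is not visible in the patch; a unit that is merely stopped would be started on the first run that changes sshd_config, exposing a listener that was meant to stay down. Point the handler at the instance that actually serves SSH on these hosts, e.g. `name: <mgmt-vrf-ssh-unit>` (placeholder, the real unit name is not shown here). Alternatively, leave the handler out of this role until the roles are deduplicated.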