From e5b570ddad5f976a0a04233f4794a54b85bb440b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 13 Dec 2024 14:49:44 +0100
Subject: [PATCH] proxmox: disable password SSH authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Apparently it’s not needed for cluster operations.
---
 roles/proxmox/handlers/main.yml | 6 ++++++
 roles/proxmox/tasks/main.yml | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/roles/proxmox/handlers/main.yml b/roles/proxmox/handlers/main.yml
index f422af1..a48f969 100644
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@@ -12,6 +12,12 @@
 state: reloaded
 when: "'handler' not in ansible_skip_tags"

+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
+ when: "'handler' not in ansible_skip_tags"
+
 - name: update package cache
 package:
 update_cache: yes
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index a7ede66..aadd7d0 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@@ -18,6 +18,18 @@
 src: resolv.conf.j2
 mode: 0644

+- name: Disable SSH password authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?{{ item.key }}'
+ line: '{{ item.key }} {{ item.value }}'
+ loop:
+ - key: PasswordAuthentication
+ value: 'no'
+ - key: PermitRootLogin
+ value: 'prohibit-password'
+ notify: reload sshd
+
 - include_tasks: network.yml

 - name: Disable enterprise repositories
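Review bot: The new handler in `roles/proxmox/handlers/main.yml` addresses the service as `sshd`, but on Debian-based hosts such as Proxmox the OpenSSH unit is `ssh.service`, and `sshd.service` is only an alias that exists while the unit is enabled. If the alias is missing, the reload fails and the running daemon keeps accepting passwords until it is next restarted. Using `name: ssh` would address the unit directly, assuming the role only targets Debian-based systems. A comment above the handler, such as `# reloads OpenSSH after sshd_config edits; not run when the 'handler' tag is skipped`, would also record that skipping handlers leaves the old settings live.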
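Review bot: The `lineinfile` task added to `roles/proxmox/tasks/main.yml` replaces only the last line matching `^#?{{ item.key }}`, while sshd uses the first value it reads for each keyword. An earlier active `PasswordAuthentication yes` in `sshd_config`, or in a file pulled in by an `Include` directive, would therefore still win. A follow-up check of the effective setting (`sshd -T` prints it) would confirm the hardening actually applied. The edited file is also reloaded without being checked; adding `validate: '/usr/sbin/sshd -t -f %s'` to the `lineinfile` arguments rejects a broken config before it replaces the live one. The pattern has no trailing delimiter either, so `regexp: '^#?{{ item.key }}\s'` would keep it from matching a longer keyword that shares the prefix.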