From 17a9e9ef7de1f6399944f83df6ec2dc47c5136e5 Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Fri, 25 Dec 2020 05:40:57 -0600
Subject: [PATCH] Group controls, hostkey protection, and typo correction in SSH

---
 roles/SSH/tasks/main.yml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/roles/SSH/tasks/main.yml b/roles/SSH/tasks/main.yml
index 44586da..0626ac6 100644
--- a/roles/SSH/tasks/main.yml
+++ b/roles/SSH/tasks/main.yml
@@ -10,7 +10,7 @@
   - name: SSH Config
     become: yes
     copy:
-      src: sshd_config
+      src: ssh_config
       dest: /etc/ssh/ssh_config
 
   - name: SSHD Config
@@ -19,3 +19,30 @@
       src: sshd_config
       dest: /etc/ssh/sshd_config
 
+  - name: Mark SSH keys as immutable
+    become: yes
+    file:
+      path: "{{ item }}"
+      attributes: i
+    loop:
+      - /etc/ssh/ssh_host_ed25519_key
+      - /etc/ssh/ssh_host_ed25519_key.pub
+      - /etc/ssh/ssh_host_rsa_key
+      - /etc/ssh/ssh_host_rsa_key.pub
+
+  - name: Add SSH control groups
+    become: yes
+    group:
+      name: "{{ item }}"
+      state: present
+    loop:
+      - ssh-allow
+      - ssh-forward
+      - sftp-home-jail
+
+  - name: Add SSH user to ssh-allow
+    become: yes
+    user:
+      name: "{{ ansible_user_id }}"
+      groups: ssh-allow
+      append: yes
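Review bot: The "Mark SSH keys as immutable" task in the second hunk sets `attributes: i` on the host keys but never pins `owner`, `group` or `mode`, so a private key that was left world-readable is frozen in that state, and because `file` defaults to `state: file` the task fails outright on a host where one of the four listed keys has not been generated yet. Setting the immutable flag also means any later key rotation or mode correction (including re-runs of this role that want to change permissions) will fail until the flag is cleared with `chattr -i`, which is worth a comment above the task; the suggested rewrite below carries the expected mode per file so the permissions are enforced before the flag is applied. The three new groups are created but nothing in the hunk references them; if the `sshd_config` copied by the preceding task (which has no visible `notify:` for an sshd restart) uses `AllowGroups ssh-allow`, the membership task for `ansible_user_id` should be ordered so it runs before that config takes effect, or a restart between the two tasks can lock the connection user out. As a matter of style, `become: yes` and `append: yes` should be `become: true` / `append: true`, matching the `true`/`false` convention yamllint enforces.
```yaml
  - name: Mark SSH host keys as immutable (clear with `chattr -i` before rotating keys)
    become: true
    file:
      path: "{{ item.path }}"
      owner: root
      group: root
      mode: "{{ item.mode }}"
      attributes: i
    loop:
      - { path: /etc/ssh/ssh_host_ed25519_key, mode: "0600" }
      - { path: /etc/ssh/ssh_host_ed25519_key.pub, mode: "0644" }
      - { path: /etc/ssh/ssh_host_rsa_key, mode: "0600" }
      - { path: /etc/ssh/ssh_host_rsa_key.pub, mode: "0644" }
# … unchanged: "Add SSH control groups" and "Add SSH user to ssh-allow" tasks …
```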