add install_ssh role

roles/global/install_ssh/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+install_ssh_ssh_port: 22
+install_ssh_permit_root_login: "yes"
+install_ssh_password_authentication: "yes"
+install_ssh_ssh_log_level: "INFO"
+install_ssh_ssh_login_grace_time: "2m"
+install_ssh_ssh_max_auth_tries: 6
+install_ssh_ssh_max_sessions: 10
+install_ssh_ssh_max_startups: "10:30:100"

roles/global/install_ssh/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart SSH
+  ansible.builtin.service:
+    name: ssh
+    state: restarted

roles/global/install_ssh/meta/main.yml

@@ -0,0 +1,18 @@
+---
+galaxy_info:
+  author: Kevin Heyer
+  description: Role to install and configure SSH on Debian systems
+  company: Skull-IT Kevin Heyer
+  license: MIT
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - ssh
+    - debian
+    - security
+
+dependencies: []

roles/global/install_ssh/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure OpenSSH server is installed
+  ansible.builtin.apt:
+    name: openssh-server
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Ensure OpenSSH server is enabled and started
+  ansible.builtin.service:
+    name: ssh
+    enabled: true
+    state: started
+
+- name: Deploy SSH configuration
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0600'
+  notify: Restart SSH

roles/global/install_ssh/templates/sshd_config.j2

@@ -0,0 +1,70 @@
+# This file is managed by Ansible.
+# Any manual changes will be overwritten.
+
+Port {{ install_ssh_ssh_port }}
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTH
+LogLevel {{ install_ssh_ssh_log_level }}
+
+LoginGraceTime {{ install_ssh_ssh_login_grace_time }}
+PermitRootLogin {{ install_ssh_permit_root_login }}
+StrictModes yes
+
+MaxAuthTries {{ install_ssh_ssh_max_auth_tries }}
+MaxSessions {{ install_ssh_ssh_max_sessions }}
+
+PubkeyAuthentication yes
+
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/ssh_authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ install_ssh_password_authentication }}
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+
+# Default value for MaxStartups is 10:30:100
+MaxStartups {{ install_ssh_ssh_max_startups }}
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server