From ff92d88583f1fe6c18759d40af8f578519cedb3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com>
Date: Thu, 10 Jun 2021 05:13:28 +0200
Subject: [PATCH] Add GitLab sshd config and disable ipv6

---
 README.md                | 3 ++-
 tasks/main.yml           | 7 +++++++
 templates/sshd_config.j2 | 5 ++++-
 vars/RedHat.yml          | 2 +-
 vars/main.yml            | 4 ++++
 5 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 6512762..b861bd0 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ This role initializes a server with the following actions :
 Requirements
 ------------
 
-This role mostly uses ansible.builtin module but also authorized_key from ansible.posix collection
+This role mostly uses mainly ansible.builtin modules but also authorized_key and sysctl from ansible.posix collection
 
 Role Variables
 --------------
@@ -34,6 +34,7 @@ Variables from vars directory (OS specific):
   * users_to_remove : list of users to remove from default delivered servers
 * Global :
   * default_ssh_public_keys : ssh_public_key + extra_public_key (if exists)
+  * sysctl_disable_ipv6_keys : sysctl entries to activate to disable ipv6
 
 This role also makes use of variables gathered from facts :
 * ansible_os_family : Family of Operating System (Debian or RedHat)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a2911a..a828a19 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -156,6 +156,13 @@
       export TMOUT
   when: ansible_os_family == "RedHat"
 
+- name: disable ipv6
+  sysctl:
+    name: "{{ item }}"
+    value: '1'
+    sysctl_set: true
+  with_items: "{{ sysctl_disable_ipv6_keys }}"
+
 - name: Check if backup servers present in root known hosts
   lineinfile:
     path: /root/.ssh/known_hosts
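Review bot: The new `disable ipv6` task at L43-48 runs unconditionally on every host the role touches and offers no variable to opt out, so a host that needs IPv6 (or is managed over it — `sysctl_set: true` applies the value live) is cut off with no way to exclude it short of editing the role. The task also uses the short module name `sysctl` while the README hunk in this same patch documents it as coming from `ansible.posix`; the FQCN should be used so the task does not depend on collection search order. Suggested: `- name: Disable IPv6` / `  ansible.posix.sysctl:` with `  when: disable_ipv6 | default(true)` (variable name illustrative) and `loop:` in place of `with_items:`. Consider also passing `state: present` explicitly so the persisted entry in the sysctl file is intended rather than relying on the module default.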
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index a2279e3..e491820 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -10,6 +10,9 @@ LogLevel VERBOSE
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 PasswordAuthentication no
 PermitRootLogin no
+{% if inventory_hostname in groups.gitlab %}
+Port 22
+{% endif %}
 Port {{ default_sshd_port }}
 PrintMotd no
 Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
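Review bot: `groups.gitlab` at L61 raises an undefined-variable error during template rendering on any inventory that has no `gitlab` group, which breaks sshd configuration for every consumer of this generic role that does not run GitLab; the same expression is repeated at L72 in the second hunk. Use `{% if inventory_hostname in groups.get('gitlab', []) %}` in both places. When `default_sshd_port` is itself 22 the rendered file also ends up with `Port 22` twice, so the guard is better written `{% if inventory_hostname in groups.get('gitlab', []) and default_sshd_port | int != 22 %}`. The `{% if %}`/`{% else %}` block that L72 sits in starts outside the second hunk.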
@@ -25,5 +28,5 @@ Match Group sftpgroup
       GatewayPorts no
       X11Forwarding no
 {% else %}
-AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %}
+AllowUsers {{ host_user }}{% if host_user2 is defined %} {{ host_user2 }}{% endif %}{% if inventory_hostname in groups.gitlab %} git{% endif %}
 {% endif %}
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 01eedb5..1fb5304 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -2,4 +2,4 @@
 packages_to_remove: []
 files_to_remove: []
 users_to_remove:
-- zabbix
+  - zabbix
diff --git a/vars/main.yml b/vars/main.yml
index 7237f73..9fbbd86 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,6 @@
 ---
 default_ssh_public_keys: "{{ ssh_public_key }}{% if extra_public_key is defined %} \n {{ extra_public_key }}{% endif %}"
+sysctl_disable_ipv6_keys:
+  - net.ipv6.conf.all.disable_ipv6
+  - net.ipv6.conf.default.disable_ipv6
+  - net.ipv6.conf.lo.disable_ipv6
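Review bot: `sysctl_disable_ipv6_keys` is added to `vars/main.yml`, where role vars take precedence over inventory, host and group vars, so a consumer cannot trim or empty the list for a host that must keep IPv6 without editing the role. Since the README hunk lists it under "Role Variables" as something the user may tune, it belongs in `defaults/main.yml`; otherwise the README entry should say the list is fixed. A one-line comment above the key, `# sysctl keys set to 1 by the "disable ipv6" task in tasks/main.yml`, would also tie the variable to its only use.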
-- 
GitLab