init commit

playbooks/templates/sshd/00-global.conf.j2

@@ -0,0 +1,25 @@
+Port 22
+AddressFamily inet
+PermitRootLogin no
+
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+UsePAM yes
+AllowGroups {{ ssh_access_group | default('sshusers') }}
+
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+
+X11Forwarding no
+PrintMotd no
+PrintLastLog yes
+
+LoginGraceTime 30s
+MaxAuthTries 3
+MaxSessions 2
+
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server

playbooks/templates/sshd/99-lan-bypass.conf.j2

@@ -0,0 +1,11 @@
+Match Address 10.0.0.0/8
+    PasswordAuthentication yes
+
+Match Address 192.168.0.0/16
+    PasswordAuthentication yes
+
+Match Address 206.202.209.9/32
+    PasswordAuthentication yes
+
+Match Address 100.64.0.0/10
+    PasswordAuthentication yes

playbooks/templates/sshd/sshd_config.j2

@@ -0,0 +1,4 @@
+# Base sshd_config — managed by Ansible
+# Delegates all settings to config fragments
+
+Include /etc/ssh/sshd_config.d/*.conf