From 1ecff67cd9969b3bdf01614a85abc635cbfadce8 Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Fri, 29 May 2026 08:21:15 -0400
Subject: [PATCH] separated out an SSH hardening task as part of refactor
---
roles/init-server/tasks/harden.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 roles/init-server/tasks/harden.yml
diff --git a/roles/init-server/tasks/harden.yml b/roles/init-server/tasks/harden.yml
new file mode 100644
index 0000000..963b2ea
--- /dev/null
+++ b/roles/init-server/tasks/harden.yml
@@ -0,0 +1,18 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for roles/init-vps
+- name: Checking whether administrative login used
+ when: ansible_user not in (admins | map(attribute="username") | list)
+ ansible.builtin.fail:
+ msg: Must use administrative user for subsequent tasks
+- name: Hardening SSH service for the Linode VPS
+ ansible.builtin.copy:
+ src: sshd_config.d/harden.conf
+ dest: /etc/ssh/sshd_config.d/harden.conf
+ owner: root
+ group: root
+ mode: "644"
+ force: true
+ backup: true
+ validate: "sshd -t %s"
+ register: ssh_hardened
\ No newline at end of file
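Review bot: The `validate` command on the copy task does not test the staged file: sshd takes its configuration path through `-f`, so `sshd -t %s` hands the temp path over as a stray argument and the check either fails outright or says nothing about harden.conf. Use `validate: "sshd -t -f %s"` instead. Even then the fragment is only checked on its own; because sshd keeps the first value it reads for most keywords, a file read earlier can still override these settings, so a follow-up check of the effective configuration with `sshd -T` would confirm the hardening actually applies. Nothing in this file reloads sshd after the copy; presumably a later task keys off `ssh_hardened`, but that is outside this patch.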