molecule/virtualbox_debian12/molecule.yml

@@ -26,7 +26,7 @@ provisioner:
       # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
       # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
       # vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/../../lza_server_hardening.pass"
-      vault_identity_list: "../lza_server_hardening.pass, ../../../lza_server_hardening.pass"
+      vault_identity_list: "../../../lza_server_hardening.pass"
       display_skipped_hosts: false
       display_ok_hosts: false
   vvv: false

tasks/configure_crypto_policy.yml

+---
+- name: Get crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --show"
+  register: crypto_policy
+  changed_when: false
+
+- name: Set crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --set FUTURE"
+  when: "'FUTURE' in crypto_policy.stdout"
+  notify:
+    - "restart sshd"
+    # The best soluion would be to reboot the server, but we won't do that for availability.
+  changed_when: false

tasks/main.yml

@@ -28,6 +28,11 @@
   ansible.builtin.import_tasks: "configure_ssh_hardening.yml"
   tags: [ssh]
 
+- name: Configure crypto policy. Settings in /etc/ssh/sshd_config keep getting overwritten if the crypto policy remains at Default.
+  ansible.builtin.import_tasks: "configure_crypto_policy.yml"
+  when: ansible_os_family == "RedHat"   # Debian doesn't use crypto-policy
+  tags: [ssh, cryptopolicy, crypto-policy, crypto_policy, cipher, kex]
+
 - name: configure fail2ban
   ansible.builtin.import_tasks: "configure_fail2ban.yml"
   tags: [fail2ban, ssh]