usegalaxy-eu · mira-miracoli · Jan 13, 2026 · Jan 13, 2026 · Jan 14, 2026 · Jan 14, 2026
diff --git a/.gitignore b/.gitignore
@@ -5,7 +5,6 @@
 collections/
 roles/cloudalchemy.grafana/
 roles/dev-sec.os-hardening/
-roles/dev-sec.ssh-hardening/
 roles/galaxyproject.galaxy/
 roles/galaxyproject.nginx/
 roles/galaxyproject.cvmfs/

diff --git a/all.yml b/all.yml
@@ -1,6 +1,9 @@
 ---
-- name: Manage authorized SSH keys
+- name: Configure SSH service and manage authorized keys
   hosts: all
-  gather_facts: false
+  gather_facts: true
   roles:
     - role: usegalaxy_eu.ssh_manager
+    - ssh-host-sign
+    - role: devsec.hardening.ssh_hardening
+      become: true
diff --git a/apollo.yml b/apollo.yml
@@ -45,4 +45,3 @@
     # END custom
     - dj-wasabi.telegraf
     # - dev-sec.os-hardening
-    # - dev-sec.ssh-hardening
diff --git a/beacon.yml b/beacon.yml
@@ -8,8 +8,6 @@
     - group_vars/beacon/vars.yml
     - group_vars/beacon/vault.yml
   vars:
-  collections:
-    - devsec.hardening
   roles:
     - role: usegalaxy_eu.handy.os_setup
       vars:

diff --git a/build.yml b/build.yml
@@ -21,8 +21,6 @@
       loop:
         - http
         - https
-  collections:
-    - devsec.hardening
   roles:
     - hostname
     - usegalaxy-eu.dynmotd

diff --git a/cvmfs.yml b/cvmfs.yml
@@ -7,8 +7,6 @@
     - "secret_group_vars/all.yml"
     - mounts/mountpoints.yml
     - mounts/dest/all.yml
-  collections:
-    - devsec.hardening
   pre_tasks:
     - name: Set default version of Python
       alternatives:
@@ -51,7 +49,6 @@
     - dj-wasabi.telegraf
     # hardening
     - os_hardening
-    - ssh_hardening
 
 #
 #    - hostname
@@ -69,4 +66,3 @@
 #    # END custom
 #    - dj-wasabi.telegraf
 #    - dev-sec.os-hardening
-#    - dev-sec.ssh-hardening
diff --git a/galaxy-test.yml b/galaxy-test.yml
@@ -149,4 +149,3 @@
     # Some of our 'cleanups' also generate telegraf format so this goes at end.
     - dj-wasabi.telegraf
     #- dev-sec.os-hardening
-    - dev-sec.ssh-hardening
diff --git a/grafana.yml b/grafana.yml
@@ -25,7 +25,6 @@
         name:
           - git
   collections:
-    - devsec.hardening
     - grafana.grafana
   roles:
     ## Starting configuration of the operating system

diff --git a/group_vars/all/ssh-host-sign.yml b/group_vars/all/ssh-host-sign.yml
@@ -0,0 +1,11 @@
+ssh_host_sign_keys:
+  - key: /etc/ssh/ssh_host_rsa_key.pub
+    certificate: /etc/ssh/ssh_host_rsa_key-cert.pub
+
+  - key: /etc/ssh/ssh_host_ecdsa_key.pub
+    certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub
+
+  - key: /etc/ssh/ssh_host_ed25519_key.pub
+    certificate: /etc/ssh/ssh_host_ed25519_key-cert.pub
+
+ssh_host_sign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*"
diff --git a/group_vars/all/ssh_hardening.yml b/group_vars/all/ssh_hardening.yml
@@ -0,0 +1,5 @@
+ssh_host_certificates: "{{ ssh_host_sign_keys | map(attribute='certificate') }}"
+ssh_permit_root_login: "without-password"
+ssh_use_pam: true
+sftp_enabled: true
+ssh_client_alive_interval: 600
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
@@ -64,9 +64,6 @@ nginx_selinux_allow_local_connections: true
 #nginx_servers:
 #  - redirect-ssl
 
-# Allow root login on all machines - TBD
-ssh_allow_root_with_key: true
-
 redis_connection_string: "redis://:{{ redis_requirepass }}@mq02.galaxyproject.eu:6379/0"
 # Chrony
 chrony_server: 'time.ruf.uni-freiburg.de iburst'
@@ -168,28 +165,6 @@ au_random_sleep: 360
 sysctl_config:
   net.ipv6.conf.all.disable_ipv6: 0
 
-# SSH
-
-# ALL hosts should have signed SSH keys.
-# ssh-host-(re)sign role
-ssh_host_key_cert_files:
-  - /etc/ssh/ssh_host_rsa_key-cert.pub
-  - /etc/ssh/ssh_host_ecdsa_key-cert.pub
-  - /etc/ssh/ssh_host_ed25519_key-cert.pub
-
-# dev-sec.ssh-hardening role
-# Allow root login on all machines
-ssh_permit_root_login: "without-password"
-sshd_custom_options:
-  - "HostCertificate {{ ssh_host_key_cert_files[0] }}"
-  - "HostCertificate {{ ssh_host_key_cert_files[1] }}"
-  - "HostCertificate {{ ssh_host_key_cert_files[2] }}"
-# Anything else prevents more login
-ssh_use_pam: true
-# Required if you want to run ansible more than once.
-sftp_enabled: true
-ssh_client_alive_interval: 600
-
 # Apollo env vars
 apollo_env: "GALAXY_WEBAPOLLO_URL={{ GALAXY_WEBAPOLLO_URL }} GALAXY_WEBAPOLLO_USER={{ GALAXY_WEBAPOLLO_USER }} GALAXY_WEBAPOLLO_PASSWORD={{ GALAXY_WEBAPOLLO_PASSWORD }} GALAXY_WEBAPOLLO_EXT_URL={{ GALAXY_WEBAPOLLO_EXT_URL }} GALAXY_SHARED_DIR={{ GALAXY_SHARED_DIR }} GALAXY_APOLLO_ORG_SUFFIX=id"
 

diff --git a/host_vars/apps.galaxyproject.eu.yml b/host_vars/apps.galaxyproject.eu.yml
@@ -0,0 +1 @@
+ssh_server_ports: ["8080"]
diff --git a/incoming.yml b/incoming.yml
@@ -9,8 +9,6 @@
     - secret_group_vars/all.yml
     - mounts/mountpoints.yml
     - mounts/dest/all.yml
-  collections:
-    - devsec.hardening
   pre_tasks:
     - name: Set timezone to Europe/Berlin
       community.general.timezone:

diff --git a/influxdb.yml b/influxdb.yml
@@ -39,8 +39,6 @@
       ansible.builtin.service:
         name: firewalld
         state: reloaded
-  collections:
-    - devsec.hardening
   roles:
     ## Starting configuration of the operating system
     - geerlingguy.swap

diff --git a/maintenance.yml b/maintenance.yml
@@ -8,8 +8,6 @@
     - secret_group_vars/all.yml
     - mounts/dest/all.yml
     - mounts/mountpoints.yml
-  collections:
-    - devsec.hardening
   handlers:
     - name: restart rsyslog
       service:

diff --git a/mq.yml b/mq.yml
@@ -6,8 +6,6 @@
     - secret_group_vars/all.yml
     - secret_group_vars/aws.yml # AWS creds
     - secret_group_vars/pulsar.yml     # Pulsar + MQ Connections
-  collections:
-    - devsec.hardening
   pre_tasks:
     #    - name: Set default version of Python
     #      alternatives:

diff --git a/one-off/cvmfs-stratum0.yml b/one-off/cvmfs-stratum0.yml
@@ -30,4 +30,3 @@
     # END custom
     - dj-wasabi.telegraf
 #    - dev-sec.os-hardening
-#    - dev-sec.ssh-hardening
diff --git a/one-off/denbi-stratum0.yml b/one-off/denbi-stratum0.yml
@@ -29,4 +29,3 @@
     # END custom
     - dj-wasabi.telegraf
     #- dev-sec.os-hardening
-    #- dev-sec.ssh-hardening
diff --git a/one-off/hicbrowser.yml b/one-off/hicbrowser.yml
@@ -16,4 +16,3 @@
     # END custom
     - dj-wasabi.telegraf
     - dev-sec.os-hardening
-    - dev-sec.ssh-hardening
diff --git a/one-off/job-working-dir.yml b/one-off/job-working-dir.yml
@@ -19,4 +19,3 @@
     # END custom
     - dj-wasabi.telegraf
     - dev-sec.os-hardening
-    - dev-sec.ssh-hardening
diff --git a/one-off/org-jenkins-nodes.yml b/one-off/org-jenkins-nodes.yml
@@ -45,4 +45,3 @@
     - hxr.monitor-email
     - influxdata.chrony
     - dev-sec.os-hardening
-    - dev-sec.ssh-hardening
diff --git a/one-off/ssds1.yml b/one-off/ssds1.yml
@@ -15,4 +15,3 @@
     - geerlingguy.nfs
     - linuxhq.yum_cron
     - dev-sec.os-hardening
-    - dev-sec.ssh-hardening
diff --git a/plausible.yml b/plausible.yml
@@ -7,8 +7,6 @@
   vars_files:
     - secret_group_vars/all.yml
     - secret_group_vars/plausible.yml
-  collections:
-    - devsec.hardening
   roles:
     - hostname
     - usegalaxy-eu.dynmotd

diff --git a/proxy.yml b/proxy.yml
@@ -6,8 +6,6 @@
     hostname: proxy.galaxyproject.eu
   vars_files:
     - secret_group_vars/all.yml
-  collections:
-    - devsec.hardening
   pre_tasks:
     - name: Set default version of Python
       alternatives:

diff --git a/requirements.yaml b/requirements.yaml
@@ -55,8 +55,6 @@ collections:
 roles:
   - name: dev-sec.os-hardening
     version: 4.2.0
-  - name: dev-sec.ssh-hardening
-    version: 9.7.0
   - name: devops.tomcat7
     version: 1.0.0
   - name: dj-wasabi.telegraf

diff --git a/resign-keys.yml b/resign-keys.yml
diff --git a/roles/ssh-host-resign/files/server_ca b/roles/ssh-host-resign/files/server_ca
diff --git a/roles/ssh-host-resign/files/server_ca.pub b/roles/ssh-host-resign/files/server_ca.pub
diff --git a/roles/ssh-host-resign/tasks/main.yml b/roles/ssh-host-resign/tasks/main.yml