From 66d0701a57f617740e7881f9cbdaf1faa89c9c16 Mon Sep 17 00:00:00 2001
From: surtur
Date: Wed, 2 Aug 2023 13:49:47 +0200
Subject: [PATCH] add sshconfig role

---
 ansible/roles/sshconfig/tasks/main.yml      |  7 ++++
 ansible/roles/sshconfig/templates/config.j2 | 44 +++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 ansible/roles/sshconfig/tasks/main.yml
 create mode 100644 ansible/roles/sshconfig/templates/config.j2

diff --git a/ansible/roles/sshconfig/tasks/main.yml b/ansible/roles/sshconfig/tasks/main.yml
new file mode 100644
index 0000000..5803b2b
--- /dev/null
+++ b/ansible/roles/sshconfig/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Install ssh config
+  ansible.builtin.template:
+    src: config.j2
+    dest: .ssh/config
+    mode: 0600
+...
diff --git a/ansible/roles/sshconfig/templates/config.j2 b/ansible/roles/sshconfig/templates/config.j2
new file mode 100644
index 0000000..479bffc
--- /dev/null
+++ b/ansible/roles/sshconfig/templates/config.j2
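Review bot: `dest: .ssh/config` is a relative path, so the file is written wherever the module's working directory on the target happens to be (normally the login user's home, but only implicitly), and the template task fails outright when the `.ssh` directory does not exist yet. I would anchor the destination with `dest: ~/.ssh/config` and add a preceding `ansible.builtin.file` task with `path: ~/.ssh`, `state: directory` and `mode: '0700'` so the role is self-contained on a fresh account. For the same task, writing the permission as `mode: '0600'` (quoted) is the documented form and avoids relying on YAML octal-integer parsing of the bare `0600`.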
@@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+ControlMaster auto
+ControlPath {{ ssh.config.control_path }}
+ControlPersist {{ ssh.config.control_persist }}
+
+include config.d/*
+
+Host git.dotya.ml github.com
+    IdentityFile ~/.ssh/{{ ssh.config.gitea_gh_id }}
+
+Host git.dotya.ml
+    User gitea
+
+Host github.com
+    # KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+    User git
+
+
+# Do not keep HostKeys for internal networks
+Host 10.*.*.* 192.168.*.*
+    UserKnownHostsFile /dev/null
+    StrictHostKeyChecking no
+
+Host *
+    ForwardX11 no
+    # IdentityFile none
+    AddKeysToAgent yes
+    IdentitiesOnly yes
+    ForwardAgent no
+    StrictHostKeyChecking no
+    IPQoS af21 # low-latency
+    # IPQoS lowdelay
+    # IPQoS throughput
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# this could be of interest later:
+# https://mike.place/2017/ssh-match/
+# Match host !exec "ping -t 1 -o ".local" &>/dev/null"
+# ProxyJump :11033
+#
+# also:
+# https://github.com/FiloSottile/whoami.filippo.io
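Review bot: `StrictHostKeyChecking no` under `Host *` switches off host-key verification for every destination, including git.dotya.ml and github.com, so a changed or unknown host key is accepted silently and the narrower "Do not keep HostKeys for internal networks" block above it no longer limits anything. Keeping `no` only in the `Host 10.*.*.* 192.168.*.*` block and changing the `Host *` line to `StrictHostKeyChecking accept-new` preserves first-contact convenience while still refusing a key that differs from the one already in known_hosts, which is the property the hardened Ciphers/KexAlgorithms/MACs lines are meant to protect. The trailing remark on `IPQoS af21 # low-latency` is only treated as a comment by OpenSSH clients that support inline comments (8.7 and later, as far as I can tell); older clients reject the line, so moving the note onto its own `#` line is safer.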