feat: add SSH login information and dotfiles status check to hello.py; include OpenSSH server tasks in Ansible configuration

config/ansible/tasks/global/global.yml

@@ -22,6 +22,10 @@
   ansible.builtin.import_tasks: tasks/global/ollama.yml
   become: true
 
+- name: Include OpenSSH Server tasks
+  ansible.builtin.import_tasks: tasks/global/openssh-server.yml
+  become: true
+
 - name: Ensure common packages are installed
   ansible.builtin.package:
     name:
@@ -31,9 +35,11 @@
       - trash-cli
       - curl
       - wget
+      # Python is used for the dotfiles CLI tools
       - python3
       - python3-pip
       - python3-venv
+      - lastlog2 # Used for displaying last login information
     state: present
   become: true
 

config/ansible/tasks/global/openssh-server.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure openssh-server is installed
+  ansible.builtin.package:
+    name: openssh-server
+    state: present
+
+- name: Ensure SSH server configuration is proper
+  ansible.builtin.template:
+    src: templates/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: Restart SSH service
+  register: ssh_config
+
+- name: Ensure SSH service is enabled and running
+  ansible.builtin.service:
+    name: ssh
+    state: started
+    enabled: true

config/ansible/templates/sshd_config.j2

@@ -1,4 +1,3 @@
-
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
@@ -11,6 +10,15 @@
 
 Include /etc/ssh/sshd_config.d/*.conf
 
+# When systemd socket activation is used (the default), the socket
+# configuration must be re-generated after changing Port, AddressFamily, or
+# ListenAddress.
+#
+# For changes to take effect, run:
+#
+#   systemctl daemon-reload
+#   systemctl restart ssh.socket
+#
 Port 400
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -25,12 +33,12 @@ Port 400
 
 # Logging
 #SyslogFacility AUTH
-#LogLevel INFO
+LogLevel INFO
 
 # Authentication:
 
 #LoginGraceTime 2m
-PermitRootLogin prohibit-password
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
@@ -54,8 +62,8 @@ PubkeyAuthentication yes
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
-PermitEmptyPasswords no
+PasswordAuthentication no
+#PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
@@ -84,8 +92,8 @@ KbdInteractiveAuthentication no
 # and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
-AllowAgentForwarding yes
-AllowTcpForwarding yes
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
@@ -96,8 +104,8 @@ PrintMotd no
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
+ClientAliveInterval 300
+ClientAliveCountMax 2
 #UseDNS no
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
@@ -116,7 +124,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
+X11Forwarding yes
+AllowTcpForwarding yes
 #	PermitTTY no
 #	ForceCommand cvs server

config/home-manager/flake.lock

@@ -39,11 +39,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1741379970,
-        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
+        "lastModified": 1741513245,
+        "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
+        "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1",
         "type": "github"
       },
       "original": {