gitea, zomboid updates, ssh key fixes

2025-12-19 10:39:56 -05:00
parent adce3e2dd4
commit 38561cb968
24 changed files with 551 additions and 80 deletions
--- a/ansible/roles/common/tasks/security.yml
+++ b/ansible/roles/common/tasks/security.yml
@@ -1,4 +1,13 @@
 ---
+- name: enable post-quantum key exchange for sshd
+  become: true
+  ansible.builtin.template:
+    src: sshd-pq-kex.conf.j2
+    dest: /etc/ssh/sshd_config.d/30-pq-kex.conf
+    mode: 0600
+  notify: restart_sshd
+  tags: security, sshd
+
 - name: ensure sshd disallows passwords
  become: true
  ansible.builtin.lineinfile:
--- a/ansible/roles/common/templates/sshd-pq-kex.conf.j2
+++ b/ansible/roles/common/templates/sshd-pq-kex.conf.j2
@@ -0,0 +1,9 @@
+# Post-Quantum Key Exchange Algorithm
+# Managed by Ansible - do not edit directly
+#
+# Enables sntrup761x25519-sha512 (hybrid post-quantum + classical)
+# to protect against "store now, decrypt later" attacks
+#
+# This must be included BEFORE crypto-policies (40-redhat-crypto-policies.conf)
+
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512