r/fileserver: Restrict non-administrators to SFTP

Normal users do not need shell access to the file server, and certainly
should not be allowed to e.g. forward ports through it.  Using a `Match`
block, we can apply restrictions to users who do not need administrative
functionality.  In this case, we restrict everyone who is not a member
of the *Server Admins* group in the PYROCUFFLINK AD domain.

group_vars/pyrocufflink/main.yml

@@ -22,3 +22,5 @@ sudo_authorized_ssh_keys: |
 # Default flags include -n, which makes Ansible complain about a "missing
 # become password," even though it would never actually prompt for one.
 ansible_become_flags: -H
+
+fileserver_sftp_only_match: 'Group !server?admins,*'

roles/fileserver/defaults/main.yml

@@ -1,2 +1,4 @@
 file_shares: []
 samba_use_smbd: true
+
+fileserver_sftp_only_match: 'User !root,*'

roles/fileserver/handlers/main.yml

@@ -1,2 +1,7 @@
 - name: save firewalld configuration
   command: firewall-cmd --runtime-to-permanent
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded

roles/fileserver/tasks/main.yml

@@ -44,3 +44,16 @@
     name=samba_enable_home_dirs
     persistent=yes
     state=yes
+
+- name: ensure ssh server is configured for sftp only
+  template:
+    src: sftp-only.sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/95-sftp-only.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload sshd
+  tags:
+  - sshd-config
+  - config

roles/fileserver/templates/sftp-only.sshd_config.j2

@@ -0,0 +1,11 @@
+Match {{ fileserver_sftp_only_match }}
+    AllowAgentForwarding no
+    AllowStreamLocalForwarding no
+    AllowTcpForwarding no
+    DisableForwarding yes
+    ForceCommand internal-sftp
+    PermitListen none
+    PermitOpen none
+    PermitTTY no
+    PermitTunnel no
+    PermitUserRC no