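---
# Regression test: every option keyword listed in sshd_config(5) on the
# target must be accepted by the role and show up in the generated file.
# The man page is the source of truth, so the first half of the play only
# makes sure a readable sshd_config(5) exists on each supported platform.
- name: Test we can handle all configuration options documented in manual page
  hosts: all
  # Facts (os_family, distribution, distribution_version) drive every guard.
  gather_facts: true
  vars:
    # Files this play touches; tasks/backup.yml and tasks/restore.yml save
    # and put them back so the host is left as it was found.
    __sshd_test_backup_files:
      - /etc/dnf/dnf.conf
      - /etc/yum.conf
      - /tmp/sshd_config
    # Option -> value mapping handed to the role, filled from the man page.
    sshd_c: {}
    sshd_skip_test: false
    # EL <= 7 still uses yum; Fedora and EL >= 8 use dnf.  Only consulted on
    # RedHat-family hosts ("7.9" | int evaluates to 7).
    pkg_mgr: "{{ 'dnf' if ansible_facts['distribution_version'] | int > 7 else 'yum' }}"
  tasks:
    - name: Backup configuration files
      ansible.builtin.include_tasks: tasks/backup.yml

    # A registered/set fact outranks the play var, so this flips the flag for
    # the rest of the play.  Tasks that loop over the parsed option list use
    # `default([])` because a `loop` is expanded before its `when` is
    # evaluated, and the registered result of a skipped task has no
    # stdout_lines.
    - name: Skip test on EL6 as it has some crippled manpages
      ansible.builtin.set_fact:
        sshd_skip_test: true
      when:
        - ansible_facts['os_family'] == "RedHat"
        - ansible_facts['distribution_version'] | int <= 6

    # Container images commonly carry `tsflags=nodocs`, which makes yum/dnf
    # drop man pages at install time.  Remove it before reinstalling.
    - name: Enable installation of manual pages on Fedora/RHEL
      ansible.builtin.lineinfile:
        line: tsflags=nodocs
        path: "{{ '/etc/dnf/dnf.conf' if pkg_mgr == 'dnf' else '/etc/yum.conf' }}"
        state: absent
      when:
        - ansible_facts['os_family'] == "RedHat"

    - name: Reinstall manual pages for openssh-server on RHEL
      ansible.builtin.command: "{{ pkg_mgr | quote }} reinstall -y openssh-server"
      when:
        - ansible_facts['os_family'] == "RedHat"
      changed_when: true

    # `yes |` answers unminimize's interactive confirmation; pipefail is only
    # enabled when the login shell actually supports it.
    # NOTE(review): under pipefail, `yes` is killed by SIGPIPE (exit 141)
    # once unminimize closes its stdin, which bash reports as a failed
    # pipeline.  If this task starts failing spuriously, check that first.
    - name: Unminimize image on Ubuntu. It looks like there is no simpler way to get manual pages
      ansible.builtin.shell: set -eu; set -o | grep -q pipefail && set -o pipefail; yes | unminimize
      when:
        - ansible_facts['distribution'] == "Ubuntu"
      changed_when: true

    - name: Make sure manual pages and bash are installed on Alpine
      ansible.builtin.package:
        name:
          - mandoc
          - man-pages
          - openssh-doc
          - bash
        state: present
      when:
        - ansible_facts['distribution'] == "Alpine"

    # bash is required for `set -o pipefail` in the parsing task below.
    - name: Make sure manual pages and bash are installed elsewhere
      ansible.builtin.package:
        name:
          - man
          - bash
        state: present
      when:
        - ansible_facts['distribution'] != "Alpine"

    # Debug aid only: dumps the raw man page into the job log so a parsing
    # problem in the next task can be diagnosed.  Nothing is registered.
    - name: Dump the manual page for debugging
      ansible.builtin.shell: >-
        set -eu; set -o | grep -q pipefail && set -o pipefail; man sshd_config | cat
      changed_when: false

    # Keyword extraction:
    #   sed      strips the backspace-overstrike sequences man uses for bold,
    #   grep -o  keeps indented lines that start with a capitalised word (the
    #            option keywords) plus the one character after that word,
    #   grep -v  drops hits where that character is a space or punctuation,
    #            i.e. prose that happens to start at the same indent,
    #   awk      keeps just the keyword; `Match` is excluded because it takes
    #            criteria rather than a yes/no value.
    # The folded scalar already joins these lines with single spaces, so no
    # shell continuation backslashes are used: a trailing `\` would survive
    # folding as `\ `, which bash reads as an extra literal-space argument to
    # the preceding command.
    # NOTE(review): the leading whitespace in the grep pattern is rendered
    # here as a single space; sshd_config(5) lists keywords at a 5-space
    # indent, so confirm the pattern's indent against the checked-in file.
    - name: Get list of options from manual page
      ansible.builtin.shell: >-
        set -o pipefail && man sshd_config
        | sed 's/\x08.//g'
        | grep -o '^ [A-Z][A-Za-z0-9]*\(.\| \)'
        | grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$"
        | awk '{ print $1 }'
        | grep -v '^$' | grep -v "^Match$"
      args:
        executable: /bin/bash
      register: sshd_options
      changed_when: false
      when: not sshd_skip_test

    - name: Print all the possible options
      ansible.builtin.debug:
        var: sshd_options.stdout_lines
      when: not sshd_skip_test

    # Every keyword gets the literal string 'yes' (quoted so YAML does not
    # coerce it to a boolean).  The value is nonsense for most options; the
    # point is that the role emits a line for each keyword.
    - name: Construct the configuration list
      ansible.builtin.set_fact:
        sshd_c: "{{ sshd_c | combine({item: 'yes'}) }}"
      loop: "{{ sshd_options.stdout_lines | default([]) }}"
      when: not sshd_skip_test

    - name: Run role
      ansible.builtin.include_role:
        name: ansible-sshd
      vars:
        # The configuration is not valid as we are using bogus values, so the
        # role's config validation is switched off.  That also means a
        # syntactically broken output file is not caught here; the assert
        # below is the only check on the result.
        __sshd_supports_validate: false
        # The hostkeys are not valid either so do not validate them
        sshd_verify_hostkeys: []
        # Scratch path so the host's real sshd_config is never touched and no
        # daemon ever loads this file.  /tmp is shared and predictable, so
        # run this only on throwaway test hosts.
        sshd_config_file: /tmp/sshd_config
        sshd: "{{ sshd_c }}"
      when: not sshd_skip_test

    - name: Download the configuration file
      ansible.builtin.slurp:
        src: /tmp/sshd_config
      register: config
      when: not sshd_skip_test

    # Plain substring test: `#Foo yes` or `XFoo yes` would also satisfy it,
    # which is acceptable for a file this play generated itself.  Written
    # without `{{ }}` because `that:` is already a Jinja expression and
    # nested delimiters there are deprecated.
    - name: Verify the options are in the file
      ansible.builtin.assert:
        that:
          - "(item ~ ' yes') in (config.content | b64decode)"
      loop: "{{ sshd_options.stdout_lines | default([]) }}"
      when: not sshd_skip_test

    - name: Check generated files for ansible_managed, fingerprint
      ansible.builtin.include_tasks: tasks/check_header.yml
      vars:
        __file_content: "{{ config }}"
        __fingerprint: "willshersystems:ansible-sshd"
      when: not sshd_skip_test

    - name: Restore configuration files
      ansible.builtin.include_tasks: tasks/restore.yml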