mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-12-01 07:00:17 +01:00
160 lines
5.9 KiB
YAML
160 lines
5.9 KiB
YAML
|
---
|
||
|
- name: Test systemd services and sockets files can be installed
|
||
|
hosts: all
|
||
|
vars:
|
||
|
__sshd_test_backup_files:
|
||
|
- /etc/ssh/sshd_config
|
||
|
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||
|
- /etc/systemd/system/sshd.service
|
||
|
- /etc/systemd/system/sshd@.service
|
||
|
- /etc/systemd/system/sshd.socket
|
||
|
- /etc/systemd/system/ssh.service
|
||
|
- /etc/systemd/system/ssh@.service
|
||
|
- /etc/systemd/system/ssh.socket
|
||
|
__sshd_test_service_name: sshd
|
||
|
__sshd_service_list: []
|
||
|
__sshd_service_inst_list: []
|
||
|
__sshd_socket_list: []
|
||
|
tasks:
|
||
|
- name: Fix the service name on Debian
|
||
|
ansible.builtin.set_fact:
|
||
|
__sshd_test_service_name: ssh
|
||
|
when:
|
||
|
- ansible_facts['os_family'] == "Debian"
|
||
|
|
||
|
- name: Backup configuration files
|
||
|
ansible.builtin.include_tasks: tasks/backup.yml
|
||
|
|
||
|
- name: Configure sshd with default options and install service files
|
||
|
ansible.builtin.include_role:
|
||
|
name: ansible-sshd
|
||
|
vars:
|
||
|
sshd_install_service: true
|
||
|
|
||
|
- name: Read the service files and verify they are reasonable
|
||
|
tags: tests::verify
|
||
|
when:
|
||
|
- ansible_facts['service_mgr'] == 'systemd'
|
||
|
block:
|
||
|
- name: Read the distribution service file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/lib/systemd/system/{{ __sshd_test_service_name }}.service"
|
||
|
register: service_old
|
||
|
|
||
|
- name: Read the distribution socket file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/lib/systemd/system/{{ __sshd_test_service_name }}.socket"
|
||
|
register: socket_old
|
||
|
|
||
|
- name: Read the created service file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/etc/systemd/system/{{ __sshd_test_service_name }}.service"
|
||
|
register: service
|
||
|
|
||
|
- name: Read the created socket file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/etc/systemd/system/{{ __sshd_test_service_name }}.socket"
|
||
|
register: socket
|
||
|
|
||
|
- name: Decode service file
|
||
|
ansible.builtin.set_fact:
|
||
|
service_old: "{{ service_old.content | b64decode }}"
|
||
|
|
||
|
# quite basic, but it should do the job
|
||
|
# * I do not think the ConditionPathExists is much useful so skipping on Ubuntu
|
||
|
# * I do not think the Description needs to match verbatim either
|
||
|
- name: Construct the options list from old service file
|
||
|
ansible.builtin.set_fact:
|
||
|
__sshd_service_list: "{{ __sshd_service_list + [item] }}"
|
||
|
when:
|
||
|
- not item.startswith("#")
|
||
|
- not item.startswith("ConditionPathExists=")
|
||
|
- not item.startswith("Description=")
|
||
|
loop:
|
||
|
"{{ service_old.splitlines() }}"
|
||
|
|
||
|
- name: Test options in sshd.service are kept
|
||
|
ansible.builtin.assert:
|
||
|
that:
|
||
|
- "item in service.content | b64decode"
|
||
|
loop:
|
||
|
"{{ __sshd_service_list }}"
|
||
|
|
||
|
- name: Verify the ExecStart line contains the configuration file
|
||
|
ansible.builtin.assert:
|
||
|
that:
|
||
|
- "' -f /etc/ssh/' in service.content | b64decode"
|
||
|
|
||
|
- name: Decode socket file
|
||
|
ansible.builtin.set_fact:
|
||
|
socket_old: "{{ socket_old.content | b64decode }}"
|
||
|
|
||
|
# quite basic, but it should do the job
|
||
|
# * I do not think the ConditionPathExists is much useful so skipping on Ubuntu
|
||
|
# * Before= does not make any sense in combination with Conflicts=
|
||
|
# * I do not think the Description needs to match verbatim either
|
||
|
- name: Construct the options list from old socket file
|
||
|
ansible.builtin.set_fact:
|
||
|
__sshd_socket_list: "{{ __sshd_socket_list + [item] }}"
|
||
|
when:
|
||
|
- not item.startswith("#")
|
||
|
- not item.startswith("ConditionPathExists=")
|
||
|
- not item.startswith("Before=")
|
||
|
- not item.startswith("Description=")
|
||
|
loop:
|
||
|
"{{ socket_old.splitlines() }}"
|
||
|
|
||
|
- name: Test options in sshd.socket are kept
|
||
|
ansible.builtin.assert:
|
||
|
that:
|
||
|
- "item in socket.content | b64decode"
|
||
|
loop:
|
||
|
"{{ __sshd_socket_list }}"
|
||
|
|
||
|
- name: Read the instantiated service file and verify they are reasonable
|
||
|
tags: tests::verify
|
||
|
when:
|
||
|
- ansible_facts['service_mgr'] == 'systemd'
|
||
|
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
||
|
block:
|
||
|
- name: Read the distribution instantiated service file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/lib/systemd/system/{{ __sshd_test_service_name }}@.service"
|
||
|
register: service_inst_old
|
||
|
|
||
|
- name: Read the created instantiated service file
|
||
|
ansible.builtin.slurp:
|
||
|
src: "/etc/systemd/system/{{ __sshd_test_service_name }}@.service"
|
||
|
register: service_inst
|
||
|
|
||
|
- name: Decode instantiated service file
|
||
|
ansible.builtin.set_fact:
|
||
|
service_inst_old: "{{ service_inst_old.content | b64decode }}"
|
||
|
|
||
|
# quite basic, but it should do the job
|
||
|
# * I do not think the Description needs to match verbatim either
|
||
|
- name: Construct the options list from old instantiated service file
|
||
|
ansible.builtin.set_fact:
|
||
|
__sshd_service_inst_list: "{{ __sshd_service_inst_list + [item] }}"
|
||
|
when:
|
||
|
- not item.startswith("#")
|
||
|
- not item.startswith("Description=")
|
||
|
loop:
|
||
|
"{{ service_inst_old.splitlines() }}"
|
||
|
|
||
|
- name: Test options in sshd@.service are kept
|
||
|
ansible.builtin.assert:
|
||
|
that:
|
||
|
- "item in service_inst.content | b64decode"
|
||
|
loop:
|
||
|
"{{ __sshd_service_inst_list }}"
|
||
|
|
||
|
- name: Verify the ExecStart line contains the configuration file
|
||
|
ansible.builtin.assert:
|
||
|
that:
|
||
|
- "' -f /etc/ssh/' in service_inst.content | b64decode"
|
||
|
|
||
|
|
||
|
- name: "Restore configuration files"
|
||
|
ansible.builtin.include_tasks: tasks/restore.yml
|