Seperate defaults dict

defaults/main.yml

@@ -1,8 +1,19 @@
 ---
-sshd_user: root
+### USER OPTIONS
-sshd_group: root
+# Don't apply OS defaults when set to true
-sshd_binary: /usr/sbin/sshd
+sshd_skip_defaults: false
+# Empty dicts to avoid errors
+sshd: {}
+
+
+### VARS DEFAULTS
+### The following are defaults for OS specific configuration in var files in
+### this role. They should not be set by role users.
+sshd_packages: []
+sshd_config_owner: root
+sshd_config_group: root
 sshd_config_file: /etc/ssh/sshd_config
+sshd_binary: /usr/sbin/sshd
 sshd_service: sshd
 sshd_sftp_server: /usr/lib/openssh/sftp-server
-sshd: "{{ sshd_defaults }}"
+sshd_defaults: {}

meta/macros.j2

@@ -4,6 +4,8 @@
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
+{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = sshd_defaults[key] %}
 {%   endif %}
 {%   if value is defined %}
 {%     if value is sameas true %}

tasks/main.yml

@@ -21,9 +21,9 @@
   template:
     src: sshd_config.j2
     dest: "{{ sshd_config_file }}"
-    owner: "{{ sshd_user }}"
+    owner: "{{ sshd_config_owner }}"
-    group: "{{ sshd_group }}"
+    group: "{{ sshd_config_group }}"
-    mode: 600
+    mode: 644
   notify: check and reload sshd
 
 - name: Service enabled and running

templates/sshd_config.j2

@@ -4,6 +4,8 @@
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
+{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = sshd_defaults[key] %}
 {%   endif %}
 {%   if value is defined %}
 {%     if value is sameas true %}

vars/FreeBSD.yml

@@ -1,5 +1,3 @@
 ---
-sshd_packages: []
+sshd_config_group: wheel
-sshd_group: wheel
 sshd_sftp_server: /usr/libexec/sftp-server
-sshd_defaults: {}