From 849257c2f4249d7327277c94f0d37eff9bd7ae1d Mon Sep 17 00:00:00 2001
From: Matt Willsher
Date: Tue, 13 Jan 2015 17:41:56 +0000
Subject: [PATCH 1/4] Add test for supported OS
---
 tasks/main.yml | 6 ++++--
 vars/Amazon.yml | 1 +
 vars/Archlinux.yml | 1 +
 vars/Debian.yml | 1 +
 vars/Debian_8.yml | 1 +
 vars/FreeBSD.yml | 1 +
 vars/RedHat_6.yml | 1 +
 vars/RedHat_7.yml | 1 +
 vars/Ubuntu_12.yml | 1 +
 vars/Ubuntu_14.yml | 1 +
 10 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 9b5d3d8..b4d6268 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,10 +6,13 @@
 - "{{ ansible_distribution }}.yml"
 - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
 - "{{ ansible_os_family }}.yml"
- - default.yml
 tags:
 - sshd
+- name: OS is supported
+ assert:
+ that: sshd_os_supported == True
+
 - name: Installed
 action: >
 {{ ansible_pkg_mgr }}
@@ -37,4 +40,3 @@
 state: running
 tags:
 - sshd
-
diff --git a/vars/Amazon.yml b/vars/Amazon.yml
index 9db08ab..8223d49 100644
--- a/vars/Amazon.yml
+++ b/vars/Amazon.yml
@@ -20,3 +20,4 @@ sshd:
 - LC_IDENTIFICATION LC_ALL LANGUAGE
 - XMODIFIERS
 Subsystem: "sftp {{ sshd_sftp_server }}"
+sshd_os_supported: yes
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
index c529f91..ccdc2e5 100644
--- a/vars/Archlinux.yml
+++ b/vars/Archlinux.yml
@@ -12,3 +12,4 @@ sshd_defaults:
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
 UsePrivilegeSeparation: sandbox
+sshd_os_supported: yes
diff --git a/vars/Debian.yml b/vars/Debian.yml
index ca9ff3a..d4e52cd 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -34,3 +34,4 @@ sshd_defaults:
 AcceptEnv: LANG LC_*
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
+sshd_os_supported: yes
diff --git a/vars/Debian_8.yml b/vars/Debian_8.yml
index e3d9298..a64006d 100644
--- a/vars/Debian_8.yml
+++ b/vars/Debian_8.yml
@@ -35,3 +35,4 @@ sshd_defaults:
 AcceptEnv: LANG LC_*
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
+sshd_os_supported: yes
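Review bot: The new `OS is supported` assert carries no `tags: - sshd`, unlike the include task above it and the service task in the second hunk of this file, so a run limited with `--tags sshd` skips the support check and still installs and configures sshd on an unsupported OS; add `  tags:` / `    - sshd` to the task. `that: sshd_os_supported == True` passes only when the value is a real boolean, so a value supplied as a string from inventory or `-e` (even `"true"`) fails the assert, and the same pattern appears in `when: sshd_allow_reload == True` in handlers/main.yml in patch 2; `that: sshd_os_supported | bool` and `when: sshd_allow_reload | bool` accept both forms. Since `default.yml` is dropped from `with_first_found`, a host with no matching vars file now appears to fail inside the include task before this assert runs (unless the lookup is told to skip), so the assert only catches a vars file that exists but omits the flag.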
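Review bot: `sshd_os_supported: yes` in vars/Amazon.yml depends on YAML 1.1 reading `yes` as a boolean, which Ansible's loader does, but the assert added to tasks/main.yml compares the flag against `True`, so any loader or lint profile that keeps `yes` as the string it looks like makes the check fail; write `sshd_os_supported: true` here and in the identical hunks for vars/Archlinux.yml, vars/Debian.yml, vars/Debian_8.yml and the FreeBSD, RedHat_6, RedHat_7, Ubuntu_12 and Ubuntu_14 files that follow. Because `with_first_found` falls back to the `{{ ansible_os_family }}.yml` file, vars/Debian.yml appears to mark every Debian-family distribution without a file of its own as supported, which may be wider than the role actually tests.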
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index 57118f5..007f3d5 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -2,3 +2,4 @@
 sshd_config_group: wheel
 sshd_config_mode: "0644"
 sshd_sftp_server: /usr/libexec/sftp-server
+sshd_os_supported: yes
diff --git a/vars/RedHat_6.yml b/vars/RedHat_6.yml
index 89de8fd..442108f 100644
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@@ -18,3 +18,4 @@ sshd_defaults:
 - XMODIFIERS
 X11Forwarding: yes
 Subsystem: "sftp {{ sshd_sftp_server }}"
+sshd_os_supported: yes
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
index 80907ca..44b9bee 100644
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@@ -22,3 +22,4 @@ sshd_defaults:
 - LC_IDENTIFICATION LC_ALL LANGUAGE
 - XMODIFIERS
 Subsystem: "sftp {{ sshd_sftp_server }}"
+sshd_os_supported: yes
diff --git a/vars/Ubuntu_12.yml b/vars/Ubuntu_12.yml
index 4c941b0..e4777f6 100644
--- a/vars/Ubuntu_12.yml
+++ b/vars/Ubuntu_12.yml
@@ -33,3 +33,4 @@ sshd_defaults:
 AcceptEnv: LANG LC_*
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
+sshd_os_supported: yes
diff --git a/vars/Ubuntu_14.yml b/vars/Ubuntu_14.yml
index e3d9298..a64006d 100644
--- a/vars/Ubuntu_14.yml
+++ b/vars/Ubuntu_14.yml
@@ -35,3 +35,4 @@ sshd_defaults:
 AcceptEnv: LANG LC_*
 Subsystem: "sftp {{ sshd_sftp_server }}"
 UsePAM: yes
+sshd_os_supported: yes
From 964496fcd1201b94c4ea661831d33b28b86fd9bd Mon Sep 17 00:00:00 2001
From: Matt Willsher
Date: Tue, 13 Jan 2015 17:42:10 +0000
Subject: [PATCH 2/4] Allow reload to be skipped
---
 README.md | 46 ++++++++++++++++++++++++++++++++++++----------
 defaults/main.yml | 3 +++
 handlers/main.yml | 1 +
 3 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 570b5ef..b408834 100644
--- a/README.md
+++ b/README.md
@@ -39,12 +39,23 @@ It will likely work on other flavours and more direct support via suitable Role variables --------------- -* Unconfigured, this role will provide a sshd_config that matches the OS default, +Unconfigured, this role will provide a sshd_config that matches the OS default, minus the comments and in a different order. -* Defaults can be disabled by setting `sshd_skip_defaults: true` +* sshd_skip_defaults -* Supports use of a dict to configure items: +If set to True, don't apply default values. This means that you must have a +complete set of configuration defaults via either the sshd dict, or sshd_Key +variables. Defaults to *False*. + +* sshd_allow_reload + +If set to False, a reload of sshd wont happen on change. This can help with +troubleshooting. Defaults to *True*. + +* sshd + +A dict containing configuration. e.g. ```yaml sshd: @@ -53,15 +64,17 @@ sshd: - 0.0.0.0 ``` -* Simple variables can be used rather than a dict. Simple values override dict -values: +* ssh_... + +Simple variables can be used rather than a dict. Simple values override dict +values. e.g.: ```yaml sshd_Compression: off ``` -* Correctly interprets booleans as yes and no in sshd configuration -* Supports lists for multi line configuration items: +In all cases, booleans correctly rendered as yes and no in sshd configuration. +Lists can be used for multiline configuration items. e.g. ```yaml sshd_ListenAddress: @@ -69,11 +82,24 @@ sshd_ListenAddress: - '::' ``` -* Supports match section either via Match in the sshd dict, sshd_match and any of sshd_match_1 through sshd_match_9. Match items can either be a dict or an array. +Renders as: + +``` +ListenAddress 0.0.0.0 +ListenAddress :: +``` + +* sshd_match + +A list of dicts for a match section. See the example playbook. + +* sshd_match_1 through sshd_match_9 + +A list of dicts or just a dict for a Match section. Example Playbook ---------------- - + ```yaml --- - hosts: all 
@@ -98,7 +124,7 @@ Example Playbook Results in: -``` +``` # Ansible managed: ... Compression yes GSSAPIAuthentication no diff --git a/defaults/main.yml b/defaults/main.yml index 60909bb..27417d5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,6 +2,8 @@ ### USER OPTIONS # Don't apply OS defaults when set to true sshd_skip_defaults: false +# If the below is false, don't reload the ssh deamon on change +sshd_allow_reload: yes # Empty dicts to avoid errors sshd: {} @@ -18,3 +20,4 @@ sshd_binary: /usr/sbin/sshd sshd_service: sshd sshd_sftp_server: /usr/lib/openssh/sftp-server sshd_defaults: {} +sshd_os_supported: no diff --git a/handlers/main.yml b/handlers/main.yml index 90c1ed6..2772fc7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -7,3 +7,4 @@ service: name: "{{ sshd_service }}" state: reloaded + when: sshd_allow_reload == True From 184bd300d7c9800684b5dd92fee77f4841785a3a Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Tue, 13 Jan 2015 17:44:00 +0000 Subject: [PATCH 3/4] Clarify reload --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b408834..5dff8ba 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,8 @@ variables. Defaults to *False*. * sshd_allow_reload If set to False, a reload of sshd wont happen on change. This can help with -troubleshooting. Defaults to *True*. +troubleshooting. You'll need to manually reload sshd if you want to apply the +changed configuration. Defaults to *True*. * sshd From 0a9ef445bb2db2aee6545366e369da37d589797c Mon Sep 17 00:00:00 2001 From: Matt Willsher Date: Tue, 13 Jan 2015 17:45:12 +0000 Subject: [PATCH 4/4] Release 0.2.4 --- CHANGELOG | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index c437d74..1a758a7 100644 --- a/CHANGELOG +++ b/CHANGELOG 
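Review bot: `sshd_allow_reload: yes` and `sshd_os_supported: no` in defaults/main.yml use YAML 1.1 truthy words while `sshd_skip_defaults: false` two lines above uses the canonical spelling; write `sshd_allow_reload: true` and `sshd_os_supported: false` so the file is consistent and yamllint's truthy rule stays quiet. The new comment has a typo (`deamon`) and describes the flag from the negative; `# Set to false to skip reloading sshd after its config changes; the running daemon then keeps the old config until reloaded by hand` says what it does. `sshd_os_supported` is added without any comment, so a line such as `# Overridden to true by the per-OS vars files this role supports` would tell a reader where the flag is meant to be set.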
@@ -1,3 +1,7 @@
+0.2.4 13 January 2014 Matt Willsher
+- Allow reload to be skipped
+- Test for OS support
+- Documentation improvements
 0.2.3 13 January 2014 Matt Willsher
 - Fixed HostbasedAuthentication typo
 0.2.2 13 January 2014 Matt Willsher