Fixes un-overrideable public api variables

2025-01-09 00:40:19 +01:00 · 2022-08-17 11:53:56 +00:00 · 2022-08-17 11:53:56 +00:00 · 4e22a9618d
commit 4e22a9618d
parent f1d7198a2b
29 changed files with 93 additions and 78 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -48,13 +48,14 @@ sshd_config_file: "{{ __sshd_config_file }}"
 ### VARS DEFAULTS
 ### The following are defaults for OS specific configuration in var files in
 ### this role. They should not be set directly by role users.
-sshd_packages: []
+sshd_packages: "{{ __sshd_packages }}"
 sshd_config_owner: "{{ __sshd_config_owner }}"
 sshd_config_group: "{{ __sshd_config_group }}"
 sshd_config_mode: "{{ __sshd_config_mode }}"
-sshd_binary: /usr/sbin/sshd
-sshd_service: sshd
-sshd_sftp_server: /usr/lib/openssh/sftp-server
+sshd_service: "{{ __sshd_service }}"
+sshd_binary: "{{ __sshd_binary }}"
+sshd_service: "{{ __sshd_service }}"
+sshd_sftp_server: "{{ __sshd_sftp_server }}"

 # This lists by default all hostkeys as rendered in the generated configuration
 # file ("auto"). Before attempting to run sshd (either for verification of
--- a/vars/AIX.yml
+++ b/vars/AIX.yml
@ -2,11 +2,11 @@
 __sshd_config_mode: '0644'
 # sshd is not installed by yum / AIX toolbox for Linux.
 # You'll need to manually install them using AIX Web Download Packs.
-sshd_packages: []
-sshd_sftp_server: /usr/sbin/sftp-server
+__sshd_packages: []
+__sshd_sftp_server: /usr/sbin/sftp-server
 __sshd_config_group: system
 __sshd_defaults:
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes

 sshd_install_service: no
--- a/vars/Amazon.yml
+++ b/vars/Amazon.yml
@ -1,9 +1,9 @@
 ---
 __sshd_config_mode: '0644'
-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_defaults:
  SyslogFacility: AUTHPRIV
  PermitRootLogin: forced-commands-only
@ -19,5 +19,5 @@ __sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
--- a/Linux.yml
+++ b/Linux.yml
@ -1 +0,0 @@
-Archlinux.yml
--- a/Linux.yml
+++ b/Linux.yml
@ -0,0 +1,11 @@
+---
+__sshd_packages:
+  - openssh
+__sshd_sftp_server: /usr/lib/ssh/sftp-server
+__sshd_defaults:
+  AuthorizedKeysFile: .ssh/authorized_keys
+  ChallengeResponseAuthentication: no
+  PrintMotd: no
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
+  UsePAM: yes
+__sshd_os_supported: yes
--- a/vars/Archlinux.yml
+++ b/vars/Archlinux.yml
@ -1,11 +1,11 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
-sshd_sftp_server: /usr/lib/ssh/sftp-server
+__sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
  AuthorizedKeysFile: .ssh/authorized_keys
  ChallengeResponseAuthentication: no
  PrintMotd: no
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
--- a/vars/Container
+++ b/vars/Container
@ -1,10 +1,10 @@
 ---
 # There is no package manager in CoreOS
-sshd_packages: []
-sshd_service: sshd
-sshd_sftp_server: internal-sftp
+__sshd_packages: []
+__sshd_service: sshd
+__sshd_sftp_server: internal-sftp
 __sshd_defaults:
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  ClientAliveInterval: 180
  UseDNS: no
  UsePAM: yes
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
@ -31,7 +31,7 @@ __sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Debian_10.yml
+++ b/vars/Debian_10.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -9,7 +9,7 @@ __sshd_defaults:
  X11Forwarding: yes
  PrintMotd: no
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Debian_11.yml
+++ b/vars/Debian_11.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -9,7 +9,7 @@ __sshd_defaults:
  X11Forwarding: yes
  PrintMotd: no
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Debian_8.yml
+++ b/vars/Debian_8.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -33,7 +33,7 @@ __sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Debian_9.yml
+++ b/vars/Debian_9.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -9,7 +9,7 @@ __sshd_defaults:
  X11Forwarding: yes
  PrintMotd: no
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@ -1,10 +1,10 @@
 ---
 __sshd_os_supported: yes

-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 # Fedora 32 ships with drop-in directory support so we touch
 # just included file with highest priority by default
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
--- a/vars/Fedora_31.yml
+++ b/vars/Fedora_31.yml
@ -1,8 +1,8 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_defaults:
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
@ -21,7 +21,7 @@ __sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@ -1,7 +1,7 @@
 ---
 __sshd_config_group: wheel
 __sshd_config_mode: "0644"
-sshd_sftp_server: /usr/libexec/sftp-server
+__sshd_sftp_server: /usr/libexec/sftp-server
 __sshd_defaults:
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
--- a/vars/Gentoo.yml
+++ b/vars/Gentoo.yml
@ -1,9 +1,9 @@
 ---
-sshd_packages:
+__sshd_packages:
  - net-misc/openssh
-sshd_sftp_server: /usr/lib64/misc/sftp-server
+__sshd_sftp_server: /usr/lib64/misc/sftp-server
 __sshd_defaults:
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  # Replace tcp keepalive with unspoofable keepalive
  TCPKeepAlive: no
  ClientAliveInterval: 300
--- a/vars/OpenBSD.yml
+++ b/vars/OpenBSD.yml
@ -1,9 +1,9 @@
 ---
 __sshd_config_group: wheel
 __sshd_config_mode: "0600"
-sshd_sftp_server: /usr/libexec/sftp-server
+__sshd_sftp_server: /usr/libexec/sftp-server
 __sshd_defaults:
  AuthorizedKeysFile: .ssh/authorized_keys
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_manage_var_run: no
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@ -1,8 +1,8 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_defaults:
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
@ -19,7 +19,7 @@ __sshd_defaults:
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
  X11Forwarding: yes
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_compat_match_all: Match address *
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@ -1,8 +1,8 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_defaults:
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
@ -24,7 +24,7 @@ __sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@ -1,8 +1,8 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 __sshd_defaults:
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
@ -25,7 +25,7 @@ __sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
--- a/vars/RedHat_9.yml
+++ b/vars/RedHat_9.yml
@ -1,10 +1,10 @@
 ---
 __sshd_os_supported: yes

-sshd_packages:
+__sshd_packages:
  - openssh
  - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
 # RHEL 9 ships with drop-in directory support so we touch
 # just included file with highest priority by default
 __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
--- a/vars/Suse.yml
+++ b/vars/Suse.yml
@ -1,7 +1,7 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
-sshd_sftp_server: /usr/lib/ssh/sftp-server
+__sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
@ -20,5 +20,5 @@ __sshd_defaults:
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL LANGUAGE
    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
--- a/vars/Ubuntu_12.yml
+++ b/vars/Ubuntu_12.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
 __sshd_config_mode: "0644"
 __sshd_defaults:
@ -31,6 +31,6 @@ __sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
--- a/vars/Ubuntu_14.yml
+++ b/vars/Ubuntu_14.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -33,6 +33,6 @@ __sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
 __sshd_os_supported: yes
--- a/vars/Ubuntu_16.yml
+++ b/vars/Ubuntu_16.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -34,7 +34,7 @@ __sshd_defaults:
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
  UsePAM: yes
  UseDNS: no
 __sshd_os_supported: yes
--- a/vars/Ubuntu_18.yml
+++ b/vars/Ubuntu_18.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
@ -11,6 +11,6 @@ __sshd_defaults:
  X11Forwarding: yes
  PrintMotd: no
  AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes
 __sshd_runtime_directory: /run/sshd
--- a/vars/Ubuntu_20.yml
+++ b/vars/Ubuntu_20.yml
@ -1,6 +1,6 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 __sshd_config_mode: "0644"
--- a/vars/Ubuntu_22.yml
+++ b/vars/Ubuntu_22.yml
@ -1,8 +1,8 @@
 ---
 __sshd_os_supported: yes

-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
  - openssh-server
  - openssh-sftp-server
 # Ubuntu 22.04 finally ships with drop-in directory support so we touch
--- a/vars/common.yml
+++ b/vars/common.yml
@ -4,3 +4,7 @@ __sshd_skip_virt_env:
  - container
  - containerd
  - VirtualPC
+
+__sshd_binary: /usr/sbin/sshd
+__sshd_service: sshd
+__sshd_sftp_server: /usr/lib/openssh/sftp-server
--- a/vars/openSUSE
+++ b/vars/openSUSE
@ -1,7 +1,7 @@
 ---
-sshd_packages:
+__sshd_packages:
  - openssh
-sshd_sftp_server: /usr/lib/ssh/sftp-server
+__sshd_sftp_server: /usr/lib/ssh/sftp-server
 __sshd_defaults:
  AuthorizedKeysFile: .ssh/authorized_keys
  UsePAM: yes
@ -10,5 +10,5 @@ __sshd_defaults:
    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    - LC_IDENTIFICATION LC_ALL
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ __sshd_sftp_server }}"
 __sshd_os_supported: yes