mirror of
https://github.com/willshersystems/ansible-sshd
synced 2025-01-11 01:30:18 +01:00
commit
5317dd72cb
8 changed files with 193 additions and 11 deletions
6
.github/workflows/ansible-lint.yml
vendored
6
.github/workflows/ansible-lint.yml
vendored
|
@ -10,7 +10,7 @@ jobs:
|
|||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test.yml"
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.8
|
||||
args: ""
|
||||
|
@ -21,7 +21,7 @@ jobs:
|
|||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test.yml"
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.9
|
||||
args: ""
|
||||
|
@ -32,7 +32,7 @@ jobs:
|
|||
- name: Lint Ansible Playbook
|
||||
uses: ansible/ansible-lint-action@master
|
||||
with:
|
||||
targets: "tests/test.yml"
|
||||
targets: "tests/test_*.yml"
|
||||
override-deps: |
|
||||
ansible==2.10
|
||||
args: ""
|
||||
|
|
38
.travis.yml
38
.travis.yml
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
os: linux
|
||||
dist: focal
|
||||
language: c
|
||||
sudo: required
|
||||
language: python
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
||||
|
@ -14,14 +14,36 @@ install:
|
|||
- "{ echo '[defaults]'; echo 'roles_path = ../'; echo 'deprecation_warnings=False'; } >> ansible.cfg"
|
||||
|
||||
script:
|
||||
# Check the roles syntax.
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
|
||||
# Test 0: Check the roles syntax.
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_default.yml --syntax-check"
|
||||
|
||||
# Run the role
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --become -v"
|
||||
# Test 1a: Run the role
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_default.yml --connection=local --become -v"
|
||||
|
||||
# Run the role/playbook again, checking to make sure it's idempotent.
|
||||
# Test 1b: Run the role through include
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_default_include.yml --connection=local --become -v"
|
||||
|
||||
# Test 2: Run the role/playbook again, checking to make sure it's idempotent.
|
||||
- >
|
||||
ansible-playbook -i tests/inventory tests/test.yml --connection=local --become | grep -q 'changed=0.*failed=0'
|
||||
ansible-playbook -i tests/inventory tests/test_default.yml --connection=local --become | grep -q 'changed=0.*failed=0'
|
||||
&& (echo 'Idempotence test: pass' && exit 0)
|
||||
|| (echo 'Idempotence test: fail' && exit 1)
|
||||
|
||||
# Test 3: Check we can set arbitrary configuration options
|
||||
- >
|
||||
ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_set_common.yml --connection=local --become -v
|
||||
&& (echo 'Common variables test: pass' && exit 0)
|
||||
|| (echo 'Common variables test: fail' && exit 1)
|
||||
|
||||
# Test 4: Check if we set uncommon or unsupported configuration option, it will not fail hard
|
||||
- >
|
||||
ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_set_uncommon.yml --connection=local --become -v
|
||||
&& (echo 'Uncommon configuration test: pass' && exit 0)
|
||||
|| (echo 'Uncommon configuration test: fail' && exit 1)
|
||||
|
||||
# Test 5: Make sure we can modify other files, for example for inclusion
|
||||
# in the main sshd_config or second sshd service
|
||||
- >
|
||||
ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_alternative_file.yml --connection=local --become -v
|
||||
&& (echo 'Alternative configuration file test: pass' && exit 0)
|
||||
|| (echo 'Alternative configuration file test: fail' && exit 1)
|
||||
|
|
28
README.md
28
README.md
|
@ -206,6 +206,34 @@ Match Group xusers
|
|||
X11Forwarding yes
|
||||
```
|
||||
|
||||
Since Ansible 2.4, the role can be invoked using `include_role` keyword,
|
||||
for example:
|
||||
|
||||
```yaml
|
||||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Configure sshd"
|
||||
include_role:
|
||||
name: willshersystems.sshd
|
||||
vars:
|
||||
sshd_skip_defaults: true
|
||||
sshd:
|
||||
Compression: true
|
||||
ListenAddress:
|
||||
- "0.0.0.0"
|
||||
- "::"
|
||||
GSSAPIAuthentication: no
|
||||
Match:
|
||||
- Condition: "Group user"
|
||||
GSSAPIAuthentication: yes
|
||||
sshd_UsePrivilegeSeparation: no
|
||||
sshd_match:
|
||||
- Condition: "Group xusers"
|
||||
X11Forwarding: yes
|
||||
|
||||
|
||||
Template Generation
|
||||
-------------------
|
||||
|
||||
|
|
31
tests/test_alternative_file.yml
Normal file
31
tests/test_alternative_file.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: Configure alternative sshd_config file
|
||||
include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
# just anything -- will not get processed by sshd
|
||||
sshd_config_file: /etc/ssh/sshd_config_custom
|
||||
sshd_skip_defaults: true
|
||||
sshd:
|
||||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-gcm@openssh.com
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: Print current configuration file
|
||||
command: cat /etc/ssh/sshd_config_custom
|
||||
register: config
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
that:
|
||||
- "'AcceptEnv LANG' in config.stdout"
|
||||
- "'Banner /etc/issue' in config.stdout"
|
||||
- "'Ciphers aes256-gcm@openssh.com' in config.stdout"
|
||||
tags: tests::verify
|
7
tests/test_default_include.yml
Normal file
7
tests/test_default_include.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Configure sshd"
|
||||
include_role:
|
||||
name: ansible-sshd
|
43
tests/test_set_common.yml
Normal file
43
tests/test_set_common.yml
Normal file
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: Configure sshd
|
||||
include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
AcceptEnv: LANG
|
||||
Banner: /etc/issue
|
||||
Ciphers: aes256-gcm@openssh.com
|
||||
Subsystem: "sftp internal-sftp"
|
||||
|
||||
- name: Verify the options are correctly set
|
||||
block:
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: List effective configuration using sshd -T
|
||||
command: sshd -T
|
||||
register: runtime
|
||||
|
||||
- name: Print current configuration file
|
||||
command: cat /etc/ssh/sshd_config
|
||||
register: config
|
||||
|
||||
- name: Check the options are effective
|
||||
# note, the options are in lower-case here
|
||||
assert:
|
||||
that:
|
||||
- "'acceptenv LANG' in runtime.stdout"
|
||||
- "'banner /etc/issue' in runtime.stdout"
|
||||
- "'ciphers aes256-gcm@openssh.com' in runtime.stdout"
|
||||
- "'subsystem sftp internal-sftp' in runtime.stdout"
|
||||
|
||||
- name: Check the options are in configuration file
|
||||
assert:
|
||||
that:
|
||||
- "'AcceptEnv LANG' in config.stdout"
|
||||
- "'Banner /etc/issue' in config.stdout"
|
||||
- "'Ciphers aes256-gcm@openssh.com' in config.stdout"
|
||||
- "'Subsystem sftp internal-sftp' in config.stdout"
|
||||
tags: tests::verify
|
51
tests/test_set_uncommon.yml
Normal file
51
tests/test_set_uncommon.yml
Normal file
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: Configure sshd with uncommon options, making sure it keeps running
|
||||
block:
|
||||
- name: Configure ssh with unsupported options
|
||||
include_role:
|
||||
name: ansible-sshd
|
||||
vars:
|
||||
sshd:
|
||||
# Unsupported in new versions, but ignored ?
|
||||
Protocol: 1
|
||||
UsePrivilegeSeparation: no
|
||||
UseLogin: yes
|
||||
# Debian only
|
||||
DebianBanner: /etc/motd
|
||||
# Used in FreeBSD ?
|
||||
VersionAddendum: FreeBSD-20180909
|
||||
# HPN only
|
||||
HPNDisabled: yes
|
||||
HPNBufferSize: 2MB
|
||||
TcpRcvBufPoll: yes
|
||||
NoneEnabled: yes
|
||||
# some builds might be without kerberos/GSSAPI
|
||||
KerberosAuthentication: yes
|
||||
GSSAPIStoreCredentialsOnRekey: yes
|
||||
# SSHv1 options
|
||||
KeyRegenerationInterval: 1h
|
||||
ServerKeyBits: 1024
|
||||
# This one is pretty new, but works on OpenBSD only
|
||||
RDomain: 2
|
||||
register: role_result
|
||||
|
||||
- name: unreachable task
|
||||
fail:
|
||||
msg: UNREACH
|
||||
rescue:
|
||||
- name: Check that we failed in the role
|
||||
assert:
|
||||
that:
|
||||
- ansible_failed_result.msg != 'UNREACH'
|
||||
- not role_result.changed
|
||||
msg: "Role has not failed when it should have"
|
||||
|
||||
- name: Make sure service is still running
|
||||
service:
|
||||
name: sshd
|
||||
state: started
|
||||
register: result
|
||||
failed_when: result.changed
|
Loading…
Reference in a new issue