Refactor tasks to separate files based on the context
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
e9c8d55d5e
commit
b1421c7d2d
5 changed files with 124 additions and 115 deletions
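--- a/tasks/check_fips.yml
+++ b/tasks/check_fips.yml
@@ -0,0 +1,12 @@
+---
+- name: Check the kernel FIPS mode
+  slurp:
+    src: /proc/sys/crypto/fips_enabled
+  register: __sshd_kernel_fips_mode
+  failed_when: false
+
+- name: Check the userspace FIPS mode
+  slurp:
+    src: /etc/system-fips
+  register: __sshd_userspace_fips_mode
+  failed_when: false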
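Review bot: Moving both slurp tasks into check_fips.yml changes when the userspace check runs: in the removed main.yml lines only the kernel check carried `when: - __sshd_hostkeys_nofips | d([])`, while the userspace check was unconditional, but the new `include_tasks: check_fips.yml` in the following main.yml hunk gates the whole file on that condition. If anything later in the role reads `__sshd_userspace_fips_mode` without guarding on `__sshd_hostkeys_nofips`, it will now be undefined on hosts where that list is empty; I cannot see the consumers, so please confirm or add `is defined` guards there. The file also has no comment explaining the `failed_when: false` pairs; a header such as `# Both files are absent on hosts without FIPS support; a missing file is not an error, callers must inspect .failed/.content` would make the contract of the registered facts clear.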
@ -22,19 +22,8 @@
|
|||
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
|
||||
notify: reload_sshd
|
||||
|
||||
- name: Check the kernel FIPS mode
|
||||
slurp:
|
||||
src: /proc/sys/crypto/fips_enabled
|
||||
register: __sshd_kernel_fips_mode
|
||||
failed_when: false
|
||||
when:
|
||||
- __sshd_hostkeys_nofips | d([])
|
||||
|
||||
- name: Check the userspace FIPS mode
|
||||
slurp:
|
||||
src: /etc/system-fips
|
||||
register: __sshd_userspace_fips_mode
|
||||
failed_when: false
|
||||
- name: Check FIPS mode
|
||||
include_tasks: check_fips.yml
|
||||
when:
|
||||
- __sshd_hostkeys_nofips | d([])
|
||||
|
||||
|
@ -132,66 +121,11 @@
|
|||
- __sshd_runtime_directory | d(false)
|
||||
|
||||
- name: Create the complete configuration file
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: "{{ sshd_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
validate: >-
|
||||
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
|
||||
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
|
||||
{% else %}
|
||||
{{ sshd_binary }} -t -f %s
|
||||
{% endif %}
|
||||
backup: "{{ sshd_backup }}"
|
||||
notify: reload_sshd
|
||||
include_tasks: install_config.yml
|
||||
when: sshd_config_namespace is none
|
||||
|
||||
- name: Make sure the include path is present in the main sshd_config
|
||||
lineinfile:
|
||||
insertbefore: BOF
|
||||
line: "Include {{ __sshd_defaults['Include'] }}"
|
||||
path: "{{ __sshd_main_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
validate: >-
|
||||
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
|
||||
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
|
||||
{% else %}
|
||||
{{ sshd_binary }} -t -f %s
|
||||
{% endif %}
|
||||
backup: "{{ sshd_backup }}"
|
||||
notify: reload_sshd
|
||||
when:
|
||||
- sshd_config_namespace is none
|
||||
- __sshd_defaults['Include'] | d(false)
|
||||
- __sshd_main_config_file is not none
|
||||
- __sshd_drop_in_dir is not none
|
||||
- sshd_config_file.startswith(__sshd_drop_in_dir)
|
||||
|
||||
- name: Update configuration file snippet
|
||||
vars:
|
||||
sshd_skip_defaults: true
|
||||
blockinfile:
|
||||
path: "{{ sshd_config_file }}"
|
||||
owner: "{{ sshd_config_owner }}"
|
||||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
block: |
|
||||
{{ __sshd_compat_match_all }}
|
||||
{{ lookup('template', 'sshd_config_snippet.j2') }}
|
||||
create: yes
|
||||
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
|
||||
validate: >-
|
||||
{% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
|
||||
{{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
|
||||
{% else %}
|
||||
{{ sshd_binary }} -t -f %s
|
||||
{% endif %}
|
||||
backup: "{{ sshd_backup }}"
|
||||
notify: reload_sshd
|
||||
include_tasks: install_namespace.yml
|
||||
when: sshd_config_namespace is not none
|
||||
|
||||
rescue:
|
||||
|
@ -206,51 +140,8 @@
|
|||
changed_when: false
|
||||
when: sshd_test_hostkey.path is defined
|
||||
|
||||
- name: Install systemd service files
|
||||
block:
|
||||
- name: Install service unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
- name: Install instanced service unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_at_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}@.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
- name: Install socket unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_socket }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.socket"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
when: sshd_install_service|bool
|
||||
|
||||
- name: Service enabled and running
|
||||
service:
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: true
|
||||
state: started
|
||||
when:
|
||||
- sshd_manage_service|bool
|
||||
- ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
|
||||
- ansible_connection != 'chroot'
|
||||
|
||||
# Due to ansible bug 21026, cannot use service module on RHEL 7
|
||||
- name: Enable service in chroot
|
||||
command: systemctl enable {{ sshd_service }} # noqa 303
|
||||
when:
|
||||
- ansible_connection == 'chroot'
|
||||
- ansible_os_family == 'RedHat'
|
||||
- ansible_distribution_major_version|int >= 7
|
||||
- name: Install and start systemd service
|
||||
include_tasks: install_service.yml
|
||||
|
||||
- name: Register that this role has run
|
||||
set_fact:
|
||||
|
|
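--- a/tasks/install_config.yml
+++ b/tasks/install_config.yml
@@ -0,0 +1,38 @@
+---
+- name: Create the complete configuration file
+  template:
+    src: sshd_config.j2
+    dest: "{{ sshd_config_file }}"
+    owner: "{{ sshd_config_owner }}"
+    group: "{{ sshd_config_group }}"
+    mode: "{{ sshd_config_mode }}"
+    validate: >-
+      {% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
+      {{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
+      {% else %}
+      {{ sshd_binary }} -t -f %s
+      {% endif %}
+    backup: "{{ sshd_backup }}"
+  notify: reload_sshd
+
+- name: Make sure the include path is present in the main sshd_config
+  lineinfile:
+    insertbefore: BOF
+    line: "Include {{ __sshd_defaults['Include'] }}"
+    path: "{{ __sshd_main_config_file }}"
+    owner: "{{ sshd_config_owner }}"
+    group: "{{ sshd_config_group }}"
+    mode: "{{ sshd_config_mode }}"
+    validate: >-
+      {% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
+      {{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
+      {% else %}
+      {{ sshd_binary }} -t -f %s
+      {% endif %}
+    backup: "{{ sshd_backup }}"
+  notify: reload_sshd
+  when:
+    - __sshd_defaults['Include'] | d(false)
+    - __sshd_main_config_file is not none
+    - __sshd_drop_in_dir is not none
+    - sshd_config_file.startswith(__sshd_drop_in_dir)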
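Review bot: The five-line `validate: >-` Jinja block is now copied verbatim into both tasks of this file and once more into install_namespace.yml, so a future change to the `sshd -t` invocation (for example the `-h .../rsa_key` test-hostkey branch) has to be made in three places. Since this commit already splits tasks by context, it is a good moment to hoist the folded command into a single role variable (name of your choosing, e.g. a constructed `__sshd_validate_cmd` placeholder) and reference it as `validate: "{{ __sshd_validate_cmd }}"` in all three tasks. The validate step is the only thing standing between a bad template render and a broken sshd on the next reload, so keeping one copy reduces the chance the branches drift.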
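--- a/tasks/install_namespace.yml
+++ b/tasks/install_namespace.yml
@@ -0,0 +1,22 @@
+---
+- name: Update configuration file snippet
+  vars:
+    sshd_skip_defaults: true
+  blockinfile:
+    path: "{{ sshd_config_file }}"
+    owner: "{{ sshd_config_owner }}"
+    group: "{{ sshd_config_group }}"
+    mode: "{{ sshd_config_mode }}"
+    block: |
+      {{ __sshd_compat_match_all }}
+      {{ lookup('template', 'sshd_config_snippet.j2') }}
+    create: yes
+    marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
+    validate: >-
+      {% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
+      {{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
+      {% else %}
+      {{ sshd_binary }} -t -f %s
+      {% endif %}
+    backup: "{{ sshd_backup }}"
+  notify: reload_sshd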
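Review bot: `create: yes` on the blockinfile task uses a YAML 1.1 truthy spelling while the rest of the new files write canonical booleans (`sshd_skip_defaults: true`, `enabled: true`); yamllint's truthy rule flags it and YAML 1.2 parsers read it as the string "yes". Change it to `create: true` so the file is consistent and unambiguous. The task itself is otherwise a straight move from main.yml.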
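--- a/tasks/install_service.yml
+++ b/tasks/install_service.yml
@@ -0,0 +1,46 @@
+---
+- name: Install systemd service files
+  block:
+    - name: Install service unit file
+      template:
+        src: "{{ sshd_service_template_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.service"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: reload_sshd
+    - name: Install instanced service unit file
+      template:
+        src: "{{ sshd_service_template_at_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}@.service"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: reload_sshd
+    - name: Install socket unit file
+      template:
+        src: "{{ sshd_service_template_socket }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.socket"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: reload_sshd
+  when: sshd_install_service|bool
+
+- name: Service enabled and running
+  service:
+    name: "{{ sshd_service }}"
+    enabled: true
+    state: started
+  when:
+    - sshd_manage_service|bool
+    - ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
+    - ansible_connection != 'chroot'
+
+# Due to ansible bug 21026, cannot use service module on RHEL 7
+- name: Enable service in chroot
+  command: systemctl enable {{ sshd_service }} # noqa 303
+  when:
+    - ansible_connection == 'chroot'
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version|int >= 7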
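Review bot: The chroot fallback at the end of the file enables the service whenever the connection is chroot on RedHat >= 7, but unlike the "Service enabled and running" task just above it, its `when:` list does not include `sshd_manage_service|bool`, so a caller that sets `sshd_manage_service: false` to only lay down configuration still gets sshd enabled in the image being built. Adding `- sshd_manage_service|bool` as the first condition of that task would make the two paths agree; this is carried over from main.yml rather than introduced here, but the new file is the place to fix it. The comment above the task says "RHEL 7" while the condition is `>= 7`; rewording it to something like `# Due to ansible bug 21026, the service module cannot be used in a chroot on RHEL 7 and later` would match the code. Since the unit files are written to /etc/systemd/system with only `notify: reload_sshd`, please confirm the `reload_sshd` handler (not visible here) performs a daemon-reload, otherwise freshly installed units will not be picked up until one happens.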