Merge branch 'master' into syntax
commit
b81977c659
12 changed files with 82 additions and 60 deletions
|
@ -25,11 +25,11 @@ script:
|
|||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
|
||||
|
||||
# Run the role
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v"
|
||||
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --become -v"
|
||||
|
||||
# Run the role/playbook again, checking to make sure it's idempotent.
|
||||
- >
|
||||
ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo
|
||||
| grep -q 'changed=0.*failed=0'
|
||||
ansible-playbook -i tests/inventory tests/test.yml --connection=local --become | grep -q 'changed=0.*failed=0'
|
||||
&& (echo 'Idempotence test: pass' && exit 0)
|
||||
|| (echo 'Idempotence test: fail' && exit 1)
|
||||
|
||||
|
|
|
@ -44,6 +44,10 @@ Role variables
|
|||
Unconfigured, this role will provide a sshd_config that matches the OS default,
|
||||
minus the comments and in a different order.
|
||||
|
||||
* `sshd_enable`
|
||||
|
||||
If set to False, the role will be completely disabled. Defaults to True.
|
||||
|
||||
* `sshd_skip_defaults`
|
||||
|
||||
If set to True, don't apply default values. This means that you must have a
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
---
|
||||
### USER OPTIONS
|
||||
# Set to False to disable this role completely
|
||||
sshd_enable: True
|
||||
|
||||
# Don't apply OS defaults when set to true
|
||||
sshd_skip_defaults: false
|
||||
|
||||
|
|
|
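Review bot: The new `sshd_skip_defaults: false` sits directly under `sshd_enable: True`, so the two user-facing booleans now use different spellings; both are consumed through `|bool` elsewhere in this commit so either parses, but yamllint's `truthy` rule rejects `True`, and both lines should read `true`/`false`. The comment on the new variable should also carry the caveat a user needs before flipping it, because once OS defaults are skipped every directive not listed explicitly under the role's config presumably falls back to sshd's compiled-in value rather than the OS vars shown later in this diff — suggested wording: `# Don't apply OS defaults when set to true. Any directive you do not set yourself then takes sshd's built-in default; check the rendered sshd_config.`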
@ -5,6 +5,7 @@
|
|||
name: "{{ sshd_service }}"
|
||||
state: reloaded
|
||||
when:
|
||||
- sshd_allow_reload
|
||||
- sshd_allow_reload|bool
|
||||
- ansible_virtualization_type|default(None) != 'docker'
|
||||
- ansible_connection != 'chroot'
|
||||
listen: reload_sshd
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Matt Willsher
|
||||
description: OpenSSH SSH deamon configuration
|
||||
description: OpenSSH SSH daemon configuration
|
||||
company: Willsher Systems
|
||||
license: LGPLv3
|
||||
min_ansible_version: 1.8
|
||||
|
@ -32,8 +32,8 @@ galaxy_info:
|
|||
galaxy_tags:
|
||||
- networking
|
||||
- system
|
||||
- SSH
|
||||
- OpenSSH
|
||||
- ssh
|
||||
- openssh
|
||||
- sshd
|
||||
- server
|
||||
- ubuntu
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: OS is supported
|
||||
assert:
|
||||
that: '__sshd_os_supported == True'
|
||||
that: __sshd_os_supported|bool
|
||||
|
||||
- name: Install ssh packages
|
||||
package:
|
||||
|
@ -17,30 +17,45 @@
|
|||
group: "{{ sshd_config_group }}"
|
||||
mode: "{{ sshd_config_mode }}"
|
||||
validate: "{{ sshd_binary }} -t -f %s"
|
||||
backup: "{{ sshd_backup }}"
|
||||
notify: reload_sshd
|
||||
|
||||
- name: Install systemd service files
|
||||
block:
|
||||
- template:
|
||||
- name: Install service unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.service"
|
||||
notify: reload_sshd
|
||||
- template:
|
||||
- name: Install instanced service unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_at_service }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}@.service"
|
||||
notify: reload_sshd
|
||||
- template:
|
||||
- name: Install socket unit file
|
||||
template:
|
||||
src: "{{ sshd_service_template_socket }}"
|
||||
dest: "/etc/systemd/system/{{ sshd_service }}.socket"
|
||||
notify: reload_sshd
|
||||
when: sshd_install_service
|
||||
when: sshd_install_service|bool
|
||||
|
||||
- name: Service enabled and running
|
||||
service:
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: true
|
||||
state: started
|
||||
when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
|
||||
when:
|
||||
- sshd_manage_service|bool
|
||||
- ansible_virtualization_type|default(None) != 'docker'
|
||||
- ansible_connection != 'chroot'
|
||||
|
||||
# Due to ansible bug 21026, cannot use service module on RHEL 7
|
||||
- name: Enable service in chroot
|
||||
command: systemctl enable {{ sshd_service }} # noqa 303
|
||||
when:
|
||||
- ansible_connection == 'chroot'
|
||||
- ansible_os_family == 'RedHat'
|
||||
- ansible_distribution_major_version|int >= 7
|
||||
|
||||
- name: Register that this role has run
|
||||
set_fact:
|
||||
|
|
|
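Review bot: The new `Enable service in chroot` task runs `systemctl enable` on every play and has no `changed_when`, so the `command` module reports changed each run and the role stops being idempotent for chroot targets; add `changed_when: false`, or register the result and key `changed_when` on its output (for example a `Created symlink` line in stderr, to be confirmed against the systemctl version in use) so change reporting stays honest. The comment above it says the service module cannot be used on RHEL 7, while the condition is `ansible_distribution_major_version|int >= 7`, so either the comment or the bound should be narrowed to say which is intended. The three unit-file `template` tasks earlier in this section still set no `owner`/`group`/`mode`, unlike the sshd_config template that opens the hunk; `owner: root`, `group: root` and `mode: "0644"` would pin what is otherwise umask-dependent on the control path.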
@ -1,5 +1,4 @@
|
|||
---
|
||||
|
||||
- include_tasks: variables.yml
|
||||
|
||||
- include_tasks: install.yml
|
||||
- include_tasks: sshd.yml
|
||||
when: sshd_enable|bool
|
||||
|
|
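--- /dev/null
+++ b/tasks/sshd.yml
@@ -0,0 +1,5 @@
+---
+
+- include_tasks: variables.yml
+
+- include_tasks: install.yml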
@ -1,38 +1,59 @@
|
|||
---
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: "{{ lookup('first_found', var_files) }}"
|
||||
include_vars: "{{ lookup('first_found', params) }}"
|
||||
vars:
|
||||
var_files:
|
||||
- "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
|
||||
- "{{ ansible_distribution }}.yml"
|
||||
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
|
||||
- "{{ ansible_os_family }}.yml"
|
||||
- default.yml
|
||||
ansible_distribution_lts_offset: >-
|
||||
{{
|
||||
ansible_distribution_major_version|int % 2
|
||||
if ansible_distribution == "Ubuntu"
|
||||
else 0
|
||||
}}
|
||||
ansible_distribution_lts_version: '{{
|
||||
ansible_distribution_major_version|int -
|
||||
ansible_distribution_lts_offset|int }}'
|
||||
params:
|
||||
files:
|
||||
- "{{ ansible_distribution }}_{{ ansible_distribution_lts_version }}.yml"
|
||||
- "{{ ansible_distribution }}.yml"
|
||||
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
|
||||
- "{{ ansible_os_family }}.yml"
|
||||
- default.yml
|
||||
paths:
|
||||
- '{{ role_path }}/vars'
|
||||
- '{{ playbook_dir }}/vars'
|
||||
|
||||
- name: Override OS defaults
|
||||
block:
|
||||
- set_fact:
|
||||
- name: Define sshd_packages
|
||||
set_fact:
|
||||
sshd_packages: "{{ __sshd_packages }}"
|
||||
when: sshd_packages is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_config_owner
|
||||
set_fact:
|
||||
sshd_config_owner: "{{ __sshd_config_owner }}"
|
||||
when: sshd_config_owner is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_config_group
|
||||
set_fact:
|
||||
sshd_config_group: "{{ __sshd_config_group }}"
|
||||
when: sshd_config_group is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_config_mode
|
||||
set_fact:
|
||||
sshd_config_mode: "{{ __sshd_config_mode }}"
|
||||
when: sshd_config_mode is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_config_file
|
||||
set_fact:
|
||||
sshd_config_file: "{{ __sshd_config_file }}"
|
||||
when: sshd_config_file is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_binary
|
||||
set_fact:
|
||||
sshd_binary: "{{ __sshd_binary }}"
|
||||
when: sshd_binary is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_service
|
||||
set_fact:
|
||||
sshd_service: "{{ __sshd_service }}"
|
||||
when: sshd_service is not defined
|
||||
- set_fact:
|
||||
- name: Define sshd_sftp_server
|
||||
set_fact:
|
||||
sshd_sftp_server: "{{ __sshd_sftp_server }}"
|
||||
when: sshd_sftp_server is not defined
|
||||
|
|
|
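Review bot: Adding `'{{ playbook_dir }}/vars'` to the `first_found` search paths means any file in the consuming playbook's `vars/` directory that happens to be named `default.yml`, `Debian.yml`, `Ubuntu_18.yml` and so on is loaded as this role's OS variables, replacing `__sshd_packages`, `__sshd_defaults` and `__sshd_os_supported` wholesale; whether such a file can shadow the role's own copy depends on whether `first_found` iterates `files` or `paths` in the outer loop, which should be confirmed and documented in the README. A comment on the `paths:` key such as `# playbook_dir/vars is searched so a playbook can ship its own OS var files; generic names like default.yml will collide` would make the extension point explicit. The LTS mapping is also asymmetric: `files` uses `ansible_distribution_lts_version` for the distribution-specific name but the unmodified `ansible_distribution_major_version` for the os-family name, which is harmless while Ubuntu's family is Debian but deserves a one-line comment so the next reader does not "fix" it.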
@ -10,7 +10,7 @@ KillMode=process
|
|||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
Type=notify
|
||||
RuntimeDirectory={{ sshd_binary }}
|
||||
RuntimeDirectory={{ sshd_binary | basename }}
|
||||
RuntimeDirectoryMode=0755
|
||||
|
||||
[Install]
|
||||
|
|
|
@ -16,7 +16,6 @@ __sshd_defaults:
|
|||
GSSAPICleanupCredentials: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
UsePrivilegeSeparation: sandbox
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
|
|
|
@ -5,36 +5,11 @@ __sshd_packages:
|
|||
- openssh-sftp-server
|
||||
__sshd_config_mode: "0644"
|
||||
__sshd_defaults:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: yes
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: prohibit-password
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
UsePAM: yes
|
||||
X11Forwarding: yes
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: LANG LC_*
|
||||
Subsystem: "sftp {{ sshd_sftp_server }}"
|
||||
UsePAM: yes
|
||||
UseDNS: no
|
||||
__sshd_os_supported: yes
|
||||
|
|
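Review bot: This vars file drops the explicit `PermitRootLogin: prohibit-password`, `PasswordAuthentication: no`, `PermitEmptyPasswords: no`, `HostbasedAuthentication: no` and `IgnoreRhosts: yes` entries from `__sshd_defaults`, and nothing on this page shows where they now come from; if a shared defaults file outside this diff restores them that is fine, but if not, those directives fall back to sshd's compiled-in values (presumably `PasswordAuthentication yes`), which loosens the rendered config on every Ubuntu host with no visible change to the role's defaults. `UsePAM: yes` also appears twice in this section; if both copies land on the new side they form a duplicate mapping key and YAML loaders silently keep the last one. A comment above `__sshd_defaults:` naming the file that supplies the authentication-hardening directives, and stating that this file only adds Ubuntu-specific overrides, would make the split auditable.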