Merge branch 'master' into syntax

This commit is contained in:
Nikolaos Kakouros 2019-06-04 11:43:42 +02:00
commit b81977c659
12 changed files with 82 additions and 60 deletions


@ -25,11 +25,11 @@ script:
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --syntax-check"
# Run the role
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -v"
- "ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test.yml --connection=local --become -v"
# Run the role/playbook again, checking to make sure it's idempotent.
- >
ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo
| grep -q 'changed=0.*failed=0'
ansible-playbook -i tests/inventory tests/test.yml --connection=local --become | grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)


@ -44,6 +44,10 @@ Role variables
Unconfigured, this role will provide a sshd_config that matches the OS default,
minus the comments and in a different order.
* `sshd_enable`
If set to False, the role will be completely disabled. Defaults to True.
* `sshd_skip_defaults`
If set to True, don't apply default values. This means that you must have a


@ -1,5 +1,8 @@
---
### USER OPTIONS
# Set to False to disable this role completely
sshd_enable: True
# Don't apply OS defaults when set to true
sshd_skip_defaults: false
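Review bot: The new `sshd_enable: True` on the added line uses a capitalised boolean while the neighbouring `sshd_skip_defaults: false` uses the lowercase form, so the file now mixes two boolean spellings. YAML 1.1 loaders read both as booleans, but yamllint's `truthy` rule rejects `True`, and the role's consumers already pass the value through `|bool`, so nothing depends on the capitalised form. I would change the line to `sshd_enable: true` to keep the defaults file consistent and lint-clean.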


@ -5,6 +5,7 @@
name: "{{ sshd_service }}"
state: reloaded
when:
- sshd_allow_reload
- sshd_allow_reload|bool
- ansible_virtualization_type|default(None) != 'docker'
- ansible_connection != 'chroot'
listen: reload_sshd
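Review bot: The added `ansible_connection != 'chroot'` condition makes the reload handler a silent no-op under chroot (as it already was under docker), so a changed sshd_config is written and validated but never applied during that run, and nothing in the play output says so. That is the intended behaviour for image builds, but it is the kind of thing a later maintainer will trip over, so it deserves a comment above the `when:` list, e.g. `# No init to talk to inside docker/chroot: the new config takes effect when sshd is next started`. The handler's `name:` line sits above the hunk, so I could not confirm whether the task is otherwise documented.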


@ -1,7 +1,7 @@
---
galaxy_info:
author: Matt Willsher
description: OpenSSH SSH deamon configuration
description: OpenSSH SSH daemon configuration
company: Willsher Systems
license: LGPLv3
min_ansible_version: 1.8
@ -32,8 +32,8 @@ galaxy_info:
galaxy_tags:
- networking
- system
- SSH
- OpenSSH
- ssh
- openssh
- sshd
- server
- ubuntu


@ -2,7 +2,7 @@
- name: OS is supported
assert:
that: '__sshd_os_supported == True'
that: __sshd_os_supported|bool
- name: Install ssh packages
package:
@ -17,30 +17,45 @@
group: "{{ sshd_config_group }}"
mode: "{{ sshd_config_mode }}"
validate: "{{ sshd_binary }} -t -f %s"
backup: "{{ sshd_backup }}"
notify: reload_sshd
- name: Install systemd service files
block:
- template:
- name: Install service unit file
template:
src: "{{ sshd_service_template_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}.service"
notify: reload_sshd
- template:
- name: Install instanced service unit file
template:
src: "{{ sshd_service_template_at_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}@.service"
notify: reload_sshd
- template:
- name: Install socket unit file
template:
src: "{{ sshd_service_template_socket }}"
dest: "/etc/systemd/system/{{ sshd_service }}.socket"
notify: reload_sshd
when: sshd_install_service
when: sshd_install_service|bool
- name: Service enabled and running
service:
name: "{{ sshd_service }}"
enabled: true
state: started
when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
when:
- sshd_manage_service|bool
- ansible_virtualization_type|default(None) != 'docker'
- ansible_connection != 'chroot'
# Due to ansible bug 21026, cannot use service module on RHEL 7
- name: Enable service in chroot
command: systemctl enable {{ sshd_service }} # noqa 303
when:
- ansible_connection == 'chroot'
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version|int >= 7
- name: Register that this role has run
set_fact:
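Review bot: The new "Enable service in chroot" task is not gated on `sshd_manage_service`, whereas the "Service enabled and running" task directly above it is, so on a RHEL 7+ chroot the role enables sshd even for users who set `sshd_manage_service: false`. I would add `- sshd_manage_service|bool` as the first entry of that task's `when:` list so both paths honour the same switch. Separately, a bare `command: systemctl enable …` reports changed on every run, which breaks the idempotence test the CI hunk relies on; a `changed_when:` based on the command's stdout, or a `stat` of the resulting symlink, would fix that. The "Register that this role has run" task that the hunk ends on continues outside the hunk.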


@ -1,5 +1,4 @@
---
- include_tasks: variables.yml
- include_tasks: install.yml
- include_tasks: sshd.yml
when: sshd_enable|bool

5
tasks/sshd.yml Normal file

@ -0,0 +1,5 @@
---
- include_tasks: variables.yml
- include_tasks: install.yml


@ -1,38 +1,59 @@
---
- name: Set OS dependent variables
include_vars: "{{ lookup('first_found', var_files) }}"
include_vars: "{{ lookup('first_found', params) }}"
vars:
var_files:
- "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_os_family }}.yml"
- default.yml
ansible_distribution_lts_offset: >-
{{
ansible_distribution_major_version|int % 2
if ansible_distribution == "Ubuntu"
else 0
}}
ansible_distribution_lts_version: '{{
ansible_distribution_major_version|int -
ansible_distribution_lts_offset|int }}'
params:
files:
- "{{ ansible_distribution }}_{{ ansible_distribution_lts_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_os_family }}.yml"
- default.yml
paths:
- '{{ role_path }}/vars'
- '{{ playbook_dir }}/vars'
- name: Override OS defaults
block:
- set_fact:
- name: Define sshd_packages
set_fact:
sshd_packages: "{{ __sshd_packages }}"
when: sshd_packages is not defined
- set_fact:
- name: Define sshd_config_owner
set_fact:
sshd_config_owner: "{{ __sshd_config_owner }}"
when: sshd_config_owner is not defined
- set_fact:
- name: Define sshd_config_group
set_fact:
sshd_config_group: "{{ __sshd_config_group }}"
when: sshd_config_group is not defined
- set_fact:
- name: Define sshd_config_mode
set_fact:
sshd_config_mode: "{{ __sshd_config_mode }}"
when: sshd_config_mode is not defined
- set_fact:
- name: Define sshd_config_file
set_fact:
sshd_config_file: "{{ __sshd_config_file }}"
when: sshd_config_file is not defined
- set_fact:
- name: Define sshd_binary
set_fact:
sshd_binary: "{{ __sshd_binary }}"
when: sshd_binary is not defined
- set_fact:
- name: Define sshd_service
set_fact:
sshd_service: "{{ __sshd_service }}"
when: sshd_service is not defined
- set_fact:
- name: Define sshd_sftp_server
set_fact:
sshd_sftp_server: "{{ __sshd_sftp_server }}"
when: sshd_sftp_server is not defined
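Review bot: The two task-scoped variables introduced in the "Set OS dependent variables" task, `ansible_distribution_lts_offset` and `ansible_distribution_lts_version`, use the `ansible_` prefix that Ansible reserves for facts, so they read as if they were gathered from the host and could be shadowed by a real fact of the same name on a future Ansible release. The role already uses a `__sshd_` prefix for its private variables, so renaming them to match, and commenting what the modulo arithmetic does (odd major versions map to the preceding even one; the name asserts those are the LTS releases), would make the lookup self-explanatory. The rest of the `params` mapping and the `set_fact` block are unchanged.

```yaml
  vars:
    # Ubuntu: odd major versions fall back to the preceding even one (19 -> 18),
    # which the vars files treat as the LTS release; other distributions use
    # their major version unchanged.
    __sshd_lts_offset: >-
      {{
        ansible_distribution_major_version|int % 2
        if ansible_distribution == "Ubuntu"
        else 0
      }}
    __sshd_lts_version: '{{
      ansible_distribution_major_version|int -
      __sshd_lts_offset|int }}'
    params:
      files:
        - "{{ ansible_distribution }}_{{ __sshd_lts_version }}.yml"
        # … unchanged: remaining files and paths entries …
```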


@ -10,7 +10,7 @@ KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory={{ sshd_binary }}
RuntimeDirectory={{ sshd_binary | basename }}
RuntimeDirectoryMode=0755
[Install]
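Review bot: The change to `RuntimeDirectory={{ sshd_binary | basename }}` is correct but unexplained; `RuntimeDirectory=` takes a name relative to `/run`, not a path, so the previous absolute value from `sshd_binary` was rejected by systemd, and a future edit could easily revert to the "obvious" full path. A Jinja comment on the line above would pin the reason without leaking into the rendered unit: `{# RuntimeDirectory= wants a name under /run, not a path, hence basename #}`. Note the template is rendered as text, so a Jinja `{# #}` comment rather than a `#` line keeps the unit file itself unchanged.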


@ -16,7 +16,6 @@ __sshd_defaults:
GSSAPICleanupCredentials: no
UsePAM: yes
X11Forwarding: yes
UsePrivilegeSeparation: sandbox
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
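Review bot: Dropping `UsePrivilegeSeparation: sandbox` from `__sshd_defaults` is only behaviour-neutral on OpenSSH 7.5 and later, where the directive is deprecated and privilege separation is unconditional; for any release this vars file serves with an older sshd, the generated config now falls back to that release's compiled-in default, which I cannot confirm from here is `sandbox`. Since this is a hardening directive, a one-line comment recording why it was removed would stop someone from reintroducing it or assuming it was lost by accident, e.g. `# UsePrivilegeSeparation intentionally omitted: deprecated and always-on since OpenSSH 7.5`. The enclosing `__sshd_defaults` mapping starts above the hunk.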


@ -5,36 +5,11 @@ __sshd_packages:
- openssh-sftp-server
__sshd_config_mode: "0644"
__sshd_defaults:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: prohibit-password
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
AuthorizedKeysFile: "%h/.ssh/authorized_keys"
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
PasswordAuthentication: no
ChallengeResponseAuthentication: no
UsePAM: yes
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: LANG LC_*
Subsystem: "sftp {{ sshd_sftp_server }}"
UsePAM: yes
UseDNS: no
__sshd_os_supported: yes
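Review bot: The removed block of `__sshd_defaults` included hardening directives, notably `PasswordAuthentication: no`, `ChallengeResponseAuthentication: no`, `PermitEmptyPasswords: no` and `PermitRootLogin: prohibit-password`, and the new side keeps only `Subsystem`, `UsePAM` and `UseDNS`; hosts that relied on the role's defaults will therefore get sshd's compiled-in defaults for those options, which (for password and challenge-response authentication) are permissive. That matches the README's "matches the OS default" wording, but it is a silent security regression for existing users of this vars file, so the change should be called out in the changelog/README and the defaults mapping should carry a comment such as `# Only OS-specific deviations belong here; hardening (PasswordAuthentication, PermitRootLogin, …) is the caller's responsibility`. I am inferring from the `openssh-sftp-server` package that this is the Debian/Ubuntu vars file; the hunk's `__sshd_packages` list starts outside the hunk.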