Allow overrides, force sftp for Ansible

defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+sshd_user: root
+sshd_group: root
+sshd_binary: /usr/sbin/sshd
 sshd_config_file: /etc/ssh/sshd_config
 sshd_service: sshd
-sshd_binary: /usr/sbin/sshd
+sshd_force_sftp: true
+sshd: {}

meta/macros.j2

@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+{% macro sshd_multiline(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
+{%   endif %}
+{%   if value is defined %}
+{%     if value is string %}
+{{ key }} {{ value }}
+{%     else %}
+{%       for i in value %}
+{{ key }} {{ i }}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% macro sshd_boolean(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
+{%   endif %}
+{%   if value is defined %}
+{%     if value == true %}
+{{ key }} yes
+{%     elif value == false %}
+{{ key }} no
+{%     else %}
+{{ key }} {{ value }}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% macro sshd_value(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
+{%   endif %}
+{%   if value is defined %}
+{{ key }} {{ value }}
+{%   endif %}
+{% endmacro %}
+{% if sshd_force_sftp == true %}
+Subsystem sftp {{ sshd_sftp_server }}
+{% endif %}

meta/main.yml

@@ -0,0 +1,20 @@
+---
+galaxy_info:
+  author: Matt Willsher
+  description: OpenSSH Deamon configuration
+  company: Willsher Systems
+  license: MIT 
+  min_ansible_version: 1.8
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  - name: FreeBSD
+    version:
+    - all
+  categories:
+  - system
+dependencies: []

meta/make_option_list

@@ -1,30 +1,20 @@
 #!/bin/sh
-echo "# {{ ansible_managed }}"
+cat macros.j2
 
 cat ssh_multi_options |
   sort |
   awk '{
-print "{% if sshd_"$1" is defined %}"
-print "{%   for i in sshd_"$1" %}"
-print $1" {{ i }}"
-print "{%   endfor %}"
-print "{% endif %}"
+print "{{ sshd_multiline(\""$1"\",sshd_"$1") -}}"
 }'
 
 cat ssh_kv_options |
   sort |
-  awk '{print "{% if sshd_"$1" is defined %}"$1" {{ sshd_"$1" }}{% endif %}"}'
+  awk '{
+print "{{ sshd_value(\""$1"\",sshd_"$1") -}}"
+}'
 
 cat ssh_boolean_options |
   sort |
   awk '{
-print "{% if sshd_"$1" is defined %}"
-print "{%   if sshd_"$1" == true %}"
-print $1" yes"
-print "{%   elif sshd_"$1" == false %}"
-print $1" no"
-print "{%   else %}"
-print $1" {{ "$1" }}"
-print "{%   endif %}"
-print "{% endif %}"
+print "{{ sshd_boolean(\""$1"\",sshd_"$1") -}}"
 }'

tasks/main.yml

@@ -1,16 +1,29 @@
 ---
-- name: Include OS specific configuration
+- name: Role set up
   include_vars: "{{ item }}"
   with_first_found:
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - default.yml
 
-- name: sshd configuration
+- name: Installed
+  action: >
+    {{ ansible_pkg_mgr }}
+    name="{{ item }}"
+    state=installed
+  with_items: sshd_packages
+
+- name: Configured
   template:
     src: sshd_config.j2
     dest: "{{ sshd_config_file }}"
-    owner: root
-    group: root
+    owner: "{{ sshd_user }}"
+    group: "{{ sshd_group }}"
     mode: 600
   notify: check and reload sshd
+
+- name: Service enabled and running
+  service:
+    name: "{{ sshd_service }}"
+    enabled: true
+    state: running

templates/sshd_config.j2

@@ -1,394 +1,124 @@
 # {{ ansible_managed }}
-{% if sshd_HostKey is defined %}
-{%   for i in sshd_HostKey %}
-HostKey {{ i }}
-{%   endfor %}
-{% endif %}
-{% if sshd_ListenAddress is defined %}
-{%   for i in sshd_ListenAddress %}
-ListenAddress {{ i }}
-{%   endfor %}
-{% endif %}
-{% if sshd_Subsystem is defined %}
-{%   for i in sshd_Subsystem %}
-Subsystem {{ i }}
-{%   endfor %}
-{% endif %}
-{% if sshd_AcceptEnv is defined %}AcceptEnv {{ sshd_AcceptEnv }}{% endif %}
-{% if sshd_AddressFamily is defined %}AddressFamily {{ sshd_AddressFamily }}{% endif %}
-{% if sshd_AllowGroups is defined %}AllowGroups {{ sshd_AllowGroups }}{% endif %}
-{% if sshd_AllowUsers is defined %}AllowUsers {{ sshd_AllowUsers }}{% endif %}
-{% if sshd_AuthenticationMethods is defined %}AuthenticationMethods {{ sshd_AuthenticationMethods }}{% endif %}
-{% if sshd_AuthorizedKeysCommand is defined %}AuthorizedKeysCommand {{ sshd_AuthorizedKeysCommand }}{% endif %}
-{% if sshd_AuthorizedKeysCommandUser is defined %}AuthorizedKeysCommandUser {{ sshd_AuthorizedKeysCommandUser }}{% endif %}
-{% if sshd_AuthorizedKeysFile is defined %}AuthorizedKeysFile {{ sshd_AuthorizedKeysFile }}{% endif %}
-{% if sshd_AuthorizedPrincipalsFile is defined %}AuthorizedPrincipalsFile {{ sshd_AuthorizedPrincipalsFile }}{% endif %}
-{% if sshd_Banner is defined %}Banner {{ sshd_Banner }}{% endif %}
-{% if sshd_ChrootDirectory is defined %}ChrootDirectory {{ sshd_ChrootDirectory }}{% endif %}
-{% if sshd_Ciphers is defined %}Ciphers {{ sshd_Ciphers }}{% endif %}
-{% if sshd_ClientAliveCountMax is defined %}ClientAliveCountMax {{ sshd_ClientAliveCountMax }}{% endif %}
-{% if sshd_ClientAliveInterval is defined %}ClientAliveInterval {{ sshd_ClientAliveInterval }}{% endif %}
-{% if sshd_DenyGroups is defined %}DenyGroups {{ sshd_DenyGroups }}{% endif %}
-{% if sshd_DenyUsers is defined %}DenyUsers {{ sshd_DenyUsers }}{% endif %}
-{% if sshd_ForceCommand is defined %}ForceCommand {{ sshd_ForceCommand }}{% endif %}
-{% if sshd_GSSAPIAuthentication is defined %}GSSAPIAuthentication {{ sshd_GSSAPIAuthentication }}{% endif %}
-{% if sshd_GSSAPIKeyExchange is defined %}GSSAPIKeyExchange {{ sshd_GSSAPIKeyExchange }}{% endif %}
-{% if sshd_HPNBufferSize is defined %}HPNBufferSize {{ sshd_HPNBufferSize }}{% endif %}
-{% if sshd_HostCertificate is defined %}HostCertificate {{ sshd_HostCertificate }}{% endif %}
-{% if sshd_HostKeyAgent is defined %}HostKeyAgent {{ sshd_HostKeyAgent }}{% endif %}
-{% if sshd_IPQoS is defined %}IPQoS {{ sshd_IPQoS }}{% endif %}
-{% if sshd_KbdInteractiveAuthentication is defined %}KbdInteractiveAuthentication {{ sshd_KbdInteractiveAuthentication }}{% endif %}
-{% if sshd_KexAlgorithms is defined %}KexAlgorithms {{ sshd_KexAlgorithms }}{% endif %}
-{% if sshd_KeyRegenerationInterval is defined %}KeyRegenerationInterval {{ sshd_KeyRegenerationInterval }}{% endif %}
-{% if sshd_LogLevel is defined %}LogLevel {{ sshd_LogLevel }}{% endif %}
-{% if sshd_LoginGraceTime is defined %}LoginGraceTime {{ sshd_LoginGraceTime }}{% endif %}
-{% if sshd_MACs is defined %}MACs {{ sshd_MACs }}{% endif %}
-{% if sshd_MaxAuthTries is defined %}MaxAuthTries {{ sshd_MaxAuthTries }}{% endif %}
-{% if sshd_MaxSessions is defined %}MaxSessions {{ sshd_MaxSessions }}{% endif %}
-{% if sshd_MaxStartups is defined %}MaxStartups {{ sshd_MaxStartups }}{% endif %}
-{% if sshd_PermitOpen is defined %}PermitOpen {{ sshd_PermitOpen }}{% endif %}
-{% if sshd_PermitTTY is defined %}PermitTTY {{ sshd_PermitTTY }}{% endif %}
-{% if sshd_PidFile is defined %}PidFile {{ sshd_PidFile }}{% endif %}
-{% if sshd_Port is defined %}Port {{ sshd_Port }}{% endif %}
-{% if sshd_Protocol is defined %}Protocol {{ sshd_Protocol }}{% endif %}
-{% if sshd_RekeyLimit is defined %}RekeyLimit {{ sshd_RekeyLimit }}{% endif %}
-{% if sshd_RevokedKeys is defined %}RevokedKeys {{ sshd_RevokedKeys }}{% endif %}
-{% if sshd_ServerKeyBits is defined %}ServerKeyBits {{ sshd_ServerKeyBits }}{% endif %}
-{% if sshd_SyslogFacility is defined %}SyslogFacility {{ sshd_SyslogFacility }}{% endif %}
-{% if sshd_TrustedUserCAKeys is defined %}TrustedUserCAKeys {{ sshd_TrustedUserCAKeys }}{% endif %}
-{% if sshd_VersionAddendum is defined %}VersionAddendum {{ sshd_VersionAddendum }}{% endif %}
-{% if sshd_X11DisplayOffset is defined %}X11DisplayOffset {{ sshd_X11DisplayOffset }}{% endif %}
-{% if sshd_XAuthLocation is defined %}XAuthLocation {{ sshd_XAuthLocation }}{% endif %}
-{% if sshd_AllowAgentForwarding is defined %}
-{%   if sshd_AllowAgentForwarding == true %}
-AllowAgentForwarding yes
-{%   elif sshd_AllowAgentForwarding == false %}
-AllowAgentForwarding no
-{%   else %}
-AllowAgentForwarding {{ AllowAgentForwarding }}
+{% macro sshd_multiline(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
 {%   endif %}
-{% endif %}
-{% if sshd_AllowTcpForwarding is defined %}
-{%   if sshd_AllowTcpForwarding == true %}
-AllowTcpForwarding yes
-{%   elif sshd_AllowTcpForwarding == false %}
-AllowTcpForwarding no
-{%   else %}
-AllowTcpForwarding {{ AllowTcpForwarding }}
+{%   if value is defined %}
+{%     for i in value %}
+{{ key }} {{ i }}
+{%     endfor %}
 {%   endif %}
-{% endif %}
-{% if sshd_ChallengeResponseAuthentication is defined %}
-{%   if sshd_ChallengeResponseAuthentication == true %}
-ChallengeResponseAuthentication yes
-{%   elif sshd_ChallengeResponseAuthentication == false %}
-ChallengeResponseAuthentication no
-{%   else %}
-ChallengeResponseAuthentication {{ ChallengeResponseAuthentication }}
+{% endmacro %}
+{% macro sshd_boolean(key,override) %}
+{%   if override is defined %}
+{%     set value = override %}
+{%   elif sshd[key] is defined %}
+{%     set value = sshd[key] %}
 {%   endif %}
-{% endif %}
-{% if sshd_Compression is defined %}
-{%   if sshd_Compression == true %}
-Compression yes
-{%   elif sshd_Compression == false %}
-Compression no
-{%   else %}
-Compression {{ Compression }}
+{%   if value is defined %}
+{%     if value == true %}
+{{ key }} yes
+{%     elif value == false %}
+{{ key }} no
+{%     else %}
+{{ key }} {{ value }}
+{%     endif %}
 {%   endif %}
-{% endif %}
-{% if sshd_GSSAPICleanupCredentials is defined %}
-{%   if sshd_GSSAPICleanupCredentials == true %}
-GSSAPICleanupCredentials yes
-{%   elif sshd_GSSAPICleanupCredentials == false %}
-GSSAPICleanupCredentials no
-{%   else %}
-GSSAPICleanupCredentials {{ GSSAPICleanupCredentials }}
-{%   endif %}
-{% endif %}
-{% if sshd_GSSAPIStoreCredentialsOnRekey is defined %}
-{%   if sshd_GSSAPIStoreCredentialsOnRekey == true %}
-GSSAPIStoreCredentialsOnRekey yes
-{%   elif sshd_GSSAPIStoreCredentialsOnRekey == false %}
-GSSAPIStoreCredentialsOnRekey no
-{%   else %}
-GSSAPIStoreCredentialsOnRekey {{ GSSAPIStoreCredentialsOnRekey }}
-{%   endif %}
-{% endif %}
-{% if sshd_GSSAPIStrictAcceptorCheck is defined %}
-{%   if sshd_GSSAPIStrictAcceptorCheck == true %}
-GSSAPIStrictAcceptorCheck yes
-{%   elif sshd_GSSAPIStrictAcceptorCheck == false %}
-GSSAPIStrictAcceptorCheck no
-{%   else %}
-GSSAPIStrictAcceptorCheck {{ GSSAPIStrictAcceptorCheck }}
-{%   endif %}
-{% endif %}
-{% if sshd_GatewayPorts is defined %}
-{%   if sshd_GatewayPorts == true %}
-GatewayPorts yes
-{%   elif sshd_GatewayPorts == false %}
-GatewayPorts no
-{%   else %}
-GatewayPorts {{ GatewayPorts }}
-{%   endif %}
-{% endif %}
-{% if sshd_HPNDisabled is defined %}
-{%   if sshd_HPNDisabled == true %}
-HPNDisabled yes
-{%   elif sshd_HPNDisabled == false %}
-HPNDisabled no
-{%   else %}
-HPNDisabled {{ HPNDisabled }}
-{%   endif %}
-{% endif %}
-{% if sshd_HostbasedAuthentication is defined %}
-{%   if sshd_HostbasedAuthentication == true %}
-HostbasedAuthentication yes
-{%   elif sshd_HostbasedAuthentication == false %}
-HostbasedAuthentication no
-{%   else %}
-HostbasedAuthentication {{ HostbasedAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_HostbasedUsesNameFromPacketOnly is defined %}
-{%   if sshd_HostbasedUsesNameFromPacketOnly == true %}
-HostbasedUsesNameFromPacketOnly yes
-{%   elif sshd_HostbasedUsesNameFromPacketOnly == false %}
-HostbasedUsesNameFromPacketOnly no
-{%   else %}
-HostbasedUsesNameFromPacketOnly {{ HostbasedUsesNameFromPacketOnly }}
-{%   endif %}
-{% endif %}
-{% if sshd_IgnoreRhosts is defined %}
-{%   if sshd_IgnoreRhosts == true %}
-IgnoreRhosts yes
-{%   elif sshd_IgnoreRhosts == false %}
-IgnoreRhosts no
-{%   else %}
-IgnoreRhosts {{ IgnoreRhosts }}
-{%   endif %}
-{% endif %}
-{% if sshd_IgnoreUserKnownHosts is defined %}
-{%   if sshd_IgnoreUserKnownHosts == true %}
-IgnoreUserKnownHosts yes
-{%   elif sshd_IgnoreUserKnownHosts == false %}
-IgnoreUserKnownHosts no
-{%   else %}
-IgnoreUserKnownHosts {{ IgnoreUserKnownHosts }}
-{%   endif %}
-{% endif %}
-{% if sshd_KerberosAuthentication is defined %}
-{%   if sshd_KerberosAuthentication == true %}
-KerberosAuthentication yes
-{%   elif sshd_KerberosAuthentication == false %}
-KerberosAuthentication no
-{%   else %}
-KerberosAuthentication {{ KerberosAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_KerberosGetAFSToken is defined %}
-{%   if sshd_KerberosGetAFSToken == true %}
-KerberosGetAFSToken yes
-{%   elif sshd_KerberosGetAFSToken == false %}
-KerberosGetAFSToken no
-{%   else %}
-KerberosGetAFSToken {{ KerberosGetAFSToken }}
-{%   endif %}
-{% endif %}
-{% if sshd_KerberosOrLocalPasswd is defined %}
-{%   if sshd_KerberosOrLocalPasswd == true %}
-KerberosOrLocalPasswd yes
-{%   elif sshd_KerberosOrLocalPasswd == false %}
-KerberosOrLocalPasswd no
-{%   else %}
-KerberosOrLocalPasswd {{ KerberosOrLocalPasswd }}
-{%   endif %}
-{% endif %}
-{% if sshd_KerberosTicketCleanup is defined %}
-{%   if sshd_KerberosTicketCleanup == true %}
-KerberosTicketCleanup yes
-{%   elif sshd_KerberosTicketCleanup == false %}
-KerberosTicketCleanup no
-{%   else %}
-KerberosTicketCleanup {{ KerberosTicketCleanup }}
-{%   endif %}
-{% endif %}
-{% if sshd_NoneEnabled is defined %}
-{%   if sshd_NoneEnabled == true %}
-NoneEnabled yes
-{%   elif sshd_NoneEnabled == false %}
-NoneEnabled no
-{%   else %}
-NoneEnabled {{ NoneEnabled }}
-{%   endif %}
-{% endif %}
-{% if sshd_PasswordAuthentication is defined %}
-{%   if sshd_PasswordAuthentication == true %}
-PasswordAuthentication yes
-{%   elif sshd_PasswordAuthentication == false %}
-PasswordAuthentication no
-{%   else %}
-PasswordAuthentication {{ PasswordAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_PermitEmptyPasswords is defined %}
-{%   if sshd_PermitEmptyPasswords == true %}
-PermitEmptyPasswords yes
-{%   elif sshd_PermitEmptyPasswords == false %}
-PermitEmptyPasswords no
-{%   else %}
-PermitEmptyPasswords {{ PermitEmptyPasswords }}
-{%   endif %}
-{% endif %}
-{% if sshd_PermitRootLogin is defined %}
-{%   if sshd_PermitRootLogin == true %}
-PermitRootLogin yes
-{%   elif sshd_PermitRootLogin == false %}
-PermitRootLogin no
-{%   else %}
-PermitRootLogin {{ PermitRootLogin }}
-{%   endif %}
-{% endif %}
-{% if sshd_PermitTunnel is defined %}
-{%   if sshd_PermitTunnel == true %}
-PermitTunnel yes
-{%   elif sshd_PermitTunnel == false %}
-PermitTunnel no
-{%   else %}
-PermitTunnel {{ PermitTunnel }}
-{%   endif %}
-{% endif %}
-{% if sshd_PermitUserEnvironment is defined %}
-{%   if sshd_PermitUserEnvironment == true %}
-PermitUserEnvironment yes
-{%   elif sshd_PermitUserEnvironment == false %}
-PermitUserEnvironment no
-{%   else %}
-PermitUserEnvironment {{ PermitUserEnvironment }}
-{%   endif %}
-{% endif %}
-{% if sshd_PrintLastLog is defined %}
-{%   if sshd_PrintLastLog == true %}
-PrintLastLog yes
-{%   elif sshd_PrintLastLog == false %}
-PrintLastLog no
-{%   else %}
-PrintLastLog {{ PrintLastLog }}
-{%   endif %}
-{% endif %}
-{% if sshd_PrintMotd is defined %}
-{%   if sshd_PrintMotd == true %}
-PrintMotd yes
-{%   elif sshd_PrintMotd == false %}
-PrintMotd no
-{%   else %}
-PrintMotd {{ PrintMotd }}
-{%   endif %}
-{% endif %}
-{% if sshd_PubkeyAuthentication is defined %}
-{%   if sshd_PubkeyAuthentication == true %}
-PubkeyAuthentication yes
-{%   elif sshd_PubkeyAuthentication == false %}
-PubkeyAuthentication no
-{%   else %}
-PubkeyAuthentication {{ PubkeyAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_RSAAuthentication is defined %}
-{%   if sshd_RSAAuthentication == true %}
-RSAAuthentication yes
-{%   elif sshd_RSAAuthentication == false %}
-RSAAuthentication no
-{%   else %}
-RSAAuthentication {{ RSAAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_RhostsRSAAuthentication is defined %}
-{%   if sshd_RhostsRSAAuthentication == true %}
-RhostsRSAAuthentication yes
-{%   elif sshd_RhostsRSAAuthentication == false %}
-RhostsRSAAuthentication no
-{%   else %}
-RhostsRSAAuthentication {{ RhostsRSAAuthentication }}
-{%   endif %}
-{% endif %}
-{% if sshd_StrictModes is defined %}
-{%   if sshd_StrictModes == true %}
-StrictModes yes
-{%   elif sshd_StrictModes == false %}
-StrictModes no
-{%   else %}
-StrictModes {{ StrictModes }}
-{%   endif %}
-{% endif %}
-{% if sshd_TCPKeepAlive is defined %}
-{%   if sshd_TCPKeepAlive == true %}
-TCPKeepAlive yes
-{%   elif sshd_TCPKeepAlive == false %}
-TCPKeepAlive no
-{%   else %}
-TCPKeepAlive {{ TCPKeepAlive }}
-{%   endif %}
-{% endif %}
-{% if sshd_TcpRcvBufPoll is defined %}
-{%   if sshd_TcpRcvBufPoll == true %}
-TcpRcvBufPoll yes
-{%   elif sshd_TcpRcvBufPoll == false %}
-TcpRcvBufPoll no
-{%   else %}
-TcpRcvBufPoll {{ TcpRcvBufPoll }}
-{%   endif %}
-{% endif %}
-{% if sshd_UseDNS is defined %}
-{%   if sshd_UseDNS == true %}
-UseDNS yes
-{%   elif sshd_UseDNS == false %}
-UseDNS no
-{%   else %}
-UseDNS {{ UseDNS }}
-{%   endif %}
-{% endif %}
-{% if sshd_UseLogin is defined %}
-{%   if sshd_UseLogin == true %}
-UseLogin yes
-{%   elif sshd_UseLogin == false %}
-UseLogin no
-{%   else %}
-UseLogin {{ UseLogin }}
-{%   endif %}
-{% endif %}
-{% if sshd_UsePAM is defined %}
-{%   if sshd_UsePAM == true %}
-UsePAM yes
-{%   elif sshd_UsePAM == false %}
-UsePAM no
-{%   else %}
-UsePAM {{ UsePAM }}
-{%   endif %}
-{% endif %}
-{% if sshd_UsePrivilegeSeparation is defined %}
-{%   if sshd_UsePrivilegeSeparation == true %}
-UsePrivilegeSeparation yes
-{%   elif sshd_UsePrivilegeSeparation == false %}
-UsePrivilegeSeparation no
-{%   else %}
-UsePrivilegeSeparation {{ UsePrivilegeSeparation }}
-{%   endif %}
-{% endif %}
-{% if sshd_X11Forwarding is defined %}
-{%   if sshd_X11Forwarding == true %}
-X11Forwarding yes
-{%   elif sshd_X11Forwarding == false %}
-X11Forwarding no
-{%   else %}
-X11Forwarding {{ X11Forwarding }}
-{%   endif %}
-{% endif %}
-{% if sshd_X11UseLocalhost is defined %}
-{%   if sshd_X11UseLocalhost == true %}
-X11UseLocalhost yes
-{%   elif sshd_X11UseLocalhost == false %}
-X11UseLocalhost no
-{%   else %}
-X11UseLocalhost {{ X11UseLocalhost }}
-{%   endif %}
-{% endif %}
+{% endmacro -%}
+{% macro sshd_value(key,override) -%}
+{%   if override is defined -%}
+{%     set value = override -%}
+{%   elif sshd[key] is defined -%}
+{%     set value = sshd[key] -%}
+{%   endif -%}
+{%   if value is defined -%}
+{{ key }} {{ value }}
+{%   endif -%}
+{% endmacro -%}
+{{ sshd_multiline("HostKey",sshd_HostKey) }}
+{{ sshd_multiline("ListenAddress",sshd_ListenAddress) }}
+{{ sshd_multiline("Subsystem",sshd_Subsystem) }}
+{{ sshd_value("AcceptEnv",sshd_AcceptEnv) }}
+{{ sshd_value("AddressFamily",sshd_AddressFamily) }}
+{{ sshd_value("AllowGroups",sshd_AllowGroups) }}
+{{ sshd_value("AllowUsers",sshd_AllowUsers) }}
+{{ sshd_value("AuthenticationMethods",sshd_AuthenticationMethods) }}
+{{ sshd_value("AuthorizedKeysCommand",sshd_AuthorizedKeysCommand) }}
+{{ sshd_value("AuthorizedKeysCommandUser",sshd_AuthorizedKeysCommandUser) }}
+{{ sshd_value("AuthorizedKeysFile",sshd_AuthorizedKeysFile) }}
+{{ sshd_value("AuthorizedPrincipalsFile",sshd_AuthorizedPrincipalsFile) }}
+{{ sshd_value("Banner",sshd_Banner) }}
+{{ sshd_value("ChrootDirectory",sshd_ChrootDirectory) }}
+{{ sshd_value("Ciphers",sshd_Ciphers) }}
+{{ sshd_value("ClientAliveCountMax",sshd_ClientAliveCountMax) }}
+{{ sshd_value("ClientAliveInterval",sshd_ClientAliveInterval) }}
+{{ sshd_value("DenyGroups",sshd_DenyGroups) }}
+{{ sshd_value("DenyUsers",sshd_DenyUsers) }}
+{{ sshd_value("ForceCommand",sshd_ForceCommand) }}
+{{ sshd_value("GSSAPIAuthentication",sshd_GSSAPIAuthentication) }}
+{{ sshd_value("GSSAPIKeyExchange",sshd_GSSAPIKeyExchange) }}
+{{ sshd_value("HPNBufferSize",sshd_HPNBufferSize) }}
+{{ sshd_value("HostCertificate",sshd_HostCertificate) }}
+{{ sshd_value("HostKeyAgent",sshd_HostKeyAgent) }}
+{{ sshd_value("IPQoS",sshd_IPQoS) }}
+{{ sshd_value("KbdInteractiveAuthentication",sshd_KbdInteractiveAuthentication) }}
+{{ sshd_value("KexAlgorithms",sshd_KexAlgorithms) }}
+{{ sshd_value("KeyRegenerationInterval",sshd_KeyRegenerationInterval) }}
+{{ sshd_value("LogLevel",sshd_LogLevel) }}
+{{ sshd_value("LoginGraceTime",sshd_LoginGraceTime) }}
+{{ sshd_value("MACs",sshd_MACs) }}
+{{ sshd_value("MaxAuthTries",sshd_MaxAuthTries) }}
+{{ sshd_value("MaxSessions",sshd_MaxSessions) }}
+{{ sshd_value("MaxStartups",sshd_MaxStartups) }}
+{{ sshd_value("PermitOpen",sshd_PermitOpen) }}
+{{ sshd_value("PermitTTY",sshd_PermitTTY) }}
+{{ sshd_value("PidFile",sshd_PidFile) }}
+{{ sshd_value("Port",sshd_Port) }}
+{{ sshd_value("Protocol",sshd_Protocol) }}
+{{ sshd_value("RekeyLimit",sshd_RekeyLimit) }}
+{{ sshd_value("RevokedKeys",sshd_RevokedKeys) }}
+{{ sshd_value("ServerKeyBits",sshd_ServerKeyBits) }}
+{{ sshd_value("SyslogFacility",sshd_SyslogFacility) }}
+{{ sshd_value("TrustedUserCAKeys",sshd_TrustedUserCAKeys) }}
+{{ sshd_value("VersionAddendum",sshd_VersionAddendum) }}
+{{ sshd_value("X11DisplayOffset",sshd_X11DisplayOffset) }}
+{{ sshd_value("XAuthLocation",sshd_XAuthLocation) }}
+{{ sshd_boolean("AllowAgentForwarding",sshd_AllowAgentForwarding) }}
+{{ sshd_boolean("AllowTcpForwarding",sshd_AllowTcpForwarding) }}
+{{ sshd_boolean("ChallengeResponseAuthentication",sshd_ChallengeResponseAuthentication) }}
+{{ sshd_boolean("Compression",sshd_Compression) }}
+{{ sshd_boolean("GSSAPICleanupCredentials",sshd_GSSAPICleanupCredentials) }}
+{{ sshd_boolean("GSSAPIStoreCredentialsOnRekey",sshd_GSSAPIStoreCredentialsOnRekey) }}
+{{ sshd_boolean("GSSAPIStrictAcceptorCheck",sshd_GSSAPIStrictAcceptorCheck) }}
+{{ sshd_boolean("GatewayPorts",sshd_GatewayPorts) }}
+{{ sshd_boolean("HPNDisabled",sshd_HPNDisabled) }}
+{{ sshd_boolean("HostbasedAuthentication",sshd_HostbasedAuthentication) }}
+{{ sshd_boolean("HostbasedUsesNameFromPacketOnly",sshd_HostbasedUsesNameFromPacketOnly) }}
+{{ sshd_boolean("IgnoreRhosts",sshd_IgnoreRhosts) }}
+{{ sshd_boolean("IgnoreUserKnownHosts",sshd_IgnoreUserKnownHosts) }}
+{{ sshd_boolean("KerberosAuthentication",sshd_KerberosAuthentication) }}
+{{ sshd_boolean("KerberosGetAFSToken",sshd_KerberosGetAFSToken) }}
+{{ sshd_boolean("KerberosOrLocalPasswd",sshd_KerberosOrLocalPasswd) }}
+{{ sshd_boolean("KerberosTicketCleanup",sshd_KerberosTicketCleanup) }}
+{{ sshd_boolean("NoneEnabled",sshd_NoneEnabled) }}
+{{ sshd_boolean("PasswordAuthentication",sshd_PasswordAuthentication) }}
+{{ sshd_boolean("PermitEmptyPasswords",sshd_PermitEmptyPasswords) }}
+{{ sshd_boolean("PermitRootLogin",sshd_PermitRootLogin) }}
+{{ sshd_boolean("PermitTunnel",sshd_PermitTunnel) }}
+{{ sshd_boolean("PermitUserEnvironment",sshd_PermitUserEnvironment) }}
+{{ sshd_boolean("PrintLastLog",sshd_PrintLastLog) }}
+{{ sshd_boolean("PrintMotd",sshd_PrintMotd) }}
+{{ sshd_boolean("PubkeyAuthentication",sshd_PubkeyAuthentication) }}
+{{ sshd_boolean("RSAAuthentication",sshd_RSAAuthentication) }}
+{{ sshd_boolean("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) }}
+{{ sshd_boolean("StrictModes",sshd_StrictModes) }}
+{{ sshd_boolean("TCPKeepAlive",sshd_TCPKeepAlive) }}
+{{ sshd_boolean("TcpRcvBufPoll",sshd_TcpRcvBufPoll) }}
+{{ sshd_boolean("UseDNS",sshd_UseDNS) }}
+{{ sshd_boolean("UseLogin",sshd_UseLogin) }}
+{{ sshd_boolean("UsePAM",sshd_UsePAM) }}
+{{ sshd_boolean("UsePrivilegeSeparation",sshd_UsePrivilegeSeparation) }}
+{{ sshd_boolean("X11Forwarding",sshd_X11Forwarding) }}
+{{ sshd_boolean("X11UseLocalhost",sshd_X11UseLocalhost) }}

vars/Debian.yml

@@ -1,4 +1,8 @@
 ---
-sshd_config_file: /etc/ssh/sshd_config
 sshd_service: ssh
-sshd_binary: /usr/sbin/sshd
+sshd_packages:
+  - openssh-server
+  - openssh-blacklist
+  - openssh-blacklist-extra
+  - openssh-sftp-server
+sshd_sftp_server: /usr/lib/openssh/sftp-server

vars/FreeBSD.yml

@@ -0,0 +1,5 @@
+---
+sshd_service: sshd
+sshd_packages: []
+sshd_group: wheel
+sshd_sftp_server: /usr/libexec/sftp-server