feat: Ubuntu noble (#290)

* feat: Add support for Ubuntu Nobel/24.04 LTS
* fix: Add missing PrintMotd to Ubuntu 22.04
* fix(tests): Various linting fixes

---------
Co-authored-by: Jakub Jelen <jjelen@redhat.com>

.ansible-lint

@@ -5,6 +5,7 @@ exclude_paths:
   - .markdownlint.yaml
 skip_list:
   - var-naming[no-role-prefix]
+  - meta-runtime[unsupported-version]
 mock_roles:
   - willshersystems.sshd.ansible-sshd
 mock_modules:

.pre-commit-config.yaml

@@ -1,14 +1,14 @@
 ---
 repos:
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.27.1
+    rev: 81e9f98ffd059efe8aa9c1b1a42e5cce61b640c6  # frozen: v1.35.1
     hooks:
       - id: yamllint
         files: \.(yaml|yml)$
         types: [file, yaml]
         entry: yamllint --strict
   - repo: https://github.com/ansible/ansible-lint.git
-    rev: v6.5.2
+    rev: 2d9f1ed1e6d08e1f6a18e50f789ab1580220c7db  # frozen: v24.6.0
     hooks:
       - id: ansible-lint
         files: \.(yaml|yml)$

.yamllint.yml

@@ -4,6 +4,12 @@ ignore: |
   /.tox/
   /.github/
   /tests/roles/
-# skip checking line length
 rules:
+  comments-indentation: false
+  document-start: disable
   line-length: disable
+  braces:
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true

CODE_OF_CONDUCT.md

@@ -6,7 +6,7 @@ In the interest of fostering an open and welcoming environment, we as
 contributors and maintainers pledge to making participation in our project and
 our community a harassment-free experience for everyone, regardless of age, body
 size, disability, ethnicity, sex characteristics, gender identity and expression,
-level of experience, education, socio-economic status, nationality, personal
+level of experience, education, socioeconomic status, nationality, personal
 appearance, race, religion, or sexual identity and orientation.
 
 ## Our Standards

README.md

@@ -27,7 +27,7 @@ via simple password. If you need this functionality, be sure to set
 
 Tested on:
 
-* Ubuntu precise, trusty, xenial, bionic, focal, jammy
+* Ubuntu precise, trusty, xenial, bionic, focal, jammy, noble
   * [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
 * Debian wheezy, jessie, stretch, buster, bullseye, bookworm
   * [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)

handlers/main.yml

@@ -10,7 +10,7 @@
     - ansible_connection != 'chroot'
     - ansible_facts['os_family'] != 'AIX'
     - ansible_facts['os_family'] != 'OpenWrt'
-  listen: reload_sshd
+  listen: Reload_sshd
 
 # sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
 # It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
@@ -25,7 +25,7 @@
     stopsrc -s sshd
     until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
     startsrc -s sshd
-  listen: reload_sshd
+  listen: Reload_sshd
   changed_when: false
   when:
     - sshd_allow_reload|bool
@@ -39,4 +39,4 @@
   when:
     - sshd_allow_reload|bool
     - ansible_facts['os_family'] == 'OpenWrt'
-  listen: reload_sshd
+  listen: Reload_sshd

meta/main.yml

@@ -24,8 +24,9 @@ galaxy_info:
         - bionic
         - focal
         - jammy
+        - noble
     - name: FreeBSD
-      version:
+      versions:
         - "10.1"
     - name: EL
       versions:

meta/runtime.yml

@@ -0,0 +1,2 @@
+---
+requires_ansible: ">=2.15.0"

tasks/install.yml

@@ -22,7 +22,7 @@
   when:
     - sshd_sysconfig | bool
     - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
-  notify: reload_sshd
+  notify: Reload_sshd
 
 - name: Check FIPS mode
   ansible.builtin.include_tasks: check_fips.yml

tasks/install_config.yml

@@ -24,7 +24,7 @@
         {{ sshd_binary }} -t -f %s
       {% endif %}
     backup: "{{ sshd_backup }}"
-  notify: reload_sshd
+  notify: Reload_sshd
 
 - name: Make sure the include path is present in the main sshd_config
   ansible.builtin.lineinfile:
@@ -43,7 +43,7 @@
         {{ sshd_binary }} -t -f %s
       {% endif %}
     backup: "{{ sshd_backup }}"
-  notify: reload_sshd
+  notify: Reload_sshd
   when:
     - sshd_main_config_file is not none
     - sshd_config_file | dirname == sshd_main_config_file ~ '.d'

tasks/install_namespace.yml

@@ -21,4 +21,4 @@
         {{ sshd_binary }} -t -f %s
       {% endif %}
     backup: "{{ sshd_backup }}"
-  notify: reload_sshd
+  notify: Reload_sshd

tasks/install_service.yml

@@ -12,7 +12,7 @@
         owner: root
         group: root
         mode: "0644"
-      notify: reload_sshd
+      notify: Reload_sshd
 
     - name: Install instanced service unit file
       ansible.builtin.template:
@@ -21,7 +21,7 @@
         owner: root
         group: root
         mode: "0644"
-      notify: reload_sshd
+      notify: Reload_sshd
       when:
         - __sshd_socket_accept | bool
 
@@ -32,7 +32,7 @@
         owner: root
         group: root
         mode: "0644"
-      notify: reload_sshd
+      notify: Reload_sshd
 
 - name: Service enabled and running
   ansible.builtin.service:

templates/sshd.socket.j2

@@ -14,6 +14,12 @@ Accept=yes
 {% else %}
 Accept=no
 {% endif %}
+{% if __sshd_socket_freebind is not none %}
+FreeBind={{ 'yes' if __sshd_socket_freebind else 'no' }}
+{% endif %}
 
 [Install]
 WantedBy=sockets.target
+{% if __sshd_socket_required_by is not none %}
+RequiredBy={{ __sshd_socket_required_by }}
+{% endif %}

tests/tests_all_options.yml

@@ -93,7 +93,7 @@
           | grep -o '^\(     \|       \)[A-Z][A-Za-z0-9]*\(.\|  \)' \
           | grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
           | awk '{ print $1 }' \
-          | grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\)$"
+          | grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\|Tatu\|Aaron\|Each\)$"
       args:
         executable: /bin/bash
       register: sshd_options

tests/tests_second_service.yml

@@ -94,6 +94,7 @@
         - ansible_facts['service_mgr'] == 'systemd' or
           (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
         - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
+        - not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
       block:
         - name: Read the created instantiated service file
           ansible.builtin.slurp:

tests/tests_second_service_drop_in.yml

@@ -106,6 +106,7 @@
           when:
             - ansible_facts['service_mgr'] == 'systemd'
             - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
+            - not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
           block:
             - name: Read the created instantiated service file
               ansible.builtin.slurp:

tests/tests_systemd_services.yml

@@ -118,6 +118,7 @@
         - ansible_facts['service_mgr'] == 'systemd' or
           (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
         - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
+        - not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
       block:
         - name: Read the distribution instantiated service file
           ansible.builtin.slurp:

vars/Ubuntu_22.yml

@@ -14,6 +14,7 @@ __sshd_defaults:
   Include: /etc/ssh/sshd_config.d/*.conf
   KbdInteractiveAuthentication: false
   UsePAM: true
+  PrintMotd: false
   AcceptEnv: LANG LC_*
   Subsystem: "sftp  /usr/lib/openssh/sftp-server"
 

vars/Ubuntu_24.yml

@@ -0,0 +1,33 @@
+---
+__sshd_os_supported: true
+
+__sshd_service: ssh
+__sshd_packages:
+  - openssh-server
+  - openssh-sftp-server
+# Ubuntu 22.04 shipped with drop-in directory support so we touch
+# just included file with highest priority by default
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_config_mode: "0644"
+# the defaults here represent the defaults shipped in the main sshd_config
+__sshd_defaults:
+  Include: /etc/ssh/sshd_config.d/*.conf
+  KbdInteractiveAuthentication: false
+  UsePAM: true
+  PrintMotd: false
+  AcceptEnv: LANG LC_*
+  Subsystem: "sftp  /usr/lib/openssh/sftp-server"
+
+__sshd_runtime_directory: sshd
+
+__sshd_drop_in_dir_mode: '0755'
+__sshd_main_config_file: /etc/ssh/sshd_config
+
+__sshd_environment_file: /etc/default/ssh
+__sshd_environment_variable: $SSHD_OPTS
+__sshd_service_after: auditd.service
+__sshd_service_alias: sshd
+
+__sshd_socket_accept: false
+__sshd_socket_freebind: true
+__sshd_socket_required_by: ssh.service

vars/main.yml

@@ -87,3 +87,9 @@ __sshd_service_restart_timeout: ~
 
 # The systemd socket file does not accept the connection
 __sshd_socket_accept: true
+
+# Boolean to control if the systemd socket can be bound to non-local IP addresses
+__sshd_socket_freebind: ~
+
+# Space separated list of service names that this socket is required by
+__sshd_socket_required_by: ~