mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-27 21:30:18 +01:00
feat: Ubuntu noble (#290)
* feat: Add support for Ubuntu Noble/24.04 LTS * fix: Add missing PrintMotd to Ubuntu 22.04 * fix(tests): Various linting fixes --------- Co-authored-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
7c76e9d6ce
commit
d4eae954c1
20 changed files with 76 additions and 17 deletions
|
@ -5,6 +5,7 @@ exclude_paths:
|
||||||
- .markdownlint.yaml
|
- .markdownlint.yaml
|
||||||
skip_list:
|
skip_list:
|
||||||
- var-naming[no-role-prefix]
|
- var-naming[no-role-prefix]
|
||||||
|
- meta-runtime[unsupported-version]
|
||||||
mock_roles:
|
mock_roles:
|
||||||
- willshersystems.sshd.ansible-sshd
|
- willshersystems.sshd.ansible-sshd
|
||||||
mock_modules:
|
mock_modules:
|
||||||
|
|
|
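Review bot: The new `- meta-runtime[unsupported-version]` entry in `skip_list` silences the one rule that validates the `requires_ansible` floor this same commit introduces in meta/runtime.yml (`">=2.15.0"`), so ansible-lint will no longer report when that floor drops out of support; presumably the pinned ansible-lint v24.6.0 already complains about it, which is why the skip was added. Skips of version-related rules tend to outlive their reason, so a comment recording the reason and the re-check trigger would help, e.g. `# ansible-lint rejects the requires_ansible floor in meta/runtime.yml; revisit when bumping it`. If the rule was in fact failing, raising the floor rather than skipping the rule is the option that keeps the signal.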
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
repos:
|
repos:
|
||||||
- repo: https://github.com/adrienverge/yamllint.git
|
- repo: https://github.com/adrienverge/yamllint.git
|
||||||
rev: v1.27.1
|
rev: 81e9f98ffd059efe8aa9c1b1a42e5cce61b640c6 # frozen: v1.35.1
|
||||||
hooks:
|
hooks:
|
||||||
- id: yamllint
|
- id: yamllint
|
||||||
files: \.(yaml|yml)$
|
files: \.(yaml|yml)$
|
||||||
types: [file, yaml]
|
types: [file, yaml]
|
||||||
entry: yamllint --strict
|
entry: yamllint --strict
|
||||||
- repo: https://github.com/ansible/ansible-lint.git
|
- repo: https://github.com/ansible/ansible-lint.git
|
||||||
rev: v6.5.2
|
rev: 2d9f1ed1e6d08e1f6a18e50f789ab1580220c7db # frozen: v24.6.0
|
||||||
hooks:
|
hooks:
|
||||||
- id: ansible-lint
|
- id: ansible-lint
|
||||||
files: \.(yaml|yml)$
|
files: \.(yaml|yml)$
|
||||||
|
|
|
@ -4,6 +4,12 @@ ignore: |
|
||||||
/.tox/
|
/.tox/
|
||||||
/.github/
|
/.github/
|
||||||
/tests/roles/
|
/tests/roles/
|
||||||
# skip checking line length
|
|
||||||
rules:
|
rules:
|
||||||
|
comments-indentation: false
|
||||||
|
document-start: disable
|
||||||
line-length: disable
|
line-length: disable
|
||||||
|
braces:
|
||||||
|
max-spaces-inside: 1
|
||||||
|
octal-values:
|
||||||
|
forbid-implicit-octal: true
|
||||||
|
forbid-explicit-octal: true
|
||||||
|
|
|
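Review bot: The new `rules:` entries disable rules in two spellings, `comments-indentation: false` next to `document-start: disable` and the existing `line-length: disable`; yamllint accepts both, but one file should pick one, so `comments-indentation: disable` would match its neighbours. The paired `forbid-implicit-octal: true` and `forbid-explicit-octal: true` together reject every octal integer literal, which is consistent with the role already writing modes as quoted strings (`mode: "0644"`) and is a good guard against the `0644` → `420` trap. A short comment above `octal-values:` stating that modes must be quoted strings would make that requirement explicit for contributors.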
@ -6,7 +6,7 @@ In the interest of fostering an open and welcoming environment, we as
|
||||||
contributors and maintainers pledge to making participation in our project and
|
contributors and maintainers pledge to making participation in our project and
|
||||||
our community a harassment-free experience for everyone, regardless of age, body
|
our community a harassment-free experience for everyone, regardless of age, body
|
||||||
size, disability, ethnicity, sex characteristics, gender identity and expression,
|
size, disability, ethnicity, sex characteristics, gender identity and expression,
|
||||||
level of experience, education, socio-economic status, nationality, personal
|
level of experience, education, socioeconomic status, nationality, personal
|
||||||
appearance, race, religion, or sexual identity and orientation.
|
appearance, race, religion, or sexual identity and orientation.
|
||||||
|
|
||||||
## Our Standards
|
## Our Standards
|
||||||
|
|
|
@ -27,7 +27,7 @@ via simple password. If you need this functionality, be sure to set
|
||||||
|
|
||||||
Tested on:
|
Tested on:
|
||||||
|
|
||||||
* Ubuntu precise, trusty, xenial, bionic, focal, jammy
|
* Ubuntu precise, trusty, xenial, bionic, focal, jammy, noble
|
||||||
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
|
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
|
||||||
* Debian wheezy, jessie, stretch, buster, bullseye, bookworm
|
* Debian wheezy, jessie, stretch, buster, bullseye, bookworm
|
||||||
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
|
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
- ansible_connection != 'chroot'
|
- ansible_connection != 'chroot'
|
||||||
- ansible_facts['os_family'] != 'AIX'
|
- ansible_facts['os_family'] != 'AIX'
|
||||||
- ansible_facts['os_family'] != 'OpenWrt'
|
- ansible_facts['os_family'] != 'OpenWrt'
|
||||||
listen: reload_sshd
|
listen: Reload_sshd
|
||||||
|
|
||||||
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
|
||||||
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
|
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
stopsrc -s sshd
|
stopsrc -s sshd
|
||||||
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
|
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
|
||||||
startsrc -s sshd
|
startsrc -s sshd
|
||||||
listen: reload_sshd
|
listen: Reload_sshd
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when:
|
when:
|
||||||
- sshd_allow_reload|bool
|
- sshd_allow_reload|bool
|
||||||
|
@ -39,4 +39,4 @@
|
||||||
when:
|
when:
|
||||||
- sshd_allow_reload|bool
|
- sshd_allow_reload|bool
|
||||||
- ansible_facts['os_family'] == 'OpenWrt'
|
- ansible_facts['os_family'] == 'OpenWrt'
|
||||||
listen: reload_sshd
|
listen: Reload_sshd
|
||||||
|
|
|
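Review bot: Changing `listen: reload_sshd` to `listen: Reload_sshd` on the three handlers in this section alters the name external playbooks use to notify the role's reload handler; handler and listen names are case-sensitive, and as far as I recall an unmatched `notify` is reported as an error at runtime rather than ignored, so any out-of-tree `notify: reload_sshd` breaks with this release. The in-role `notify:` sites are updated in the other hunks of this commit, but nothing on the page documents the rename for users. Since `listen` accepts a list, a compatibility alias costs one line per handler, `listen: [Reload_sshd, reload_sshd]`, and a changelog entry should name the new handler name either way. The handler tasks themselves start outside these hunks.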
@ -24,8 +24,9 @@ galaxy_info:
|
||||||
- bionic
|
- bionic
|
||||||
- focal
|
- focal
|
||||||
- jammy
|
- jammy
|
||||||
|
- noble
|
||||||
- name: FreeBSD
|
- name: FreeBSD
|
||||||
version:
|
versions:
|
||||||
- "10.1"
|
- "10.1"
|
||||||
- name: EL
|
- name: EL
|
||||||
versions:
|
versions:
|
||||||
|
|
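Review bot: The `version:` → `versions:` change under `- name: FreeBSD` is a correctness fix rather than part of the noble addition: with the misspelled key the FreeBSD entry presumably carried no recognised versions in the Galaxy metadata. The commit title and description do not mention it, so it is easy to lose in a changelog that only says "Ubuntu noble". A `* fix: correct FreeBSD platform key in meta/main.yml` line in the description, or a changelog entry, would record it.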
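--- /dev/null
+++ b/meta/runtime.yml
@@ -0,0 +1,2 @@
+---
+requires_ansible: ">=2.15.0"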
@ -22,7 +22,7 @@
|
||||||
when:
|
when:
|
||||||
- sshd_sysconfig | bool
|
- sshd_sysconfig | bool
|
||||||
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
|
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
|
|
||||||
- name: Check FIPS mode
|
- name: Check FIPS mode
|
||||||
ansible.builtin.include_tasks: check_fips.yml
|
ansible.builtin.include_tasks: check_fips.yml
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
{{ sshd_binary }} -t -f %s
|
{{ sshd_binary }} -t -f %s
|
||||||
{% endif %}
|
{% endif %}
|
||||||
backup: "{{ sshd_backup }}"
|
backup: "{{ sshd_backup }}"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
|
|
||||||
- name: Make sure the include path is present in the main sshd_config
|
- name: Make sure the include path is present in the main sshd_config
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
|
@ -43,7 +43,7 @@
|
||||||
{{ sshd_binary }} -t -f %s
|
{{ sshd_binary }} -t -f %s
|
||||||
{% endif %}
|
{% endif %}
|
||||||
backup: "{{ sshd_backup }}"
|
backup: "{{ sshd_backup }}"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
when:
|
when:
|
||||||
- sshd_main_config_file is not none
|
- sshd_main_config_file is not none
|
||||||
- sshd_config_file | dirname == sshd_main_config_file ~ '.d'
|
- sshd_config_file | dirname == sshd_main_config_file ~ '.d'
|
||||||
|
|
|
@ -21,4 +21,4 @@
|
||||||
{{ sshd_binary }} -t -f %s
|
{{ sshd_binary }} -t -f %s
|
||||||
{% endif %}
|
{% endif %}
|
||||||
backup: "{{ sshd_backup }}"
|
backup: "{{ sshd_backup }}"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
|
|
||||||
- name: Install instanced service unit file
|
- name: Install instanced service unit file
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
|
@ -21,7 +21,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
when:
|
when:
|
||||||
- __sshd_socket_accept | bool
|
- __sshd_socket_accept | bool
|
||||||
|
|
||||||
|
@ -32,7 +32,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload_sshd
|
notify: Reload_sshd
|
||||||
|
|
||||||
- name: Service enabled and running
|
- name: Service enabled and running
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
|
|
|
@ -14,6 +14,12 @@ Accept=yes
|
||||||
{% else %}
|
{% else %}
|
||||||
Accept=no
|
Accept=no
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if __sshd_socket_freebind is not none %}
|
||||||
|
FreeBind={{ 'yes' if __sshd_socket_freebind else 'no' }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=sockets.target
|
WantedBy=sockets.target
|
||||||
|
{% if __sshd_socket_required_by is not none %}
|
||||||
|
RequiredBy={{ __sshd_socket_required_by }}
|
||||||
|
{% endif %}
|
||||||
|
|
|
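Review bot: The new `FreeBind={{ 'yes' if __sshd_socket_freebind else 'no' }}` line tests the raw truthiness of the variable, whereas the tasks in this same commit normalise the sibling variable with a filter (`__sshd_socket_accept | bool`); a string override such as `"no"` would therefore render `FreeBind=yes`. Because `FreeBind=yes` lets the socket bind to an address that is not yet configured on the host, an unintended yes widens where sshd listens, so the coercion matters: `FreeBind={{ 'yes' if __sshd_socket_freebind | bool else 'no' }}`. The `RequiredBy={{ __sshd_socket_required_by }}` line is rendered verbatim; the vars/main.yml hunk documents it as a space-separated list of unit names, and a matching comment in the template (`{# space-separated unit names, see vars/main.yml #}`) would keep the two in step.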
@ -93,7 +93,7 @@
|
||||||
| grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \
|
| grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \
|
||||||
| grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
|
| grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
|
||||||
| awk '{ print $1 }' \
|
| awk '{ print $1 }' \
|
||||||
| grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\)$"
|
| grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\|Tatu\|Aaron\|Each\)$"
|
||||||
args:
|
args:
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
register: sshd_options
|
register: sshd_options
|
||||||
|
|
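Review bot: The extended `grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\|Tatu\|Aaron\|Each\)$"` is a hand-maintained exclusion list with no comment saying what these words are; they look like capitalised first words of prose lines (author names, sentence starts) that the preceding `grep -o` picks up alongside real option names, but that is an inference. Each new OpenSSH release can add another false positive, so a comment above the pipeline would help the next person extend it, e.g. `# drop capitalised prose words that the option-name regex also matches`. The task this pipeline belongs to starts outside the hunk.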
|
@ -94,6 +94,7 @@
|
||||||
- ansible_facts['service_mgr'] == 'systemd' or
|
- ansible_facts['service_mgr'] == 'systemd' or
|
||||||
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
|
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
|
||||||
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
||||||
|
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
|
||||||
block:
|
block:
|
||||||
- name: Read the created instantiated service file
|
- name: Read the created instantiated service file
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
|
|
|
@ -106,6 +106,7 @@
|
||||||
when:
|
when:
|
||||||
- ansible_facts['service_mgr'] == 'systemd'
|
- ansible_facts['service_mgr'] == 'systemd'
|
||||||
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
||||||
|
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
|
||||||
block:
|
block:
|
||||||
- name: Read the created instantiated service file
|
- name: Read the created instantiated service file
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
|
|
|
@ -118,6 +118,7 @@
|
||||||
- ansible_facts['service_mgr'] == 'systemd' or
|
- ansible_facts['service_mgr'] == 'systemd' or
|
||||||
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
|
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
|
||||||
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
|
||||||
|
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
|
||||||
block:
|
block:
|
||||||
- name: Read the distribution instantiated service file
|
- name: Read the distribution instantiated service file
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
|
|
|
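Review bot: The added `- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))` is repeated verbatim in all three `when:` lists of this section with no explanation of why 24.04 and later are skipped; presumably the instantiated-service checks do not apply because the new vars/Ubuntu_24.yml sets `__sshd_socket_accept: false`, but the test file does not say so. Note also that the condition excludes every future Ubuntu release, not just noble, which is fine if that is the intent. A one-line comment above the first occurrence, `# Ubuntu 24.04+ does not use the instantiated sshd@ service, see vars/Ubuntu_24.yml`, or a single boolean fact set once and referenced in the three `when:` lists, would remove the repetition. The enclosing blocks continue outside each hunk.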
@ -14,6 +14,7 @@ __sshd_defaults:
|
||||||
Include: /etc/ssh/sshd_config.d/*.conf
|
Include: /etc/ssh/sshd_config.d/*.conf
|
||||||
KbdInteractiveAuthentication: false
|
KbdInteractiveAuthentication: false
|
||||||
UsePAM: true
|
UsePAM: true
|
||||||
|
PrintMotd: false
|
||||||
AcceptEnv: LANG LC_*
|
AcceptEnv: LANG LC_*
|
||||||
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||||
|
|
||||||
|
|
33
vars/Ubuntu_24.yml
Normal file
33
vars/Ubuntu_24.yml
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
__sshd_os_supported: true
|
||||||
|
|
||||||
|
__sshd_service: ssh
|
||||||
|
__sshd_packages:
|
||||||
|
- openssh-server
|
||||||
|
- openssh-sftp-server
|
||||||
|
# Ubuntu 22.04 shipped with drop-in directory support so we touch
|
||||||
|
# just included file with highest priority by default
|
||||||
|
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
|
||||||
|
__sshd_config_mode: "0644"
|
||||||
|
# the defaults here represent the defaults shipped in the main sshd_config
|
||||||
|
__sshd_defaults:
|
||||||
|
Include: /etc/ssh/sshd_config.d/*.conf
|
||||||
|
KbdInteractiveAuthentication: false
|
||||||
|
UsePAM: true
|
||||||
|
PrintMotd: false
|
||||||
|
AcceptEnv: LANG LC_*
|
||||||
|
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||||
|
|
||||||
|
__sshd_runtime_directory: sshd
|
||||||
|
|
||||||
|
__sshd_drop_in_dir_mode: '0755'
|
||||||
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
|
|
||||||
|
__sshd_socket_accept: false
|
||||||
|
__sshd_socket_freebind: true
|
||||||
|
__sshd_socket_required_by: ssh.service
|
|
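Review bot: The comment `# Ubuntu 22.04 shipped with drop-in directory support so we touch` appears verbatim in the new vars/Ubuntu_24.yml, where it reads as stale; `# Ubuntu 24.04 ships with drop-in directory support so we touch` (or a note that the layout is unchanged since 22.04) would match the file. The file also mixes quote styles for the two mode strings, `__sshd_config_mode: "0644"` and `__sshd_drop_in_dir_mode: '0755'`; both are correctly quoted, so only consistency is at stake. Finally, `__sshd_socket_freebind: true` changes how the listener binds (it allows binding to an address not yet present on the host), so a short comment stating that this mirrors the distribution's own ssh.socket, if that is the reason, would justify the non-default to reviewers.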
@ -87,3 +87,9 @@ __sshd_service_restart_timeout: ~
|
||||||
|
|
||||||
# The systemd socket file does not accept the connection
|
# The systemd socket file does not accept the connection
|
||||||
__sshd_socket_accept: true
|
__sshd_socket_accept: true
|
||||||
|
|
||||||
|
# Boolean to control if the systemd socket can be bound to non-local IP addresses
|
||||||
|
__sshd_socket_freebind: ~
|
||||||
|
|
||||||
|
# Space separated list of service names that this socket is required by
|
||||||
|
__sshd_socket_required_by: ~
|
||||||
|
|
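Review bot: The new `__sshd_socket_freebind: ~` and `__sshd_socket_required_by: ~` defaults are null, and per the template hunk in this commit a null value omits the corresponding directive from the unit entirely, but the comments above them only describe the non-null meaning. Making that explicit avoids readers assuming null means "no", e.g. `# Boolean to control if the systemd socket can be bound to non-local IP addresses; null omits FreeBind= (systemd default)` and `# Space separated list of service names that this socket is required by; null omits RequiredBy=`. The `~` spelling matches the existing `__sshd_service_restart_timeout: ~` in this file, so it is consistent here even though `null` is the more portable form.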