Moves internal non-overridable variables out of defaults

2024-11-04 19:03:29 +01:00 · 2022-08-17 12:05:10 +00:00 · 2022-08-17 12:05:10 +00:00 · db39a733aa
commit db39a733aa
parent d5b2f8df02
8 changed files with 43 additions and 52 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -37,7 +37,6 @@ sshd_sysconfig_override_crypto_policy: false
 # generator
 sshd_sysconfig_use_strong_rng: 0

-
 # Empty dicts to avoid errors
 sshd: {}

@ -47,7 +46,9 @@ sshd_config_file: "{{ __sshd_config_file }}"

 ### VARS DEFAULTS
 ### The following are defaults for OS specific configuration in var files in
-### this role. They should not be set directly by role users.
+### this role. They should not be set directly by role users, unless they know
+### what they are doing, e.g. installing extra packages or installing an
+### alternative SystemD service file
 sshd_packages: "{{ __sshd_packages }}"
 sshd_config_owner: "{{ __sshd_config_owner }}"
 sshd_config_group: "{{ __sshd_config_group }}"
@ -62,10 +63,7 @@ sshd_sftp_server: "{{ __sshd_sftp_server }}"
 # configuration or restarting), we make sure the keys exist and have correct
 # permissions. To disable this check, set sshd_verify_hostkeys to false
 sshd_verify_hostkeys: "auto"
-# The list of hostkeys to check when there are none listed in configuration file.
-# This is usually the case when the selection is up to the OpenSSH defaults or
-# drop-in directory is used.
-__sshd_verify_hostkeys_default: []
+
 sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
 sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
 sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
@ -73,19 +71,3 @@ sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
 # instead of replacing the whole configuration file, just add a specified
 # snippet
 sshd_config_namespace: null
-
-### These variables are used by role internals and should not be used.
-__sshd_defaults: {}
-__sshd_os_supported: no
-__sshd_sysconfig_supports_crypto_policy: false
-__sshd_sysconfig_supports_use_strong_rng: false
-
-__sshd_runtime_directory: false
-__sshd_runtime_directory_mode: "0755"
-
-# If the system supports drop-in directory, it is configured in this variable. It is used
-# to distinguish if we are writing a configuration snippet or we should write defaults.
-__sshd_drop_in_dir: false
-# this is the path to the main sshd_config which is checked for Include directive when
-# drop-in directory is used
-__sshd_main_config_file: false
--- a/tasks/set_common_vars.yml
+++ b/tasks/set_common_vars.yml
@ -1,9 +0,0 @@
---
- name: Ensure ansible_facts used by role
-  ansible.builtin.setup:
-    gather_subset: min
-  when: not ansible_facts.keys() | list |
-    intersect(__sshd_required_facts) == __sshd_required_facts
-
- name: Include common vars
-  ansible.builtin.include_vars: vars/common.yml
--- a/tasks/sshd.yml
+++ b/tasks/sshd.yml
@ -1,7 +1,4 @@
 ---
- name: Set common variables and ensure basic facts are gathered
-  ansible.builtin.include_tasks: set_common_vars.yml
-
 - name: Set platform/version specific variables
  ansible.builtin.include_tasks: variables.yml

--- a/tasks/variables.yml
+++ b/tasks/variables.yml
@ -1,6 +1,9 @@
 ---
- name: Set common vars
-  ansible.builtin.include_vars: vars/common.yml
+- name: Ensure ansible_facts used by role
+  ansible.builtin.setup:
+    gather_subset: min
+  when: not ansible_facts.keys() | list |
+    intersect(__sshd_required_facts) == __sshd_required_facts

 - name: Set OS dependent variables
  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
@ -24,7 +27,7 @@
        - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
-        - default.yml
+        - main.yml  # fallback, vars/main.yml is always loaded by Ansible
      paths:
        - "{{ role_path }}/vars"
        - "{{ playbook_dir }}/vars"
--- a/tests/tasks/restore.yml
+++ b/tests/tasks/restore.yml
@ -26,10 +26,8 @@
    - __sshd_test_backup.path is defined

 - name: Include common variables
-  ansible.builtin.include_role:
-    name: ansible-sshd
-    tasks_from: set_common_vars.yml
-    public: true
+  ansible.builtin.include_vars:
+    file: ../../vars/main.yml

 - name: Restart sshd service
  ansible.builtin.service:
--- a/vars/common.yml
+++ b/vars/common.yml
@ -1,10 +0,0 @@
-__sshd_skip_virt_env:
-  - docker
-  - podman
-  - container
-  - containerd
-  - VirtualPC
-
-__sshd_binary: /usr/sbin/sshd
-__sshd_service: sshd
-__sshd_sftp_server: /usr/lib/openssh/sftp-server
--- a/vars/default.yml
+++ b/vars/default.yml
@ -1 +0,0 @@
---
--- a/vars/main.yml
+++ b/vars/main.yml
@ -14,3 +14,34 @@ __sshd_required_facts:
  - distribution
  - distribution_major_version
  - os_family
+
+__sshd_skip_virt_env:
+  - docker
+  - podman
+  - container
+  - containerd
+  - VirtualPC
+
+__sshd_binary: /usr/sbin/sshd
+__sshd_service: sshd
+__sshd_sftp_server: /usr/lib/openssh/sftp-server
+
+__sshd_defaults: {}
+__sshd_os_supported: no
+__sshd_sysconfig_supports_crypto_policy: false
+__sshd_sysconfig_supports_use_strong_rng: false
+
+__sshd_runtime_directory: false
+__sshd_runtime_directory_mode: "0755"
+
+# If the system supports drop-in directory, it is configured in this variable. It is used
+# to distinguish if we are writing a configuration snippet or we should write defaults.
+__sshd_drop_in_dir: false
+# this is the path to the main sshd_config which is checked for Include directive when
+# drop-in directory is used
+__sshd_main_config_file: false
+
+# The list of hostkeys to check when there are none listed in configuration file.
+# This is usually the case when the selection is up to the OpenSSH defaults or
+# drop-in directory is used.
+__sshd_verify_hostkeys_default: []