fix: Document and streamline the sshd_main_config_file

The option was introduced in 6bb0d7b456
without documentation and intended use. The recent change
f6ae2094fe propagated this option to the
generated service files, which is resulting in unexpected results, when
a user decided to set only `sshd_config_file` for the second sshd
service causing the service file points to the system-wide
configuration file.

This is an attempt to fix this by introducing some heuristics to guess
if the user wants to set up second drop-in directory (ending with .d)
or create a standalone configuration file.

Fixes: #280

README.md

@@ -209,6 +209,19 @@ When this path points to a drop-in directory (like
 with the variable `sshd_main_config_file`) is checked to contain a proper
 `Include` directive.
 
+#### sshd_main_config_file
+
+When the system is using drop-in directory, this option can be used to set
+a path to the main configuration file and let you configure only the drop-in
+configuration file using `sshd_config_file`. This is useful in cases when
+you need to configure second independent sshd service with different
+configuration file. This is also the file used in the service file.
+
+On systems without drop-in directory, it defaults to `None`. Otherwise it
+defaults to `/etc/ssh/sshd_config`. When the `sshd_config_file` is set
+outside of the drop in directory (its parent directory is not
+`sshd_main_config_file` ~ '.d'), this variable is ignored.
+
 #### sshd_config_namespace
 
 By default (*null*), the role defines whole content of the configuration file

meta/10_top.j2

@@ -24,7 +24,7 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif sshd_main_config_file is not none
-       and sshd_config_file | dirname != sshd_main_config_file | dirname %}
+        and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
 {%     if key == 'HostKey' and __sshd_fips_mode %}

tasks/install_config.yml

@@ -6,7 +6,7 @@
     mode: "{{ sshd_drop_in_dir_mode }}"
   when:
     - sshd_main_config_file is not none
-    - sshd_config_file | dirname != sshd_main_config_file | dirname
+    - sshd_config_file | dirname == sshd_main_config_file ~ '.d'
 
 - name: Create the complete configuration file
   ansible.builtin.template:
@@ -46,4 +46,4 @@
   notify: reload_sshd
   when:
     - sshd_main_config_file is not none
-    - sshd_config_file | dirname != sshd_main_config_file | dirname
+    - sshd_config_file | dirname == sshd_main_config_file ~ '.d'

templates/sshd.service.j2

@@ -20,7 +20,8 @@ EnvironmentFile=-{{ file }}
 {%   endfor %}
 {% endif %}
 ExecStartPre={{ sshd_binary }} -t
-ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
+ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f
+{%- if sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {{- sshd_main_config_file }}
 {% else %}
 {{- sshd_config_file }}

templates/sshd@.service.j2

@@ -20,7 +20,8 @@ EnvironmentFile=-{{ __sshd_environment_file }}
 EnvironmentFile=-{{ file }}
 {%   endfor %}
 {% endif %}
-ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
+ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f
+{%- if sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {{- sshd_main_config_file }}
 {% else %}
 {{- sshd_config_file }}

templates/sshd_config.j2

@@ -26,7 +26,7 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif sshd_main_config_file is not none
-       and sshd_config_file | dirname != sshd_main_config_file | dirname %}
+        and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
 {%     if key == 'HostKey' and __sshd_fips_mode %}

templates/sshd_config_snippet.j2

@@ -24,7 +24,7 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif sshd_main_config_file is not none
-       and sshd_config_file | dirname != sshd_main_config_file | dirname %}
+        and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
 {%     if key == 'HostKey' and __sshd_fips_mode %}

tests/tests_systemd_services.yml

@@ -84,7 +84,7 @@
         - name: Verify the ExecStart line contains the configuration file
           ansible.builtin.assert:
             that:
-              - "' -f /etc/ssh/' in service.content | b64decode"
+              - "' -f/etc/ssh/' in service.content | b64decode"
 
         - name: Decode socket file
           ansible.builtin.set_fact:
@@ -154,7 +154,7 @@
         - name: Verify the ExecStart line contains the configuration file
           ansible.builtin.assert:
             that:
-              - "' -f /etc/ssh/' in service_inst.content | b64decode"
+              - "' -f/etc/ssh/' in service_inst.content | b64decode"
 
     - name: "Restore configuration files"
       ansible.builtin.include_tasks: tasks/restore.yml