mirror of
https://github.com/willshersystems/ansible-sshd
synced 2024-11-24 20:10:20 +01:00
fix: Document and streamline the sshd_main_config_file
The option was introduced in6bb0d7b456
without documentation and intended use. The recent changef6ae2094fe
propagated this option to the generated service files, which is resulting in unexpected results, when a user decided to set only `sshd_config_file` for the second sshd service causing the service file points to the system-wide configuration file. This is an attempt to fix this by introducing some heuristics to guess if the user wants to set up second drop-in directory (ending with .d) or create a standalone configuration file. Fixes: #280
This commit is contained in:
parent
683c07e633
commit
e83cb52ded
8 changed files with 24 additions and 9 deletions
13
README.md
13
README.md
|
@ -209,6 +209,19 @@ When this path points to a drop-in directory (like
|
||||||
with the variable `sshd_main_config_file`) is checked to contain a proper
|
with the variable `sshd_main_config_file`) is checked to contain a proper
|
||||||
`Include` directive.
|
`Include` directive.
|
||||||
|
|
||||||
|
#### sshd_main_config_file
|
||||||
|
|
||||||
|
When the system is using drop-in directory, this option can be used to set
|
||||||
|
a path to the main configuration file and let you configure only the drop-in
|
||||||
|
configuration file using `sshd_config_file`. This is useful in cases when
|
||||||
|
you need to configure second independent sshd service with different
|
||||||
|
configuration file. This is also the file used in the service file.
|
||||||
|
|
||||||
|
On systems without drop-in directory, it defaults to `None`. Otherwise it
|
||||||
|
defaults to `/etc/ssh/sshd_config`. When the `sshd_config_file` is set
|
||||||
|
outside of the drop in directory (its parent directory is not
|
||||||
|
`sshd_main_config_file` ~ '.d'), this variable is ignored.
|
||||||
|
|
||||||
#### sshd_config_namespace
|
#### sshd_config_namespace
|
||||||
|
|
||||||
By default (*null*), the role defines whole content of the configuration file
|
By default (*null*), the role defines whole content of the configuration file
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname != sshd_main_config_file | dirname %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
mode: "{{ sshd_drop_in_dir_mode }}"
|
mode: "{{ sshd_drop_in_dir_mode }}"
|
||||||
when:
|
when:
|
||||||
- sshd_main_config_file is not none
|
- sshd_main_config_file is not none
|
||||||
- sshd_config_file | dirname != sshd_main_config_file | dirname
|
- sshd_config_file | dirname == sshd_main_config_file ~ '.d'
|
||||||
|
|
||||||
- name: Create the complete configuration file
|
- name: Create the complete configuration file
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
|
@ -46,4 +46,4 @@
|
||||||
notify: reload_sshd
|
notify: reload_sshd
|
||||||
when:
|
when:
|
||||||
- sshd_main_config_file is not none
|
- sshd_main_config_file is not none
|
||||||
- sshd_config_file | dirname != sshd_main_config_file | dirname
|
- sshd_config_file | dirname == sshd_main_config_file ~ '.d'
|
||||||
|
|
|
@ -20,7 +20,8 @@ EnvironmentFile=-{{ file }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ExecStartPre={{ sshd_binary }} -t
|
ExecStartPre={{ sshd_binary }} -t
|
||||||
ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f
|
||||||
|
{%- if sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{{- sshd_main_config_file }}
|
{{- sshd_main_config_file }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{{- sshd_config_file }}
|
{{- sshd_config_file }}
|
||||||
|
|
|
@ -20,7 +20,8 @@ EnvironmentFile=-{{ __sshd_environment_file }}
|
||||||
EnvironmentFile=-{{ file }}
|
EnvironmentFile=-{{ file }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f
|
||||||
|
{%- if sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{{- sshd_main_config_file }}
|
{{- sshd_main_config_file }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{{- sshd_config_file }}
|
{{- sshd_config_file }}
|
||||||
|
|
|
@ -26,7 +26,7 @@
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname != sshd_main_config_file | dirname %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
{% elif sshd[key] is defined %}
|
{% elif sshd[key] is defined %}
|
||||||
{% set value = sshd[key] %}
|
{% set value = sshd[key] %}
|
||||||
{% elif sshd_main_config_file is not none
|
{% elif sshd_main_config_file is not none
|
||||||
and sshd_config_file | dirname != sshd_main_config_file | dirname %}
|
and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
|
||||||
{# Do not use the defaults from main file to avoid recursion #}
|
{# Do not use the defaults from main file to avoid recursion #}
|
||||||
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
|
||||||
{% if key == 'HostKey' and __sshd_fips_mode %}
|
{% if key == 'HostKey' and __sshd_fips_mode %}
|
||||||
|
|
|
@ -84,7 +84,7 @@
|
||||||
- name: Verify the ExecStart line contains the configuration file
|
- name: Verify the ExecStart line contains the configuration file
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "' -f /etc/ssh/' in service.content | b64decode"
|
- "' -f/etc/ssh/' in service.content | b64decode"
|
||||||
|
|
||||||
- name: Decode socket file
|
- name: Decode socket file
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
|
@ -154,7 +154,7 @@
|
||||||
- name: Verify the ExecStart line contains the configuration file
|
- name: Verify the ExecStart line contains the configuration file
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "' -f /etc/ssh/' in service_inst.content | b64decode"
|
- "' -f/etc/ssh/' in service_inst.content | b64decode"
|
||||||
|
|
||||||
- name: "Restore configuration files"
|
- name: "Restore configuration files"
|
||||||
ansible.builtin.include_tasks: tasks/restore.yml
|
ansible.builtin.include_tasks: tasks/restore.yml
|
||||||
|
|
Loading…
Reference in a new issue