Update service/socket files to match main OS's defaults
Specifics:
* Debian 12 no longer has the instantiated service using inet; see the
following commit:
0dc73888bb
* I am not matching the Description tag verbatim, as I do not find it
crucial for functionality.
* We generate an additional -f switch for the sshd CLI pointing to the main
sshd config we manage
* The Before=sshd.service in the socket is not generated as I find it
unnecessary when we conflict the service.
* Recent Ubuntu versions have RuntimeDirectoryPreserve option, which I
set for all Ubuntu/Debian as it should not hurt.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
parent
84e6a71509
commit
f6ae2094fe
16 changed files with 153 additions and 4 deletions
|
@ -10,6 +10,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload_sshd
|
notify: reload_sshd
|
||||||
|
|
||||||
- name: Install instanced service unit file
|
- name: Install instanced service unit file
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: "{{ sshd_service_template_at_service }}"
|
src: "{{ sshd_service_template_at_service }}"
|
||||||
|
@ -18,6 +19,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload_sshd
|
notify: reload_sshd
|
||||||
|
when:
|
||||||
|
- __sshd_socket_accept | bool
|
||||||
|
|
||||||
- name: Install socket unit file
|
- name: Install socket unit file
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: "{{ sshd_service_template_socket }}"
|
src: "{{ sshd_service_template_socket }}"
|
||||||
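Review bot: The new `when:` on 'Install instanced service unit file' only skips installing the unit when `__sshd_socket_accept` is false; nothing in either hunk removes an instanced unit left behind by an earlier run with accept enabled, so a host whose vars later switch to `__sshd_socket_accept: false` keeps a stale `ssh@.service` under /etc/systemd/system (unused while the socket renders `Accept=no`, but confusing when auditing what is installed). If that is acceptable, a short comment on the task, `# only needed when the socket unit hands each connection to a template instance (Accept=yes)`, records the dependency; otherwise add a matching `ansible.builtin.file` task with `state: absent` for the not-accept case. The enclosing task list continues outside both hunks.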
|
|
|
@ -1,15 +1,37 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=OpenBSD Secure Shell server
|
Description=OpenBSD Secure Shell server
|
||||||
|
After=network.target{{ (__sshd_service_after is none) | ternary('', ' ' ~ __sshd_service_after) }}
|
||||||
|
{% if __sshd_service_wants is string %}
|
||||||
|
Wants={{ __sshd_service_wants }}
|
||||||
|
{% elif __sshd_service_wants is iterable %}
|
||||||
|
{% for file in __sshd_service_wants %}
|
||||||
|
Wants={{ file }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
Documentation=man:sshd(8) man:sshd_config(5)
|
Documentation=man:sshd(8) man:sshd_config(5)
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
|
{% if __sshd_environment_file is string %}
|
||||||
|
EnvironmentFile=-{{ __sshd_environment_file }}
|
||||||
|
{% elif __sshd_environment_file is iterable %}
|
||||||
|
{% for file in __sshd_environment_file %}
|
||||||
|
EnvironmentFile=-{{ file }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
ExecStartPre={{ sshd_binary }} -t
|
ExecStartPre={{ sshd_binary }} -t
|
||||||
ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }}
|
ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
||||||
|
{{- sshd_main_config_file }}
|
||||||
|
{% else %}
|
||||||
|
{{- sshd_config_file }}
|
||||||
|
{% endif %}
|
||||||
ExecReload={{ sshd_binary }} -t
|
ExecReload={{ sshd_binary }} -t
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
{% if __sshd_service_restart_timeout is not none %}
|
||||||
|
RestartSec={{ __sshd_service_restart_timeout }}
|
||||||
|
{% endif %}
|
||||||
RestartPreventExitStatus=255
|
RestartPreventExitStatus=255
|
||||||
{% if __sshd_runtime_directory is not none %}
|
{% if __sshd_runtime_directory is not none %}
|
||||||
RuntimeDirectory={{ __sshd_runtime_directory }}
|
RuntimeDirectory={{ __sshd_runtime_directory }}
|
||||||
|
@ -18,3 +40,6 @@ RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
{% if __sshd_service_alias is not none %}
|
||||||
|
Alias={{ __sshd_service_alias }}.service
|
||||||
|
{% endif %}
|
||||||
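Review bot: `ExecStartPre={{ sshd_binary }} -t` and `ExecReload={{ sshd_binary }} -t` still test sshd's default config file, while the rewritten `ExecStart` line now runs sshd with `-f` pointing at `sshd_main_config_file` (falling back to `sshd_config_file`); whenever those paths differ, the pre-start check validates a file sshd never reads, so an invalid managed config fails at the real start instead of being caught, or a broken untouched default file blocks a restart of a perfectly valid managed one. Passing the same path to both checks keeps the validation honest: `ExecStartPre={{ sshd_binary }} -t -f {{ sshd_main_config_file if sshd_main_config_file is not none else sshd_config_file }}` and `ExecReload={{ sshd_binary }} -t -f {{ sshd_main_config_file if sshd_main_config_file is not none else sshd_config_file }}`. Whether `{{ __sshd_environment_variable }}` should also be appended to the test invocations depends on what the OS environment files put in `$OPTIONS`/`$SSHD_OPTS`; I would either mirror ExecStart there too or add a comment explaining why the checks run without it.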
|
|
|
@ -1,12 +1,19 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=OpenBSD Secure Shell server socket
|
Description=OpenBSD Secure Shell server socket
|
||||||
Documentation=man:sshd(8) man:sshd_config(5)
|
Documentation=man:sshd(8) man:sshd_config(5)
|
||||||
Before={{ sshd_service }}.service
|
{% if __sshd_socket_accept %}
|
||||||
Conflicts={{ sshd_service }}.service
|
Conflicts={{ sshd_service }}.service
|
||||||
|
{% else %}
|
||||||
|
Before=sockets.target
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[Socket]
|
[Socket]
|
||||||
ListenStream=22
|
ListenStream=22
|
||||||
|
{% if __sshd_socket_accept %}
|
||||||
Accept=yes
|
Accept=yes
|
||||||
|
{% else %}
|
||||||
|
Accept=no
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=sockets.target
|
WantedBy=sockets.target
|
||||||
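Review bot: The two new `{% if __sshd_socket_accept %}` branches (in [Unit] and [Socket]) test plain Jinja truthiness, while the task that installs the instanced unit uses `__sshd_socket_accept | bool`; a value arriving as the string `"false"` (inventory or `-e`) would then install no instanced unit yet still render `Accept=yes` with `Conflicts=`, leaving the socket pointing at a template instance that was never installed. Use `{% if __sshd_socket_accept | bool %}` in both places so the unit files and the task agree. Separately, in the accept branch each connection is handed to its own instance before any listening sshd could apply its own connection throttling, so as far as I can tell a per-source limit would have to come from the socket unit (`MaxConnectionsPerSource=`), which this template does not set; a one-line comment on the branch stating whether that is deliberate would help the next reader.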
|
|
|
@ -1,12 +1,33 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=OpenBSD Secure Shell server per-connection daemon
|
Description=OpenBSD Secure Shell server per-connection daemon
|
||||||
Documentation=man:sshd(8) man:sshd_config(5)
|
Documentation=man:sshd(8) man:sshd_config(5)
|
||||||
After=auditd.service
|
{% if __sshd_service_after is not none %}
|
||||||
|
After={{ __sshd_service_after }}
|
||||||
|
{% endif %}
|
||||||
|
{% if __sshd_service_wants is string %}
|
||||||
|
Wants={{ __sshd_service_wants }}
|
||||||
|
{% elif __sshd_service_wants is iterable %}
|
||||||
|
{% for file in __sshd_service_wants %}
|
||||||
|
Wants={{ file }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
|
{% if __sshd_environment_file is string %}
|
||||||
|
EnvironmentFile=-{{ __sshd_environment_file }}
|
||||||
|
{% elif __sshd_environment_file is iterable %}
|
||||||
|
{% for file in __sshd_environment_file %}
|
||||||
|
EnvironmentFile=-{{ file }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
||||||
|
{{- sshd_main_config_file }}
|
||||||
|
{% else %}
|
||||||
|
{{- sshd_config_file }}
|
||||||
|
{% endif %}
|
||||||
StandardInput=socket
|
StandardInput=socket
|
||||||
{% if __sshd_runtime_directory is not none %}
|
{% if __sshd_runtime_directory is not none %}
|
||||||
RuntimeDirectory={{ __sshd_runtime_directory }}
|
RuntimeDirectory={{ __sshd_runtime_directory }}
|
||||||
|
RuntimeDirectoryPreserve=yes
|
||||||
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
|
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
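Review bot: `RuntimeDirectoryPreserve=yes` is added inside the generic `{% if __sshd_runtime_directory is not none %}` block, so it applies to every platform whose vars set `__sshd_runtime_directory`, not only Ubuntu/Debian as the commit message says; if that is intended, a comment above the line saying why would stop readers from treating it as a Debian-only quirk, e.g. `# presumably: keep the runtime dir when one per-connection instance exits so sibling instances (Accept=yes) still find it`. The replacement of the hard-coded `After=auditd.service` by the `__sshd_service_after` conditional is fine, but note that the instanced unit now gets no `After=` at all on platforms whose vars leave `__sshd_service_after` at its null default; worth a comment if that matches the shipped units.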
|
|
|
@ -45,6 +45,8 @@
|
||||||
- name: Read the instantiated service file
|
- name: Read the instantiated service file
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: /etc/systemd/system/ssh@.service
|
src: /etc/systemd/system/ssh@.service
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution_major_version'] | int < 12
|
||||||
register: service_inst
|
register: service_inst
|
||||||
|
|
||||||
- name: Read the main socket file
|
- name: Read the main socket file
|
||||||
|
@ -57,6 +59,12 @@
|
||||||
that:
|
that:
|
||||||
- '"RuntimeDirectory=sshd" in service.content | b64decode'
|
- '"RuntimeDirectory=sshd" in service.content | b64decode'
|
||||||
- '"RuntimeDirectoryMode=0755" in service.content | b64decode'
|
- '"RuntimeDirectoryMode=0755" in service.content | b64decode'
|
||||||
|
|
||||||
|
- name: Check the runtime directory is in instantiated service files
|
||||||
|
when:
|
||||||
|
- ansible_facts['distribution_major_version'] | int < 12
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
- '"RuntimeDirectory=sshd" in service_inst.content | b64decode'
|
- '"RuntimeDirectory=sshd" in service_inst.content | b64decode'
|
||||||
- '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode'
|
- '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode'
|
||||||
|
|
||||||
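Review bot: Gating 'Read the instantiated service file' and the new 'Check the runtime directory is in instantiated service files' on `ansible_facts['distribution_major_version'] | int < 12` encodes only the Debian 12 change; if this test also runs on Ubuntu (major versions 20/22/24), both tasks are silently skipped there even though only one of the vars files added in this commit sets `__sshd_socket_accept: false` and the others keep the default of true, so the instantiated unit is still expected to exist. Consider `- ansible_facts['distribution'] != 'Debian' or ansible_facts['distribution_major_version'] | int < 12` on both tasks, or gate on `__sshd_socket_accept | bool` directly if the role variable is in scope after the role has run.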
|
|
|
@ -13,3 +13,8 @@ __sshd_defaults:
|
||||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||||
__sshd_os_supported: true
|
__sshd_os_supported: true
|
||||||
__sshd_runtime_directory: sshd
|
__sshd_runtime_directory: sshd
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
|
|
|
@ -14,3 +14,8 @@ __sshd_defaults:
|
||||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||||
__sshd_os_supported: true
|
__sshd_os_supported: true
|
||||||
__sshd_runtime_directory: sshd
|
__sshd_runtime_directory: sshd
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
|
|
|
@ -14,3 +14,9 @@ __sshd_defaults:
|
||||||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||||
__sshd_os_supported: true
|
__sshd_os_supported: true
|
||||||
__sshd_runtime_directory: sshd
|
__sshd_runtime_directory: sshd
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
|
__sshd_socket_accept: false
|
||||||
|
|
|
@ -23,3 +23,11 @@ __sshd_hostkeys_nofips:
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0700'
|
__sshd_drop_in_dir_mode: '0700'
|
||||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/sysconfig/sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS
|
||||||
|
__sshd_service_after: sshd-keygen.target
|
||||||
|
__sshd_service_wants:
|
||||||
|
- sshd-keygen.target
|
||||||
|
- ssh-host-keys-migration.service
|
||||||
|
__sshd_service_restart_timeout: 42s
|
||||||
|
|
|
@ -20,8 +20,15 @@ __sshd_verify_hostkeys_default:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
__sshd_hostkeys_nofips:
|
__sshd_hostkeys_nofips:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
__sshd_hostkey_group: ssh_keys
|
__sshd_hostkey_group: ssh_keys
|
||||||
__sshd_hostkey_mode: "0640"
|
__sshd_hostkey_mode: "0640"
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0700'
|
__sshd_drop_in_dir_mode: '0700'
|
||||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/sysconfig/sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS
|
||||||
|
__sshd_service_after: sshd-keygen.target
|
||||||
|
__sshd_service_wants: sshd-keygen.target
|
||||||
|
__sshd_service_restart_timeout: 42s
|
||||||
|
|
|
@ -31,3 +31,9 @@ __sshd_hostkey_group: ssh_keys
|
||||||
__sshd_hostkey_mode: "0640"
|
__sshd_hostkey_mode: "0640"
|
||||||
__sshd_hostkeys_nofips:
|
__sshd_hostkeys_nofips:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/sysconfig/sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS
|
||||||
|
__sshd_service_after: sshd-keygen.service
|
||||||
|
__sshd_service_wants: sshd-keygen.service
|
||||||
|
__sshd_service_restart_timeout: 42s
|
||||||
|
|
|
@ -33,3 +33,11 @@ __sshd_hostkey_group: ssh_keys
|
||||||
__sshd_hostkey_mode: "0640"
|
__sshd_hostkey_mode: "0640"
|
||||||
__sshd_hostkeys_nofips:
|
__sshd_hostkeys_nofips:
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
- /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
__sshd_environment_file:
|
||||||
|
- /etc/crypto-policies/back-ends/opensshserver.config
|
||||||
|
- /etc/sysconfig/sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS $CRYPTO_POLICY
|
||||||
|
__sshd_service_after: sshd-keygen.target
|
||||||
|
__sshd_service_wants: sshd-keygen.target ssh-host-keys-migration.service
|
||||||
|
__sshd_service_restart_timeout: 42s
|
||||||
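Review bot: `__sshd_service_wants: sshd-keygen.target ssh-host-keys-migration.service` passes two units as one space-separated string, whereas the vars file earlier in this commit (hunk `@ -23,3 +23,11 @@ __sshd_hostkeys_nofips:`) expresses the same pair as a YAML list; both render correctly (the template emits one `Wants=` for a string and one per item for a list), but a reader diffing the two files will wonder whether the difference is meaningful. Prefer the list form here for consistency: `__sshd_service_wants:` / `  - sshd-keygen.target` / `  - ssh-host-keys-migration.service`.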
|
|
|
@ -25,3 +25,9 @@ __sshd_hostkey_mode: "0640"
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0700'
|
__sshd_drop_in_dir_mode: '0700'
|
||||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/sysconfig/sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS
|
||||||
|
__sshd_service_after: sshd-keygen.target
|
||||||
|
__sshd_service_wants: sshd-keygen.target
|
||||||
|
__sshd_service_restart_timeout: 42s
|
||||||
|
|
|
@ -23,3 +23,9 @@ __sshd_runtime_directory: sshd
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0755'
|
__sshd_drop_in_dir_mode: '0755'
|
||||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
# the defaults here represent the defaults shipped in the main sshd_config
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
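Review bot: The comment `# the defaults here represent the defaults shipped in the main sshd_config` at new line 29 (between `__sshd_environment_variable` and `__sshd_service_after`) describes sshd_config defaults, but the lines around it are systemd unit settings; it looks carried over from another vars file, and none of the sibling files added in this commit carry it. Drop it, or replace it with something that describes these keys, e.g. `# systemd unit settings matching the distribution's shipped ssh.service`.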
|
|
|
@ -21,3 +21,8 @@ __sshd_runtime_directory: sshd
|
||||||
|
|
||||||
__sshd_drop_in_dir_mode: '0755'
|
__sshd_drop_in_dir_mode: '0755'
|
||||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
__sshd_environment_file: /etc/default/ssh
|
||||||
|
__sshd_environment_variable: $SSHD_OPTS
|
||||||
|
__sshd_service_after: auditd.service
|
||||||
|
__sshd_service_alias: sshd
|
||||||
|
|
|
@ -64,3 +64,25 @@ __sshd_verify_hostkeys_default: []
|
||||||
# This switch can control if the validate step is supported by the target OS.
|
# This switch can control if the validate step is supported by the target OS.
|
||||||
# This is useful for very old OpenSSH or for tests that generate invalid configurations
|
# This is useful for very old OpenSSH or for tests that generate invalid configurations
|
||||||
__sshd_supports_validate: true
|
__sshd_supports_validate: true
|
||||||
|
|
||||||
|
# The path to an environment file for the SSHD service
|
||||||
|
__sshd_environment_file: ~
|
||||||
|
|
||||||
|
# The variable name we are passing from the environment file as an argument to the sshd
|
||||||
|
__sshd_environment_variable: $OPTIONS
|
||||||
|
|
||||||
|
# The systemd targets that need to be up before starting the service.
|
||||||
|
# The `network.target` is included by default in the main sshd.service (not the instantiated one)
|
||||||
|
__sshd_service_after: ~
|
||||||
|
|
||||||
|
# The systemd service name alias
|
||||||
|
__sshd_service_alias: ~
|
||||||
|
|
||||||
|
# The systemd service wants directive
|
||||||
|
__sshd_service_wants: ~
|
||||||
|
|
||||||
|
# The systemd service RestartSec directive
|
||||||
|
__sshd_service_restart_timeout: ~
|
||||||
|
|
||||||
|
# The systemd socket file does not accept the connection
|
||||||
|
__sshd_socket_accept: true
|
||||||
|
|
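Review bot: The comment `# The systemd socket file does not accept the connection` above `__sshd_socket_accept: true` reads as the opposite of the default: true selects `Accept=yes` in the socket template (one sshd instance per connection via the instanced unit) and false renders `Accept=no` so the main service handles connections itself. Suggested wording: `# true: the socket unit uses Accept=yes and runs the instanced service per connection; false: the socket activates the main service, which accepts connections itself`. `__sshd_environment_file` is documented as 'an environment file', but the RHEL vars in this commit pass a list and both templates accept either form — `# Path, or list of paths, rendered as EnvironmentFile=- (missing files are ignored)` covers both. The `~` nulls work for Ansible, but `null` is the spelling yamllint and most style guides prefer.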