Update service/socket files to match main OS's defaults
Specifics:
* Debian 12 no longer has the instantiated service using inet, see the
following commit:
0dc73888bb
* I am not matching the Description tag verbatim as I do not find it
crucial for functionality.
* We generate an additional -f switch to the sshd CLI pointing to the main
sshd config we manage
* The Before=sshd.service in the socket is not generated as I find it
unnecessary when we conflict the service.
* Recent Ubuntu versions have the RuntimeDirectoryPreserve option, which I
set for all Ubuntu/Debian as it should not hurt.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
parent
84e6a71509
commit
f6ae2094fe
16 changed files with 153 additions and 4 deletions
|
@ -10,6 +10,7 @@
|
|||
group: root
|
||||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
|
||||
- name: Install instanced service unit file
|
||||
ansible.builtin.template:
|
||||
src: "{{ sshd_service_template_at_service }}"
|
||||
|
@ -18,6 +19,9 @@
|
|||
group: root
|
||||
mode: "0644"
|
||||
notify: reload_sshd
|
||||
when:
|
||||
- __sshd_socket_accept | bool
|
||||
|
||||
- name: Install socket unit file
|
||||
ansible.builtin.template:
|
||||
src: "{{ sshd_service_template_socket }}"
|
||||
|
|
|
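Review bot: Installing the instanced unit is now gated on `__sshd_socket_accept | bool`, but nothing in these hunks removes an `ssh@.service` that an earlier run of the role dropped under `/etc/systemd/system/` before the flag existed; on Debian 12, where the vars file in this commit sets the flag to `false`, that stale unit is left behind as state the role no longer owns. If no cleanup task exists outside the hunk, add an `ansible.builtin.file` task with `state: absent` on the instanced unit's `dest` (the `dest` line is outside the hunk) under the inverse condition, or say in the task name that an existing unit is intentionally left in place. The task list continues outside both hunks.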
@ -1,15 +1,37 @@
|
|||
[Unit]
|
||||
Description=OpenBSD Secure Shell server
|
||||
After=network.target{{ (__sshd_service_after is none) | ternary('', ' ' ~ __sshd_service_after) }}
|
||||
{% if __sshd_service_wants is string %}
|
||||
Wants={{ __sshd_service_wants }}
|
||||
{% elif __sshd_service_wants is iterable %}
|
||||
{% for file in __sshd_service_wants %}
|
||||
Wants={{ file }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
{% if __sshd_environment_file is string %}
|
||||
EnvironmentFile=-{{ __sshd_environment_file }}
|
||||
{% elif __sshd_environment_file is iterable %}
|
||||
{% for file in __sshd_environment_file %}
|
||||
EnvironmentFile=-{{ file }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
ExecStartPre={{ sshd_binary }} -t
|
||||
ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }}
|
||||
ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
||||
{{- sshd_main_config_file }}
|
||||
{% else %}
|
||||
{{- sshd_config_file }}
|
||||
{% endif %}
|
||||
ExecReload={{ sshd_binary }} -t
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
{% if __sshd_service_restart_timeout is not none %}
|
||||
RestartSec={{ __sshd_service_restart_timeout }}
|
||||
{% endif %}
|
||||
RestartPreventExitStatus=255
|
||||
{% if __sshd_runtime_directory is not none %}
|
||||
RuntimeDirectory={{ __sshd_runtime_directory }}
|
||||
|
@ -18,3 +40,6 @@ RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
|
|||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
{% if __sshd_service_alias is not none %}
|
||||
Alias={{ __sshd_service_alias }}.service
|
||||
{% endif %}
|
||||
|
|
|
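Review bot: `ExecStartPre={{ sshd_binary }} -t` and `ExecReload={{ sshd_binary }} -t` validate sshd's compiled-in default config, while the new `ExecStart=` line starts the daemon with `-f` pointing at `sshd_main_config_file` or `sshd_config_file`; whenever that path is not the compiled-in default, the pre-start and pre-reload checks validate a different file from the one sshd actually loads, so a broken or weakened managed config can still come up. The vars files in this commit set `__sshd_main_config_file: /etc/ssh/sshd_config`, so this only bites with an overridden path or when `sshd_main_config_file` is none, but the unit should test exactly what it runs. Resolve the path once in a `{% set %}` at the top of the template and pass `-f` to all three invocations; the same `{% if sshd_main_config_file is not none %}…{% endif %}` block is repeated in the instantiated unit template further down and would benefit from the same treatment. The `{{- …}}` lines currently depend on the template module's default `trim_blocks` to keep the value on the `ExecStart=` line, which the single-expression form avoids.
```jinja
{# Resolve once which config sshd is started with, so -t validates the same file #}
{% set __sshd_unit_config = sshd_main_config_file if sshd_main_config_file is not none else sshd_config_file %}
[Unit]
{# … unchanged: Description=, After=, Wants=, Documentation=, Type=, EnvironmentFile= lines … #}
ExecStartPre={{ sshd_binary }} -t -f {{ __sshd_unit_config }}
ExecStart={{ sshd_binary }} -D {{ __sshd_environment_variable }} -f {{ __sshd_unit_config }}
ExecReload={{ sshd_binary }} -t -f {{ __sshd_unit_config }}
{# … unchanged: ExecReload=/bin/kill, KillMode=, Restart= and the rest … #}
```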
@ -1,12 +1,19 @@
|
|||
[Unit]
|
||||
Description=OpenBSD Secure Shell server socket
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
Before={{ sshd_service }}.service
|
||||
{% if __sshd_socket_accept %}
|
||||
Conflicts={{ sshd_service }}.service
|
||||
{% else %}
|
||||
Before=sockets.target
|
||||
{% endif %}
|
||||
|
||||
[Socket]
|
||||
ListenStream=22
|
||||
{% if __sshd_socket_accept %}
|
||||
Accept=yes
|
||||
{% else %}
|
||||
Accept=no
|
||||
{% endif %}
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
|
|
|
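Review bot: `ListenStream=22` stays fixed while the new `Accept=no` branch, as I understand Debian 12's stock units, hands this socket to the single `{{ sshd_service }}.service` daemon; on that path the listening port and bind address come from the socket unit, so a `Port` or `ListenAddress` set in the managed sshd_config no longer takes effect and a deliberately restricted listener can end up on all interfaces, port 22. If the role already exposes the port it writes into sshd_config, render it here; otherwise add `{# With Accept=no the daemon inherits this socket: Port/ListenAddress in sshd_config do not apply #}` above `ListenStream=` so operators know which setting wins. The claim about socket inheritance is inferred from Debian's units rather than from anything in this hunk, so worth confirming on a Debian 12 host before relying on it.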
@ -1,12 +1,33 @@
|
|||
[Unit]
|
||||
Description=OpenBSD Secure Shell server per-connection daemon
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
After=auditd.service
|
||||
{% if __sshd_service_after is not none %}
|
||||
After={{ __sshd_service_after }}
|
||||
{% endif %}
|
||||
{% if __sshd_service_wants is string %}
|
||||
Wants={{ __sshd_service_wants }}
|
||||
{% elif __sshd_service_wants is iterable %}
|
||||
{% for file in __sshd_service_wants %}
|
||||
Wants={{ file }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
[Service]
|
||||
ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
|
||||
{% if __sshd_environment_file is string %}
|
||||
EnvironmentFile=-{{ __sshd_environment_file }}
|
||||
{% elif __sshd_environment_file is iterable %}
|
||||
{% for file in __sshd_environment_file %}
|
||||
EnvironmentFile=-{{ file }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
ExecStart=-{{ sshd_binary }} -i {{ __sshd_environment_variable }} -f {% if sshd_main_config_file is not none %}
|
||||
{{- sshd_main_config_file }}
|
||||
{% else %}
|
||||
{{- sshd_config_file }}
|
||||
{% endif %}
|
||||
StandardInput=socket
|
||||
{% if __sshd_runtime_directory is not none %}
|
||||
RuntimeDirectory={{ __sshd_runtime_directory }}
|
||||
RuntimeDirectoryPreserve=yes
|
||||
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
|
||||
{% endif %}
|
||||
|
|
|
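Review bot: `After=auditd.service` is hard-coded near the top while the lines below also emit `After={{ __sshd_service_after }}`, which the Debian vars files in this commit set to `auditd.service`; if that hard-coded line is a kept context line rather than one of the two removed lines this hunk accounts for, Debian renders the directive twice (harmless to systemd, but the variable should be the single source). The `-f` config selection wrapped in `{% if sshd_main_config_file is not none %}…{% endif %}` is copied verbatim from the main service template; a single expression such as `-f {{ sshd_main_config_file if sshd_main_config_file is not none else sshd_config_file }}` keeps both units in step and drops the reliance on `{{-` whitespace control. Since the per-connection `ExecStart=-` runs no `-t` check, the main unit's validation is the only gate on this config, so the two templates must agree on the path.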
@ -45,6 +45,8 @@
|
|||
- name: Read the instantiated service file
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/systemd/system/ssh@.service
|
||||
when:
|
||||
- ansible_facts['distribution_major_version'] | int < 12
|
||||
register: service_inst
|
||||
|
||||
- name: Read the main socket file
|
||||
|
@ -57,6 +59,12 @@
|
|||
that:
|
||||
- '"RuntimeDirectory=sshd" in service.content | b64decode'
|
||||
- '"RuntimeDirectoryMode=0755" in service.content | b64decode'
|
||||
|
||||
- name: Check the runtime directory is in instantiated service files
|
||||
when:
|
||||
- ansible_facts['distribution_major_version'] | int < 12
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- '"RuntimeDirectory=sshd" in service_inst.content | b64decode'
|
||||
- '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode'
|
||||
|
||||
|
|
|
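Review bot: The `when:` guard `ansible_facts['distribution_major_version'] | int < 12` on both the slurp and the new assert selects on version number alone; on Ubuntu, whose major versions are all above 12, it is false, so the instantiated-service assertions are skipped there even though the Ubuntu vars files in this commit leave `__sshd_socket_accept` at its default of `true` and the role still installs `ssh@.service`. Condition on the distribution as well, e.g. `- ansible_facts['distribution'] != 'Debian' or ansible_facts['distribution_major_version'] | int < 12`, so the check tracks where the instanced unit is actually deployed. The enclosing play and any top-level `when` are outside the hunk, so the file may already be Debian-only; if it is, a one-line comment next to the guard saying so would settle it.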
@ -13,3 +13,8 @@ __sshd_defaults:
|
|||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: sshd
|
||||
|
||||
__sshd_environment_file: /etc/default/ssh
|
||||
__sshd_environment_variable: $SSHD_OPTS
|
||||
__sshd_service_after: auditd.service
|
||||
__sshd_service_alias: sshd
|
||||
|
|
|
@ -14,3 +14,8 @@ __sshd_defaults:
|
|||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: sshd
|
||||
|
||||
__sshd_environment_file: /etc/default/ssh
|
||||
__sshd_environment_variable: $SSHD_OPTS
|
||||
__sshd_service_after: auditd.service
|
||||
__sshd_service_alias: sshd
|
||||
|
|
|
@ -14,3 +14,9 @@ __sshd_defaults:
|
|||
Subsystem: "sftp {{ __sshd_sftp_server }}"
|
||||
__sshd_os_supported: true
|
||||
__sshd_runtime_directory: sshd
|
||||
|
||||
__sshd_environment_file: /etc/default/ssh
|
||||
__sshd_environment_variable: $SSHD_OPTS
|
||||
__sshd_service_after: auditd.service
|
||||
__sshd_service_alias: sshd
|
||||
__sshd_socket_accept: false
|
||||
|
|
|
@ -23,3 +23,11 @@ __sshd_hostkeys_nofips:
|
|||
|
||||
__sshd_drop_in_dir_mode: '0700'
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
||||
__sshd_environment_file: /etc/sysconfig/sshd
|
||||
__sshd_environment_variable: $OPTIONS
|
||||
__sshd_service_after: sshd-keygen.target
|
||||
__sshd_service_wants:
|
||||
- sshd-keygen.target
|
||||
- ssh-host-keys-migration.service
|
||||
__sshd_service_restart_timeout: 42s
|
||||
|
|
|
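Review bot: `__sshd_service_wants` is a two-item list here, whereas the other vars files in this commit give it either a single plain string or a space-separated string (`sshd-keygen.target ssh-host-keys-migration.service` in one sibling file); the templates accept both via the `is string` / `is iterable` branches, so the rendered units are equivalent, but the same variable now has two spellings and the defaults file documents neither. Use the list form everywhere (one `Wants=` per line is what systemd reads from the space-separated form anyway) and add `# list of unit names` above `__sshd_service_wants: ~` in the defaults. The same split applies to `__sshd_environment_file`, which is a list in one sibling file and a string in the others.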
@ -20,8 +20,15 @@ __sshd_verify_hostkeys_default:
|
|||
- /etc/ssh/ssh_host_ed25519_key
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
__sshd_hostkey_group: ssh_keys
|
||||
__sshd_hostkey_mode: "0640"
|
||||
|
||||
__sshd_drop_in_dir_mode: '0700'
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
||||
__sshd_environment_file: /etc/sysconfig/sshd
|
||||
__sshd_environment_variable: $OPTIONS
|
||||
__sshd_service_after: sshd-keygen.target
|
||||
__sshd_service_wants: sshd-keygen.target
|
||||
__sshd_service_restart_timeout: 42s
|
||||
|
|
|
@ -31,3 +31,9 @@ __sshd_hostkey_group: ssh_keys
|
|||
__sshd_hostkey_mode: "0640"
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
__sshd_environment_file: /etc/sysconfig/sshd
|
||||
__sshd_environment_variable: $OPTIONS
|
||||
__sshd_service_after: sshd-keygen.service
|
||||
__sshd_service_wants: sshd-keygen.service
|
||||
__sshd_service_restart_timeout: 42s
|
||||
|
|
|
@ -33,3 +33,11 @@ __sshd_hostkey_group: ssh_keys
|
|||
__sshd_hostkey_mode: "0640"
|
||||
__sshd_hostkeys_nofips:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
__sshd_environment_file:
|
||||
- /etc/crypto-policies/back-ends/opensshserver.config
|
||||
- /etc/sysconfig/sshd
|
||||
__sshd_environment_variable: $OPTIONS $CRYPTO_POLICY
|
||||
__sshd_service_after: sshd-keygen.target
|
||||
__sshd_service_wants: sshd-keygen.target ssh-host-keys-migration.service
|
||||
__sshd_service_restart_timeout: 42s
|
||||
|
|
|
@ -25,3 +25,9 @@ __sshd_hostkey_mode: "0640"
|
|||
|
||||
__sshd_drop_in_dir_mode: '0700'
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
||||
__sshd_environment_file: /etc/sysconfig/sshd
|
||||
__sshd_environment_variable: $OPTIONS
|
||||
__sshd_service_after: sshd-keygen.target
|
||||
__sshd_service_wants: sshd-keygen.target
|
||||
__sshd_service_restart_timeout: 42s
|
||||
|
|
|
@ -23,3 +23,9 @@ __sshd_runtime_directory: sshd
|
|||
|
||||
__sshd_drop_in_dir_mode: '0755'
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
||||
__sshd_environment_file: /etc/default/ssh
|
||||
__sshd_environment_variable: $SSHD_OPTS
|
||||
# the defaults here represent the defaults shipped in the main sshd_config
|
||||
__sshd_service_after: auditd.service
|
||||
__sshd_service_alias: sshd
|
||||
|
|
|
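Review bot: `# the defaults here represent the defaults shipped in the main sshd_config` sits between `__sshd_environment_variable` and `__sshd_service_after`, where the neighbouring keys are systemd unit settings rather than sshd_config values, and the sibling Ubuntu vars file in this commit has no such line; from the hunk counts it appears to be newly added rather than kept context. Either move it above the `__sshd_defaults` mapping that the other vars files here carry (outside this hunk), which is what it seems to describe, or drop it, so a reader does not take the systemd keys for sshd_config defaults.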
@ -21,3 +21,8 @@ __sshd_runtime_directory: sshd
|
|||
|
||||
__sshd_drop_in_dir_mode: '0755'
|
||||
__sshd_main_config_file: /etc/ssh/sshd_config
|
||||
|
||||
__sshd_environment_file: /etc/default/ssh
|
||||
__sshd_environment_variable: $SSHD_OPTS
|
||||
__sshd_service_after: auditd.service
|
||||
__sshd_service_alias: sshd
|
||||
|
|
|
@ -64,3 +64,25 @@ __sshd_verify_hostkeys_default: []
|
|||
# This switch can control if the validate step is supported by the target OS.
|
||||
# This is useful for very old OpenSSH or for tests that generate invalid configurations
|
||||
__sshd_supports_validate: true
|
||||
|
||||
# The path to an environment file for the SSHD service
|
||||
__sshd_environment_file: ~
|
||||
|
||||
# The variable name we are passing from the environment file as an argument to the sshd
|
||||
__sshd_environment_variable: $OPTIONS
|
||||
|
||||
# The systemd targets that need to be up before starting the service.
|
||||
# The `network.target` is included by default in the main sshd.service (not the instantiated one)
|
||||
__sshd_service_after: ~
|
||||
|
||||
# The systemd service name alias
|
||||
__sshd_service_alias: ~
|
||||
|
||||
# The systemd service wants directive
|
||||
__sshd_service_wants: ~
|
||||
|
||||
# The systemd service RestartSec directive
|
||||
__sshd_service_restart_timeout: ~
|
||||
|
||||
# The systemd socket file does not accept the connection
|
||||
__sshd_socket_accept: true
|
||||
|
|
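Review bot: `# The systemd socket file does not accept the connection` above `__sshd_socket_accept: true` reads as the opposite of what the templates do with it: when true the socket renders `Accept=yes` and `Conflicts=` on the service, i.e. systemd accepts each connection and spawns the instantiated unit, and when false the socket is handed to the single daemon. Reword it to `# Whether the systemd socket unit uses Accept=yes (per-connection instances of the instantiated service) rather than passing the socket to a single sshd; the Debian 12 vars set this to false`. The new `~` null markers (`__sshd_environment_file: ~` and the others) would read more clearly as `null` beside the `true`/`false` keys around them, and the `__sshd_service_wants` and `__sshd_environment_file` comments should say that both a string and a list are accepted, since the templates handle both.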