--- - hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /tmp/ssh_host_rsa_key tasks: - name: "Backup configuration files" include_tasks: tasks/backup.yml - name: Remove host key before the test file: path: /tmp/ssh_host_rsa_key state: absent - name: Configure sshd include_role: name: ansible-sshd vars: sshd: Banner: /etc/issue Ciphers: aes256-ctr HostKey: /etc/ssh/ssh_host_rsa_key sshd_Ciphers: aes128-ctr sshd_Banner: /etc/good-issue sshd_HostKey: /tmp/ssh_host_rsa_key - name: Verify the options are correctly set vars: main_sshd_config: >- {{ "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" if ansible_facts['distribution'] == 'Fedora' else "/etc/ssh/sshd_config" }} block: - meta: flush_handlers - name: List effective configuration using sshd -T command: sshd -T register: runtime - name: Print current configuration file slurp: src: "{{ main_sshd_config }}" register: config - name: Check the sshd_* values are effective in runtime # note, the options are in lower-case here assert: that: - "'banner /etc/good-issue' in runtime.stdout" - "'ciphers aes128-ctr' in runtime.stdout" - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - name: Check the options are in configuration file assert: that: - "'Banner /etc/good-issue' in config.content | b64decode" - "'Ciphers aes128-ctr' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode" tags: tests::verify - name: "Restore configuration files" include_tasks: tasks/restore.yml