--- - hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /tmp/ssh_host_rsa_key tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Remove host key before the test ansible.builtin.file: path: /tmp/ssh_host_rsa_key state: absent - name: Configure sshd # noqa var-naming ansible.builtin.include_role: name: ansible-sshd vars: sshd: Banner: /etc/issue Ciphers: aes256-ctr HostKey: /etc/ssh/ssh_host_rsa_key sshd_Ciphers: aes128-ctr sshd_Banner: /etc/good-issue sshd_HostKey: /tmp/ssh_host_rsa_key - name: Verify the options are correctly set block: - name: Flush metadata ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T ansible.builtin.command: sshd -T register: runtime changed_when: false - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the sshd_* values are effective in runtime # note, the options are in lower-case here ansible.builtin.assert: that: - "'banner /etc/good-issue' in runtime.stdout" - "'ciphers aes128-ctr' in runtime.stdout" - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - name: Check the options are in configuration file ansible.builtin.assert: that: - "'Banner /etc/good-issue' in config.content | b64decode" - "'Ciphers aes128-ctr' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode" tags: tests::verify - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml