--- - name: Test managing firewall and selinux from role hosts: all gather_facts: true # needs os_family, etc. vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Call role with no args to get access to __sshd_skip_virt_env ansible.builtin.include_role: name: ansible-sshd public: true vars: sshd_enable: false # skip everything but loading vars - name: See if we can test firewall or selinux ansible.builtin.set_fact: sshd_enable: true # reset to true __sshd_test_firewall: "{{ ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_version'] is version('7', '>=') and ansible_facts['virtualization_type'] | d(None) not in __sshd_skip_virt_env }}" __sshd_test_selinux: "{{ ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_version'] is version('6', '>=') and ansible_facts['virtualization_type'] | d(None) not in __sshd_skip_virt_env }}" ########## # First test: default port ########## - name: Configure the role on default port and let it handle firewall settings ansible.builtin.include_role: name: ansible-sshd vars: sshd_manage_selinux: "{{ __sshd_test_selinux }}" sshd_manage_firewall: "{{ __sshd_test_firewall }}" sshd_config: Port: 22 - name: Verify the options are correctly set tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are in configuration file ansible.builtin.assert: that: - "'Port 22' in config.content | b64decode" ########## # Second test: non-default port ########## # is this going to break some tests running ansible through ssh? - name: Configure the role on another port and let it handle firewall settings ansible.builtin.include_role: name: ansible-sshd vars: sshd_manage_firewall: "{{ __sshd_test_firewall }}" sshd_manage_selinux: "{{ __sshd_test_selinux }}" sshd_config: Port: 222 - name: Verify the options are correctly set tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are in configuration file ansible.builtin.assert: that: - "'Port 222' in config.content | b64decode" ########## # Third test: multiple ports ########## - name: Configure the role on several ports and let it handle firewall settings ansible.builtin.include_role: name: ansible-sshd vars: sshd_manage_firewall: "{{ __sshd_test_firewall }}" sshd_manage_selinux: "{{ __sshd_test_selinux }}" sshd_config: Port: - 22 - 222 - name: Verify the options are correctly set tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are in configuration file ansible.builtin.assert: that: - "'Port 222' in config.content | b64decode" ########## # Cleanup ########## - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml - name: Remove the modification to the firewall rules ansible.builtin.include_role: name: fedora.linux_system_roles.firewall vars: firewall: # noqa: var-naming[no-role-prefix] - port: "222/tcp" state: disabled when: __sshd_test_firewall - name: Remove the modification to the selinux policy ansible.builtin.include_role: name: fedora.linux_system_roles.selinux vars: selinux: # noqa: var-naming[no-role-prefix] port: 222 proto: tcp setype: ssh_port_t state: absent local: true when: __sshd_test_selinux