--- - name: Test match blocks hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd ansible.builtin.include_role: name: ansible-sshd vars: # For Fedora containers, we need to make sure we have keys for sshd -T below sshd_verify_hostkeys: - /etc/ssh/ssh_host_rsa_key sshd_config: Match: Condition: "User xusers" X11Forwarding: true Banner: /tmp/xusers-banner sshd_match: - Condition: "User bot" AllowTcpForwarding: false Banner: /tmp/bot-banner sshd_match_1: - Condition: "User sftponly" ForceCommand: "internal-sftp" ChrootDirectory: "/var/uploads/" sshd_match_2: - Condition: "User root" PasswordAuthentication: false AllowTcpForwarding: true - name: Verify the options are correctly set tags: tests::verify block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T for xusers ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com register: xusers_effective changed_when: false - name: List effective configuration using sshd -T for bot ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com register: bot_effective changed_when: false - name: List effective configuration using sshd -T for sftponly ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com register: sftponly_effective changed_when: false - name: List effective configuration using sshd -T for root ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com register: root_effective changed_when: false - name: Print current configuration file ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are effective # note, the options are in lower-case here ansible.builtin.assert: that: - "'x11forwarding yes' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout" - "'allowtcpforwarding no' in bot_effective.stdout" - "'banner /tmp/bot-banner' in bot_effective.stdout" - "'forcecommand internal-sftp' in sftponly_effective.stdout" - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" - "'passwordauthentication no' in root_effective.stdout" - "'allowtcpforwarding yes' in root_effective.stdout" - name: Check the options are in configuration file ansible.builtin.assert: that: - "'Match User xusers' in config.content | b64decode" - "'Match User bot' in config.content | b64decode" - "'Match User sftponly' in config.content | b64decode" - "'Match User root' in config.content | b64decode" - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml