--- - hosts: all vars: __sshd_test_backup_files: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" ansible.builtin.include_tasks: tasks/backup.yml - name: Remove include directory from the main config file ansible.builtin.lineinfile: path: "/etc/ssh/sshd_config" regexp: "^Include" state: absent when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) - name: Create a new configuration in drop-in directory ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf sshd: Banner: /etc/include-issue Ciphers: aes192-ctr when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) - name: Verify the options are correctly set block: - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Print drop-in configuration file ansible.builtin.slurp: src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf register: config - name: Print the main configuration file ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config_main - name: Check content of drop-in configuration file ansible.builtin.assert: that: - "'Banner /etc/include-issue' in config.content | b64decode" - "'Ciphers aes192-ctr' in config.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode" - "'Subsystem sftp /usr/libexec/openssh/sftp-server' not in config.content | b64decode" - "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode" - name: Check common content of the main configuration file ansible.builtin.assert: that: - "'Banner /etc/include-issue' not in config_main.content | b64decode" - "'Ciphers aes192-ctr' not in config_main.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode" - name: Check RHEL content of the main configuration file ansible.builtin.assert: that: - "config_main.content | b64decode | regex_search('Subsystem\\ssftp\\s/usr/libexec/openssh/sftp-server')" when: ansible_facts['os_family'] == 'RedHat' - name: Check Ubuntu content of the main configuration file ansible.builtin.assert: that: - "config_main.content | b64decode | regex_search('Subsystem\\ssftp\\s/usr/lib/openssh/sftp-server')" when: ansible_facts['os_family'] == 'Ubuntu' when: - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) tags: tests::verify - name: "Restore configuration files" ansible.builtin.include_tasks: tasks/restore.yml