Make tripleo_sshd more idempontent

This change updates the sshd configuration to occur once rather than
using lineinfile after writing out the template. This should improve
idempontency because we won't be munging a file we wrote out with a
template. Additionally this change switches from using handlers to an
explicit task instead.

Change-Id: Ib53c0dffca24c3aff206911dcada1d27b4351f1b
(cherry picked from commit 6f80b749f5)

tripleo_ansible/roles/tripleo_sshd/handlers/main.yml

@@ -1,23 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-- name: Restart sshd
-  systemd:
-    name: sshd
-    state: restarted
-    enabled: true
-  become: true
-  tags:
-    - handler

tripleo_ansible/roles/tripleo_sshd/tasks/main.yml

@@ -36,19 +36,18 @@
       package:
         name: "{{ tripleo_sshd_packages }}"
         state: "{{ tripleo_sshd_package_state }}"
-      notify:
+      register: _sshd_install_result
-        - Restart sshd
 
-    - name: Flush all handlers
+    # NOTE(mwhahaha): we need this here because in order to validate our generated
-      meta: flush_handlers
+    # config, we need to ensure the host keys exists which happens on initial
-
+    # startup
-    - name: Adjust ssh server configuration
+    - name: Start sshd
-      template:
+      systemd:
-        dest: /etc/ssh/sshd_config
+        name: sshd
-        src: sshd_config_block.j2
+        state: restarted
-        validate: '/usr/sbin/sshd -T -f %s'
+        enabled: true
-      notify:
+      when:
-        - Restart sshd
+        - _sshd_install_result.changed
 
     - name: PasswordAuthentication notice
       debug:
@@ -62,15 +61,25 @@
         - (tripleo_sshd_password_authentication != 'no') and
           not ('PermitRootLogin' in tripleo_sshd_server_options)
 
-    - name: Adjust ssh server auth configuration
+    - name: PasswordAuthentication duplication notice
-      lineinfile:
+      debug:
-        path: /etc/ssh/sshd_config
+        msg: >-
-        state: present
+          WARNING - The PasswordAuthentication has been configured in
-        regexp: '^#?PasswordAuthentication.*'
+          `tripleo_sshd_server_options` but the values are different.
-        line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
+          The `tripleo_sshd_password_authentication` value will be used.
-        validate: '/usr/sbin/sshd -T -f %s'
+      when:
-      notify:
+        - ('PasswordAuthentication' in tripleo_sshd_server_options and
-        - Restart sshd
+          tripleo_sshd_password_authentication != tripleo_sshd_server_options['PasswordAuthentication'])
+
+    - name: Motd duplication notice
+      debug:
+        msg: >-
+          WARNING - The Banner or PrintMotd has been configured in
+          `tripleo_sshd_server_options`. These options may be ignored and
+          configured using values from `tripleo_sshd_banner_enabled` and
+          `tripleo_sshd_motd_enabled`
+      when:
+        - ('Banner' in tripleo_sshd_server_options or 'PrintMotd' in tripleo_sshd_server_options)
 
     - name: Configure the banner text
       copy:
@@ -79,18 +88,6 @@
       when:
         - tripleo_sshd_banner_enabled | bool
 
-    - name: Adjust ssh server banner configuration
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        state: present
-        regexp: '^#?Banner.*'
-        line: 'Banner /etc/issue'
-        validate: '/usr/sbin/sshd -T -f %s'
-      when:
-        - tripleo_sshd_banner_enabled | bool
-      notify:
-        - Restart sshd
-
     - name: Configure the motd banner
       copy:
         content: "{{ tripleo_sshd_message_of_the_day }}"
@@ -98,17 +95,29 @@
       when:
         - tripleo_sshd_motd_enabled | bool
 
-    - name: Adjust ssh server motd configuration
+    - name: Update sshd configuration options from vars
-      lineinfile:
+      set_fact:
-        path: /etc/ssh/sshd_config
+        tripleo_sshd_server_options: |-
-        state: present
+         {% set _ = tripleo_sshd_server_options.__setitem__('PasswordAuthentication', tripleo_sshd_password_authentication) %}
-        regexp: '^#?PrintMotd.*'
+         {% if tripleo_sshd_banner_enabled %}
-        line: 'PrintMotd yes'
+         {% set _ = tripleo_sshd_server_options.__setitem__('Banner', '/etc/issue') %}
-        validate: '/usr/sbin/sshd -T -f %s'
+         {% endif %}
-      when:
+         {% if tripleo_sshd_motd_enabled %}
-        - tripleo_sshd_motd_enabled | bool
+         {% set _ = tripleo_sshd_server_options.__setitem__('PrintMotd', 'yes') %}
-      notify:
+         {% endif %}
-        - Restart sshd
+         {{ tripleo_sshd_server_options }}
 
-- name: Flush all handlers
+    - name: Adjust ssh server configuration
-  meta: flush_handlers
+      template:
+        dest: /etc/ssh/sshd_config
+        src: sshd_config_block.j2
+        validate: '/usr/sbin/sshd -T -f %s'
+      register: _sshd_config_result
+
+    - name: Restart sshd
+      systemd:
+        name: sshd
+        state: restarted
+        enabled: true
+      when:
+        - _sshd_config_result.changed