--- # Copyright 2019 Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # found within the "vars/" path. If no OS files are found the task will skip. - name: Gather variables for each operating system include_vars: "{{ item }}" with_first_found: - skip: true files: - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_distribution | lower }}.yml" - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" - "{{ ansible_os_family | lower }}.yml" tags: - always - name: Run sshd tasks as root become: true block: - name: Install the OpenSSH server package: name: "{{ tripleo_sshd_packages }}" state: "{{ tripleo_sshd_package_state }}" register: _sshd_install_result # NOTE(mwhahaha): we need this here because in order to validate our generated # config, we need to ensure the host keys exists which happens on initial # startup - name: Start sshd systemd: name: sshd state: restarted enabled: true when: - _sshd_install_result.changed - name: PasswordAuthentication notice debug: msg: >- Notice - The option `tripleo_sshd_password_authentication` is set to "{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is undefined. While this may be perfectly valid, the sshd_config options should be reviewed to ensure general user access is functional and meeting expectations. when: - (tripleo_sshd_password_authentication != 'no') and not ('PermitRootLogin' in tripleo_sshd_server_options) - name: PasswordAuthentication duplication notice debug: msg: >- WARNING - The PasswordAuthentication has been configured in `tripleo_sshd_server_options` but the values are different. The `tripleo_sshd_password_authentication` value will be used. when: - ('PasswordAuthentication' in tripleo_sshd_server_options and tripleo_sshd_password_authentication != tripleo_sshd_server_options['PasswordAuthentication']) - name: Motd duplication notice debug: msg: >- WARNING - The Banner or PrintMotd has been configured in `tripleo_sshd_server_options`. These options may be ignored and configured using values from `tripleo_sshd_banner_enabled` and `tripleo_sshd_motd_enabled` when: - ('Banner' in tripleo_sshd_server_options or 'PrintMotd' in tripleo_sshd_server_options) - name: Configure the banner text copy: content: "{{ tripleo_sshd_banner_text }}" dest: /etc/issue when: - tripleo_sshd_banner_enabled | bool - name: Configure the motd banner copy: content: "{{ tripleo_sshd_message_of_the_day }}" dest: /etc/motd when: - tripleo_sshd_motd_enabled | bool - name: Update sshd configuration options from vars set_fact: tripleo_sshd_server_options: |- {% set _ = tripleo_sshd_server_options.__setitem__('PasswordAuthentication', tripleo_sshd_password_authentication) %} {% if tripleo_sshd_banner_enabled %} {% set _ = tripleo_sshd_server_options.__setitem__('Banner', '/etc/issue') %} {% endif %} {% if tripleo_sshd_motd_enabled %} {% set _ = tripleo_sshd_server_options.__setitem__('PrintMotd', 'yes') %} {% endif %} {{ tripleo_sshd_server_options }} - name: Adjust ssh server configuration template: dest: /etc/ssh/sshd_config src: sshd_config_block.j2 validate: '/usr/sbin/sshd -T -f %s' register: _sshd_config_result - name: Restart sshd systemd: name: sshd state: restarted enabled: true when: - _sshd_config_result.changed