openstack
/
tripleo-ansible
Code Issues Proposed changes
tripleo-ansible/tripleo_ansible/roles/tripleo-sshd/tasks/main.yml

124 lines
4.7 KiB
YAML
Raw Blame History

---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# found within the "vars/" path. If no OS files are found the task will skip.
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- skip: true
files:
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
- "{{ ansible_facts['os_family'] | lower }}.yml"
tags:
- always
- name: Run sshd tasks as root
become: true
block:
- name: Install the OpenSSH server
package:
name: "{{ tripleo_sshd_packages }}"
state: "{{ tripleo_sshd_package_state }}"
register: _sshd_install_result
# NOTE(mwhahaha): we need this here because in order to validate our generated
# config, we need to ensure the host keys exists which happens on initial
# startup
- name: Start sshd
systemd:
name: sshd
state: restarted
enabled: true
when:
- _sshd_install_result.changed
- name: PasswordAuthentication notice
debug:
msg: >-
Notice - The option `tripleo_sshd_password_authentication` is set to
"{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
undefined. While this may be perfectly valid, the sshd_config options
should be reviewed to ensure general user access is functional and
meeting expectations.
when:
- (tripleo_sshd_password_authentication != 'no') and
not (PermitRootLogin in tripleo_sshd_server_options)
- name: PasswordAuthentication duplication notice
debug:
msg: >-
WARNING - The PasswordAuthentication has been configured in
`tripleo_sshd_server_options` but the values are different.
The `tripleo_sshd_password_authentication` value will be used.
when:
- ('PasswordAuthentication' in tripleo_sshd_server_options and
tripleo_sshd_password_authentication != tripleo_sshd_server_options['PasswordAuthentication'])
- name: Motd duplication notice
debug:
msg: >-
WARNING - The Banner or PrintMotd has been configured in
`tripleo_sshd_server_options`. These options may be ignored and
configured using values from `tripleo_sshd_banner_enabled` and
`tripleo_sshd_motd_enabled`
when:
- ('Banner' in tripleo_sshd_server_options or 'PrintMotd' in tripleo_sshd_server_options)
- name: Configure the banner text
copy:
content: "{{ tripleo_sshd_banner_text }}"
dest: /etc/issue
when:
- tripleo_sshd_banner_enabled | bool
- name: Configure the motd banner
copy:
content: "{{ tripleo_sshd_message_of_the_day }}"
dest: /etc/motd
when:
- tripleo_sshd_motd_enabled | bool
- name: Update sshd configuration options from vars
set_fact:
tripleo_sshd_server_options: |-
{% set _ = tripleo_sshd_server_options.__setitem__('PasswordAuthentication', tripleo_sshd_password_authentication) %}
{% if tripleo_sshd_banner_enabled %}
{% set _ = tripleo_sshd_server_options.__setitem__('Banner', '/etc/issue') %}
{% endif %}
{% if tripleo_sshd_motd_enabled %}
{% set _ = tripleo_sshd_server_options.__setitem__('PrintMotd', 'yes') %}
{% endif %}
{{ tripleo_sshd_server_options }}
- name: Adjust ssh server configuration
template:
dest: /etc/ssh/sshd_config
src: sshd_config_block.j2
validate: '/usr/sbin/sshd -T -f %s'
register: _sshd_config_result
- name: Restart sshd
systemd:
name: sshd
state: restarted
enabled: true
when:
- _sshd_config_result.changed
View Git Blame Copy Permalink