openstack/tripleo-ansible
Code Issues Proposed changes
f0d16eb701
tripleo-ansible/tripleo_ansible/roles/tripleo-sshd/tasks/main.yml
Kevin Carter 578962e83f import missing logic from puppet manifests 
The sshd role now implements the existing logic found within the
legacy puppet manifest. This change will ensure our ssh configs are
managed in the same way was as before, with the same user interface,
resulting the same functional outcomes.

A new molecule test has been added to ensure we're exercising all
available code path's. This new test will run through our banner
and motd configuration options.

Change-Id: I68a12c0992455c5a9dc3362b8121151235f409a2
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-09-04 21:48:23 +00:00

115 lines
3.7 KiB
YAML
Raw Blame History

---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# found within the "vars/" path. If no OS files are found the task will skip.
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- skip: true
files:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Run sshd tasks as root
become: true
block:
- name: Install the OpenSSH server
package:
name: "{{ tripleo_sshd_packages }}"
state: "{{ tripleo_sshd_package_state }}"
notify:
- Restart sshd
- name: Flush all handlers
meta: flush_handlers
- name: Adjust ssh server configuration
template:
dest: /etc/ssh/sshd_config
src: sshd_config_block.j2
validate: '/usr/sbin/sshd -T -f %s'
notify:
- Restart sshd
- name: PasswordAuthentication notice
debug:
msg: >-
Notice - The option `tripleo_sshd_password_authentication` is set to
"{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
undefined. While this may be perfectly valid, the sshd_config options
should be reviewed to ensure general user access is functional and
meeting expectations.
when:
- (tripleo_sshd_password_authentication != 'no') and
not (PermitRootLogin in tripleo_sshd_server_options)
- name: Adjust ssh server auth configuration
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?PasswordAuthentication.*'
line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
validate: '/usr/sbin/sshd -T -f %s'
notify:
- Restart sshd
- name: Configure the banner text
copy:
content: "{{ tripleo_sshd_banner_text }}"
dest: /etc/issue
when:
- tripleo_sshd_banner_enabled | bool
- name: Adjust ssh server banner configuration
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?Banner.*'
line: 'Banner /etc/issue'
validate: '/usr/sbin/sshd -T -f %s'
when:
- tripleo_sshd_banner_enabled | bool
notify:
- Restart sshd
- name: Configure the motd banner
copy:
content: "{{ tripleo_sshd_message_of_the_day }}"
dest: /etc/motd
when:
- tripleo_sshd_motd_enabled | bool
- name: Adjust ssh server motd configuration
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?PrintMotd.*'
line: 'PrintMotd yes'
validate: '/usr/sbin/sshd -T -f %s'
when:
- tripleo_sshd_motd_enabled | bool
notify:
- Restart sshd
- name: Flush all handlers
meta: flush_handlers
View Git Blame Copy Permalink