fix: rename var sshd -> sshd_config and debug output (#299)

willshersystems · Oct 24, 2024 · da3e33e · da3e33e
1 parent 3331fa7
commit da3e33e
Show file tree

Hide file tree

Showing 37 changed files with 203 additions and 66 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -4,8 +4,8 @@ exclude_paths:
   - .tox/
   - .markdownlint.yaml
 skip_list:
-  - var-naming[no-role-prefix]
   - meta-runtime[unsupported-version]
+  - experimental
 mock_roles:
   - willshersystems.sshd.ansible-sshd
 mock_modules:

diff --git a/README.md b/README.md
@@ -130,17 +130,20 @@ NOTE: `sshd_manage_selinux` is limited to *adding* policy. It cannot be used
 for *removing* policy. If you want to remove ports, you will need to use the
 selinux system role directly.
 
-#### sshd
+#### sshd_config
 
 A dict containing configuration.  e.g.
 
 ```yaml
-sshd:
+sshd_config:
   Compression: delayed
   ListenAddress:
     - 0.0.0.0
 ```
 
+*Note*: This variable was previous called `sshd`. `sshd` is can still be used
+but is deprecated and will be removed in a future release.
+
 #### sshd_`<OptionName>`
 
 Simple variables can be used rather than a dict. Simple values override dict
@@ -344,7 +347,7 @@ Use these variables to set the ownership and permissions for the Authorized Prin
 The SSH server needs this information stored in files so in addition to the above variables, respective configuration options `TrustedUserCAKeys` (mandatory) and `AuthorizedPrincipalsFile` (optional) need to be present the `sshd` dictionary when invoking the role. For example:
 
 ```yaml
-sshd:
+sshd_config:
   TrustedUserCAKeys: /etc/ssh/path-to-trusted-user-ca-keys/trusted-user-ca-keys.pub
   AuthorizedPrincipalsFile: "/etc/ssh/path-to-auth-principals/auth_principals/%u"
 ```
@@ -370,7 +373,7 @@ provides. Running it will likely break your SSH access to the server!
 - hosts: all
   vars:
     sshd_skip_defaults: true
-    sshd:
+    sshd_config:
       Compression: true
       ListenAddress:
         - "0.0.0.0"
@@ -413,7 +416,7 @@ for example:
       name: willshersystems.sshd
     vars:
       sshd_skip_defaults: true
-      sshd:
+      sshd_config:
         Compression: true
         ListenAddress:
           - "0.0.0.0"
@@ -440,7 +443,7 @@ option:
       name: willshersystems.sshd
     vars:
       sshd_config_namespace: accept-env
-      sshd:
+      sshd_config:
         # there are some handy environment variables to accept
         AcceptEnv:
           LANG

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -37,9 +37,6 @@ sshd_sysconfig_override_crypto_policy: false
 # generator
 sshd_sysconfig_use_strong_rng: 0
 
-# Empty dicts to avoid errors
-sshd: {}
-
 # The path to sshd_config file. This is useful when creating an included
 # configuration file snippet or configuring second sshd service
 sshd_config_file: "{{ __sshd_config_file }}"

diff --git a/examples/example-accept-env.yml b/examples/example-accept-env.yml
@@ -7,7 +7,7 @@
         name: ansible-sshd
       vars:
         sshd_config_namespace: accept-env
-        sshd:
+        sshd_config:
           # there are some handy environment variables to accept
           AcceptEnv:
             LANG

diff --git a/examples/example-root-login.yml b/examples/example-root-login.yml
@@ -6,7 +6,7 @@
       ansible.builtin.include_role:
         name: ansible-sshd
       vars:
-        sshd:
+        sshd_config:
           # root login and password login is enabled only from a particular subnet
           PermitRootLogin: false
           PasswordAuthentication: false

diff --git a/examples/example-use-certificates.yml b/examples/example-use-certificates.yml
@@ -6,7 +6,7 @@
       ansible.builtin.include_role:
         name: ansible-sshd
       vars:
-        sshd:
+        sshd_config:
           # Disable password authentication, use SSH Certificates and configure authorized principals
           PasswordAuthentication: false
           TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pub

diff --git a/meta/10_top.j2 b/meta/10_top.j2
@@ -21,8 +21,8 @@
 {%   set value = undefined %}
 {%   if override is defined %}
 {%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
+{%   elif __sshd_config[key] is defined %}
+{%     set value = __sshd_config[key] %}
 {%   elif sshd_main_config_file is not none
         and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}

diff --git a/meta/30_bottom.j2 b/meta/30_bottom.j2
@@ -1,5 +1,5 @@
-{% if sshd['Match'] is defined %}
-{{   match_iterate_block(sshd['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{   match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{   match_iterate_block(sshd_match) -}}

diff --git a/tasks/certificates.yml b/tasks/certificates.yml
@@ -6,7 +6,7 @@
       {% if sshd_TrustedUserCAKeys is defined %}
         {{ sshd_TrustedUserCAKeys | to_json }}
       {% else %}
-        {{ sshd['TrustedUserCAKeys'] | to_json }}
+        {{ __sshd_config['TrustedUserCAKeys'] | to_json }}
       {% endif %}
   block:
     - name: Create Trusted user CA Keys directory
@@ -32,7 +32,7 @@
       {% if sshd_AuthorizedPrincipalsFile is defined %}
         {{ sshd_AuthorizedPrincipalsFile | to_json }}
       {% else %}
-        {{ sshd['AuthorizedPrincipalsFile'] | to_json }}
+        {{ __sshd_config['AuthorizedPrincipalsFile'] | to_json }}
       {% endif %}
   when: sshd_principals != {}
   block:

diff --git a/tasks/find_ports.yml b/tasks/find_ports.yml
@@ -6,8 +6,8 @@
     __sshd_ports_from_config_tmp: >-
       {% if sshd_Port is defined %}
         {{ sshd_Port | to_json }}
-      {% elif sshd['Port'] is defined %}
-        {{ sshd['Port'] | to_json }}
+      {% elif __sshd_config['Port'] is defined %}
+        {{ __sshd_config['Port'] | to_json }}
       {% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
         {{ __sshd_defaults['Port'] | to_json }}
       {% else %}

diff --git a/tasks/firewall.yml b/tasks/firewall.yml
@@ -5,7 +5,7 @@
       ansible.builtin.include_role:
         name: fedora.linux_system_roles.firewall
       vars:
-        firewall:
+        firewall: # noqa: var-naming[no-role-prefix]
           - service: ssh
             state: enabled
       when:
@@ -15,11 +15,11 @@
       ansible.builtin.include_role:
         name: fedora.linux_system_roles.firewall
       vars:
-        firewall:
+        firewall: # noqa: var-naming[no-role-prefix]
           - port: "{{ sshd_item }}/tcp"
             state: enabled
       loop: "{{ __sshd_ports_from_config | from_json | d([]) }}"
       loop_control:
-        loop_var: sshd_item  # avoid conflicts with the firewall loops
+        loop_var: sshd_item # avoid conflicts with the firewall loops
       when:
         - __sshd_ports_from_config | from_json != [22]
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -33,8 +33,8 @@
     - __sshd_hostkeys_nofips | d([])
 
 - name: Make sure hostkeys are available and have expected permissions
-  vars: &share_vars
-    # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+  vars:
+    &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
     __sshd_fips_mode: >-
       {{ __sshd_hostkeys_nofips | d([]) and
          (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
@@ -44,8 +44,8 @@
     __sshd_hostkeys_from_config: >-
       {% if sshd_HostKey is defined %}
         {{ sshd_HostKey | to_json }}
-      {% elif sshd['HostKey'] is defined %}
-        {{ sshd['HostKey'] | to_json }}
+      {% elif __sshd_config['HostKey'] is defined %}
+        {{ __sshd_config['HostKey'] | to_json }}
       {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
         {% if __sshd_fips_mode %}
           {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,11 @@
 ---
+- name: Print that the sshd variable is deprecated
+  when: sshd is defined
+  ansible.builtin.debug:
+    msg: >-
+      The sshd variable is deprecated and will be removed
+      in a future version. Edit your playbook to use
+      the sshd_config variable instead.
 
 - name: Invoke the role, if enabled
   ansible.builtin.include_tasks: sshd.yml

diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
@@ -23,8 +23,8 @@
 {%   set value = undefined %}
 {%   if override is defined %}
 {%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
+{%   elif __sshd_config[key] is defined %}
+{%     set value = __sshd_config[key] %}
 {%   elif sshd_main_config_file is not none
         and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}
@@ -250,8 +250,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd['Match'] is defined %}
-{{   match_iterate_block(sshd['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{   match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{   match_iterate_block(sshd_match) -}}

diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
@@ -21,8 +21,8 @@
 {%   set value = undefined %}
 {%   if override is defined %}
 {%     set value = override %}
-{%   elif sshd[key] is defined %}
-{%     set value = sshd[key] %}
+{%   elif __sshd_config[key] is defined %}
+{%     set value = __sshd_config[key] %}
 {%   elif sshd_main_config_file is not none
         and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {#     Do not use the defaults from main file to avoid recursion #}
@@ -248,8 +248,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd['Match'] is defined %}
-{{   match_iterate_block(sshd['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{   match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{   match_iterate_block(sshd_match) -}}

diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
@@ -5,6 +5,13 @@
   when:
     - ansible_facts['distribution'] == 'Debian'
 
+- name: Ensure unminimize package is installed
+  ansible.builtin.apt:
+    pkg:
+      - unminimize
+  when:
+    - ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 24
+
 - name: Determine if system is ostree and set flag
   when: not __sshd_is_ostree is defined
   block:

diff --git a/tests/tests_all_options.yml b/tests/tests_all_options.yml
@@ -120,7 +120,7 @@
         # The hostkeys are not valid either so do not validate them
         sshd_verify_hostkeys: []
         sshd_config_file: /tmp/sshd_config
-        sshd:
+        sshd_config:
           "{{ sshd_c }}"
       when: not sshd_skip_test
 

diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
@@ -33,7 +33,7 @@
         sshd_config_owner: "nobody"
         sshd_config_group: "nobody"
         sshd_config_mode: "660"
-        sshd:
+        sshd_config:
           AcceptEnv: LANG
           Banner: /etc/issue
           Ciphers: aes256-ctr
@@ -46,7 +46,7 @@
         # just anything -- will not get processed by sshd
         sshd_config_file: /etc/ssh/sshd_config_custom_second
         sshd_skip_defaults: true
-        sshd:
+        sshd_config:
           Banner: /etc/issue2
           Ciphers: aes128-ctr
         sshd_MaxStartups: 100  # noqa var-naming
@@ -56,7 +56,7 @@
         name: ansible-sshd
       vars:
         sshd_config_file: /etc/ssh/sshd_config
-        sshd:
+        sshd_config:
           Banner: /etc/issue
           Ciphers: aes192-ctr
           HostKey:

diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
@@ -35,7 +35,7 @@
     sshd_config_owner: "nobody"
     sshd_config_group: "nobody"
     sshd_config_mode: "660"
-    sshd:
+    sshd_config:
       AcceptEnv: LANG
       Banner: /etc/issue
       Ciphers: aes256-ctr
@@ -50,7 +50,7 @@
     # just anything -- will not get processed by sshd
     sshd_config_file: /etc/ssh/sshd_config_custom_second
     sshd_skip_defaults: true
-    sshd:
+    sshd_config:
       Banner: /etc/issue2
       Ciphers: aes128-ctr
     sshd_MaxStartups: 100  # noqa var-naming
@@ -62,7 +62,7 @@
     - ansible-sshd
   vars:
     sshd_config_file: /etc/ssh/sshd_config
-    sshd:
+    sshd_config:
       Banner: /etc/issue
       Ciphers: aes192-ctr
       HostKey:

diff --git a/tests/tests_certificates.yml b/tests/tests_certificates.yml
@@ -25,7 +25,7 @@
       ansible.builtin.include_role:
         name: ansible-sshd
       vars:
-        sshd:
+        sshd_config:
           PasswordAuthentication: false
           TrustedUserCAKeys: /etc/ssh/ca-keys/trusted-user-ca-keys.pub
           AuthorizedPrincipalsFile: "/etc/ssh/auth_principals/%u"

diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml
@@ -16,7 +16,7 @@
       vars:
         sshd_config_file: /etc/ssh/sshd_config
         sshd_config_namespace: nm1
-        sshd:
+        sshd_config:
           PasswordAuthentication: true
           PermitRootLogin: true
           Match:
@@ -29,7 +29,7 @@
       vars:
         sshd_config_file: /etc/ssh/sshd_config
         sshd_config_namespace: nm2
-        sshd:
+        sshd_config:
           PasswordAuthentication: false
           PermitRootLogin: false
           Match: