feat: add test for Rocky Linux 8 (#1)

Co-authored-by: Robert Kaussow <xoxys@rknet.org>
Co-committed-by: Robert Kaussow <xoxys@rknet.org>

.drone.jsonnet

@@ -71,7 +71,7 @@ local PipelineDeployment(scenario='centos7') = {
     'linting',
   ],
   trigger: {
-    ref: ['refs/heads/master', 'refs/tags/**'],
+    ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
   },
 };
 
@@ -116,6 +116,7 @@ local PipelineDocumentation = {
   },
   depends_on: [
     'testing-centos7',
+    'testing-rocky8',
   ],
 };
 
@@ -154,6 +155,7 @@ local PipelineNotification = {
 [
   PipelineLinting,
   PipelineDeployment(scenario='centos7'),
+  PipelineDeployment(scenario='rocky8'),
   PipelineDocumentation,
   PipelineNotification,
 ]

.drone.yml

@@ -62,6 +62,40 @@ trigger:
   ref:
     - refs/heads/master
     - refs/tags/**
+    - refs/pull/**
+
+depends_on:
+  - linting
+
+---
+kind: pipeline
+name: testing-rocky8
+
+platform:
+  os: linux
+  arch: amd64
+
+concurrency:
+  limit: 1
+
+workspace:
+  base: /drone/src
+  path: ${DRONE_REPO_NAME}
+
+steps:
+  - name: ansible-molecule
+    image: thegeeklab/molecule:3
+    commands:
+      - molecule test -s rocky8
+    environment:
+      HCLOUD_TOKEN:
+        from_secret: hcloud_token
+
+trigger:
+  ref:
+    - refs/heads/master
+    - refs/tags/**
+    - refs/pull/**
 
 depends_on:
   - linting
@@ -108,6 +142,7 @@ trigger:
 
 depends_on:
   - testing-centos7
+  - testing-rocky8
 
 ---
 kind: pipeline
@@ -147,6 +182,6 @@ depends_on:
 
 ---
 kind: signature
-hmac: 6fb4bbe578d0a67f6def789d5b7a11d422bca42f07695c24fac97950f02cf51a
+hmac: 4e3ffd7002957963c30b32275a59b62e7c19a1ccf7bd40369411bca13d94614e
 
 ...

defaults/main.yml

@@ -1,15 +1,16 @@
 ---
 sshd_protocol: 2
-sshd_permit_root_login: 'yes'
-sshd_permit_empty_passwords: 'no'
-sshd_password_authentication: 'no'
-sshd_gssapi_authentication: 'yes'
-sshd_strict_modes: 'yes'
+sshd_permit_root_login: "yes"
+sshd_permit_empty_passwords: "no"
+sshd_password_authentication: "no"
+sshd_gssapi_authentication: "no"
+sshd_strict_modes: "yes"
 sshd_allow_groups: []
-sshd_ignore_rhosts: 'yes'
-sshd_hostbased_authentication: 'no'
+sshd_ignore_rhosts: "yes"
+sshd_hostbased_authentication: "no"
 sshd_client_alive_interval: 900
 sshd_client_alive_count_max: 0
+
 sshd_ciphers:
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
@@ -17,33 +18,37 @@ sshd_ciphers:
   - aes256-ctr
   - aes192-ctr
   - aes128-ctr
+
 sshd_kex:
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
+
 sshd_moduli_minimum: 2048
+
 sshd_macs:
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
-  - hmac-ripemd160-etm@openssh.com
   - umac-128-etm@openssh.com
   - hmac-sha2-512
   - hmac-sha2-256
-  - hmac-ripemd160
-sshd_allow_agent_forwarding: 'no'
-sshd_x11_forwarding: 'yes'
-sshd_allow_tcp_forwarding: 'yes'
+  - umac-128@openssh.com
+
+sshd_allow_agent_forwarding: "no"
+sshd_x11_forwarding: "yes"
+sshd_allow_tcp_forwarding: "yes"
 sshd_compression: delayed
 sshd_log_level: INFO
 sshd_max_auth_tries: 6
 sshd_max_sessions: 10
-sshd_tcp_keep_alive: 'yes'
-sshd_use_dns: 'yes'
+sshd_tcp_keep_alive: "yes"
+sshd_use_dns: "no"
+
+sshd_disable_crypto_policy: False
 
 # @var sshd_challenge_response_authentication:description: >
-# If you disable password auth you should disable
-# ChallengeResponseAuth also.
+# If you disable password auth you should disable ChallengeResponseAuth also.
 # @end
-sshd_challenge_response_authentication: 'no'
+sshd_challenge_response_authentication: "no"
 
 # @var sshd_google_auth_enabled:description: >
 # Google Authenticator required ChallengeResponseAuth!

molecule/default

@@ -1 +1 @@
-centos7
+rocky8

molecule/rocky8/converge.yml

@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: xoxys.sshd

molecule/rocky8/create.yml

@@ -0,0 +1,120 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  vars:
+    ssh_port: 22
+    ssh_user: root
+    ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
+  tasks:
+    - name: Create SSH key
+      user:
+        name: "{{ lookup('env', 'USER') }}"
+        generate_ssh_key: true
+        ssh_key_file: "{{ ssh_path }}"
+        force: true
+      register: generated_ssh_key
+
+    - name: Register the SSH key name
+      set_fact:
+        ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
+
+    - name: Register SSH key for test instance(s)
+      hcloud_ssh_key:
+        name: "{{ ssh_key_name }}"
+        public_key: "{{ generated_ssh_key.ssh_public_key }}"
+        state: present
+
+    - name: Create molecule instance(s)
+      hcloud_server:
+        name: "{{ item.name }}"
+        server_type: "{{ item.server_type }}"
+        ssh_keys:
+          - "{{ ssh_key_name }}"
+        image: "{{ item.image }}"
+        location: "{{ item.location | default(omit) }}"
+        datacenter: "{{ item.datacenter | default(omit) }}"
+        user_data: "{{ item.user_data | default(omit) }}"
+        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
+        state: present
+      register: server
+      loop: "{{ molecule_yml.platforms }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) creation to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: hetzner_jobs
+      until: hetzner_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    - name: Create volume(s)
+      hcloud_volume:
+        name: "{{ item.name }}"
+        server: "{{ item.name }}"
+        location: "{{ item.location | default(omit) }}"
+        size: "{{ item.volume_size | default(10) }}"
+        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
+        state: "present"
+      loop: "{{ molecule_yml.platforms }}"
+      when: item.volume | default(False) | bool
+      register: volumes
+      async: 7200
+      poll: 0
+
+    - name: Wait for volume(s) creation to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: hetzner_volumes
+      until: hetzner_volumes.finished
+      retries: 300
+      when: volumes.changed
+      loop: "{{ volumes.results }}"
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config dict
+      set_fact:
+        instance_conf_dict:
+          {
+            "instance": "{{ item.hcloud_server.name }}",
+            "ssh_key_name": "{{ ssh_key_name }}",
+            "address": "{{ item.hcloud_server.ipv4_address }}",
+            "user": "{{ ssh_user }}",
+            "port": "{{ ssh_port }}",
+            "identity_file": "{{ ssh_path }}",
+            "volume": "{{ item.item.item.volume | default(False) | bool }}",
+          }
+      loop: "{{ hetzner_jobs.results }}"
+      register: instance_config_dict
+      when: server.changed | bool
+
+    - name: Convert instance config dict to a list
+      set_fact:
+        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+      when: server.changed | bool
+
+    - name: Dump instance config
+      copy:
+        content: |
+          # Molecule managed
+
+          {{ instance_conf | to_nice_yaml(indent=2) }}
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool
+
+    - name: Wait for SSH
+      wait_for:
+        port: "{{ ssh_port }}"
+        host: "{{ item.address }}"
+        search_regex: SSH
+        delay: 10
+      loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
+
+    - name: Wait for VM to settle down
+      pause:
+        seconds: 30

molecule/rocky8/destroy.yml

@@ -0,0 +1,78 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  tasks:
+    - name: Check existing instance config file
+      stat:
+        path: "{{ molecule_instance_config }}"
+      register: cfg
+
+    - name: Populate the instance config
+      set_fact:
+        instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
+
+    - name: Destroy molecule instance(s)
+      hcloud_server:
+        name: "{{ item.instance }}"
+        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
+        state: absent
+      register: server
+      loop: "{{ instance_conf }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) deletion to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: hetzner_jobs
+      until: hetzner_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    - pause:
+        seconds: 5
+
+    - name: Destroy volume(s)
+      hcloud_volume:
+        name: "{{ item.instance }}"
+        server: "{{ item.instance }}"
+        api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
+        state: "absent"
+      register: volumes
+      loop: "{{ instance_conf }}"
+      when: item.volume | default(False) | bool
+      async: 7200
+      poll: 0
+
+    - name: Wait for volume(s) deletion to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: hetzner_volumes
+      until: hetzner_volumes.finished
+      retries: 300
+      when: volumes.changed
+      loop: "{{ volumes.results }}"
+
+    - name: Remove registered SSH key
+      hcloud_ssh_key:
+        name: "{{ instance_conf[0].ssh_key_name }}"
+        state: absent
+      when: (instance_conf | default([])) | length > 0
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config
+      set_fact:
+        instance_conf: {}
+
+    - name: Dump instance config
+      copy:
+        content: |
+          # Molecule managed
+
+          {{ instance_conf | to_nice_yaml(indent=2) }}
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool

molecule/rocky8/molecule.yml

@@ -0,0 +1,24 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: molecule/requirements.yml
+    requirements-file: molecule/requirements.yml
+  env:
+    ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
+driver:
+  name: delegated
+platforms:
+  - name: rocky8-sshd
+    image: rocky-8
+    server_type: cx11
+lint: |
+  /usr/local/bin/flake8
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
+    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
+  log: False
+verifier:
+  name: testinfra

molecule/rocky8/prepare.yml

@@ -0,0 +1,15 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Bootstrap python for Ansible
+      raw: |
+        command -v python3 python || (
+        (test -e /usr/bin/dnf && sudo dnf install -y python3) ||
+        (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
+        (test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
+        echo "Warning: Python not boostrapped due to unknown platform."
+        )
+      become: true
+      changed_when: false

molecule/rocky8/tests/test_default.py

@@ -0,0 +1,16 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_sshd_config_file(host):
+    sshd = host.file("/etc/ssh/sshd_config")
+
+    assert sshd.exists
+    assert sshd.user == "root"
+    assert sshd.group == "root"
+    assert sshd.mode == 0o600

tasks/ssh_default.yml

@@ -1,4 +1,9 @@
 ---
+- name: Gather package facts
+  package_facts:
+  check_mode: False
+  when: sshd_disable_crypto_policy | bool
+
 - block:
     - name: Hardening sshd config
       template:
@@ -16,8 +21,9 @@
       check_mode: no
 
     - name: Remove all small primes
-      shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
-            [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+      shell:
+        awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+        [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
       notify: __sshd_restart
       when: __sshd_register_moduli.stdout
 
@@ -26,5 +32,16 @@
         name: "{{ item }}"
         state: present
       loop: "{{ sshd_allow_groups }}"
+
+    - name: Disable SSH server CRYPTO_POLICY
+      copy:
+        src: etc/sysconfig/sshd
+        dest: /etc/sysconfig/sshd
+        owner: "root"
+        group: "root"
+        mode: "0640"
+      when:
+        - sshd_disable_crypto_policy | bool
+        - ('crypto-policies' in ansible_facts.packages)
   become: True
   become_user: root

tasks/ssh_univention.yml

@@ -5,18 +5,30 @@
         path: "{{ item.path }}"
         value: "{{ item.value }}"
       loop:
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
-        - { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" }
-        - { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
-        - { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" }
-        - { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" }
-        - { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" }
-        - { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" }
-        - { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" }
-        - { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" }
-        - { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" }
-        - { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" }
-        - { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" }
+        - path: sshd/permitroot
+          value: "{{ sshd_permit_root_login | default('') }}"
+        - path: sshd/PermitEmptyPasswords
+          value: "{{ sshd_permit_empty_passwords | default('') }}"
+        - path: sshd/permitroot
+          value: "{{ sshd_permit_root_login | default('') }}"
+        - path: sshd/passwordauthentication
+          value: "{{ sshd_password_authentication | default('') }}"
+        - path: sshd/challengeresponse
+          value: "{{ sshd_password_authentication | default('') }}"
+        - path: sshd/IgnoreRhosts
+          value: "{{ sshd_ignore_rhosts | default('') }}"
+        - path: sshd/HostbasedAuthentication
+          value: "{{ sshd_hostbased_authentication | default('') }}"
+        - path: sshd/ClientAliveInterval
+          value: "{{ sshd_client_alive_interval | default('') }}"
+        - path: sshd/ClientAliveCountMax
+          value: "{{ sshd_client_alive_count_max | default('') }}"
+        - path: sshd/Ciphers
+          value: "{{ sshd_ciphers | default('[]') | join(',') }}"
+        - path: sshd/KexAlgorithms
+          value: "{{ sshd_kex | default('[]') | join(',') }}"
+        - path: sshd/MACs
+          value: "{{ sshd_macs | default('[]') | join(',') }}"
       loop_control:
         label: "variable: {{ item.path }}={{ item.value }}"
       notify: __sshd_restart
@@ -30,7 +42,7 @@
     - name: Create SSH Usergroup
       group:
         name: "{{ item }}"
-        system: 'yes'
+        system: "yes"
         state: present
       loop: "{{ sshd_allow_groups }}"
   become: True

templates/etc/ssh/sshd_config.j2

@@ -1,9 +1,8 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
-#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
 
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
+# This is the sshd server system-wide configuration file.
+# See sshd_config(5) for more information.
 
 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
 
@@ -20,30 +19,31 @@
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
+{% if ansible_distribution_major_version is version('8', '<') %}
 
-# The default requires explicit activation of protocol 1
 Protocol {{ sshd_protocol }}
+{% endif %}
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none
+
+{% if not sshd_disable_crypto_policy | bool %}
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect here.
+# They will be overridden by command-line options passed to the server
+# on command line.
+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
+{% else %}
 Ciphers {{ sshd_ciphers | join(',') }}
 KexAlgorithms {{ sshd_kex | join(',') }}
 MACs {{ sshd_macs | join(',') }}
+{% endif %}
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
 LogLevel {{ sshd_log_level }}
@@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
 MaxAuthTries {{ sshd_max_auth_tries }}
 MaxSessions {{ sshd_max_sessions }}
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -71,12 +70,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 HostbasedAuthentication {{ sshd_hostbased_authentication }}
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts {{ sshd_ignore_rhosts }}
@@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
-# problems.
+# WARNING: 'UsePAM no' is not supported on RH based systems and may
+# cause several problems.
 UsePAM yes
 
 AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
@@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
 #PrintLastLog no
 TCPKeepAlive {{ sshd_tcp_keep_alive }}
 #UseLogin no
+{% if ansible_distribution_major_version is version('8', '<') %}
 UsePrivilegeSeparation sandbox
+{% endif %}
 #PermitUserEnvironment no
 Compression {{ sshd_compression }}
 ClientAliveInterval {{ sshd_client_alive_interval }}
 ClientAliveCountMax {{ sshd_client_alive_count_max }}
-#ShowPatchLevel no
 UseDNS {{ sshd_use_dns }}
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100

templates/etc/sysconfig/sshd.j2

@@ -0,0 +1,20 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation, adjust sshd.service options for
+# example using  systemctl enable sshd-keygen@dsa.service  to allow creation
+# of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
+# creation.
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
+
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+CRYPTO_POLICY=