fix: fix crypto policy integration

defaults/main.yml

@@ -43,7 +43,7 @@ sshd_max_sessions: 10
 sshd_tcp_keep_alive: "yes"
 sshd_use_dns: "no"
 
-sshd_disable_crypto_policy: False
+sshd_crypto_policy_enabled: True
 
 # @var sshd_challenge_response_authentication:description: >
 # If you disable password auth you should disable ChallengeResponseAuth also.

tasks/ssh_default.yml

@@ -2,7 +2,7 @@
 - name: Gather package facts
   package_facts:
   check_mode: False
-  when: sshd_disable_crypto_policy | bool
+  when: not sshd_crypto_policy_enabled | bool
 
 - block:
     - name: Hardening sshd config
@@ -27,7 +27,7 @@
       notify: __sshd_restart
       when: __sshd_register_moduli.stdout
 
-    - name: Create SSH Usergroup
+    - name: Create SSH usergroup
       group:
         name: "{{ item }}"
         state: present
@@ -40,8 +40,6 @@
         owner: root
         group: root
         mode: 0640
-      when:
+      when: 'crypto-policies' in ansible_facts.packages
-        - sshd_disable_crypto_policy | bool
-        - ('crypto-policies' in ansible_facts.packages)
   become: True
   become_user: root

templates/etc/ssh/sshd_config.j2

@@ -31,7 +31,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 
-{% if not sshd_disable_crypto_policy | bool %}
+{% if sshd_crypto_policy_enabled | bool %}
 # This system is following system-wide crypto policy. The changes to
 # crypto properties (Ciphers, MACs, ...) will not have any effect here.
 # They will be overridden by command-line options passed to the server

templates/etc/sysconfig/sshd.j2

@@ -14,7 +14,8 @@
 
 SSH_USE_STRONG_RNG=0
 # SSH_USE_STRONG_RNG=1
+{% if not sshd_crypto_policy_enabled | bool %}
 
-# System-wide crypto policy:
+# Disable system-wide crypto policy
-# To opt-out, uncomment the following line
 CRYPTO_POLICY=
+{% endif %}