feat: add test for Rocky Linux 8 #1
@ -71,7 +71,7 @@ local PipelineDeployment(scenario='centos7') = {
|
|||||||
'linting',
|
'linting',
|
||||||
],
|
],
|
||||||
trigger: {
|
trigger: {
|
||||||
ref: ['refs/heads/master', 'refs/tags/**'],
|
ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -116,6 +116,7 @@ local PipelineDocumentation = {
|
|||||||
},
|
},
|
||||||
depends_on: [
|
depends_on: [
|
||||||
'testing-centos7',
|
'testing-centos7',
|
||||||
|
'testing-rocky8',
|
||||||
],
|
],
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -154,6 +155,7 @@ local PipelineNotification = {
|
|||||||
[
|
[
|
||||||
PipelineLinting,
|
PipelineLinting,
|
||||||
PipelineDeployment(scenario='centos7'),
|
PipelineDeployment(scenario='centos7'),
|
||||||
|
PipelineDeployment(scenario='rocky8'),
|
||||||
PipelineDocumentation,
|
PipelineDocumentation,
|
||||||
PipelineNotification,
|
PipelineNotification,
|
||||||
]
|
]
|
||||||
|
37
.drone.yml
37
.drone.yml
@ -62,6 +62,40 @@ trigger:
|
|||||||
ref:
|
ref:
|
||||||
- refs/heads/master
|
- refs/heads/master
|
||||||
- refs/tags/**
|
- refs/tags/**
|
||||||
|
- refs/pull/**
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- linting
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
name: testing-rocky8
|
||||||
|
|
||||||
|
platform:
|
||||||
|
os: linux
|
||||||
|
arch: amd64
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
limit: 1
|
||||||
|
|
||||||
|
workspace:
|
||||||
|
base: /drone/src
|
||||||
|
path: ${DRONE_REPO_NAME}
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: ansible-molecule
|
||||||
|
image: thegeeklab/molecule:3
|
||||||
|
commands:
|
||||||
|
- molecule test -s rocky8
|
||||||
|
environment:
|
||||||
|
HCLOUD_TOKEN:
|
||||||
|
from_secret: hcloud_token
|
||||||
|
|
||||||
|
trigger:
|
||||||
|
ref:
|
||||||
|
- refs/heads/master
|
||||||
|
- refs/tags/**
|
||||||
|
- refs/pull/**
|
||||||
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- linting
|
- linting
|
||||||
@ -108,6 +142,7 @@ trigger:
|
|||||||
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- testing-centos7
|
- testing-centos7
|
||||||
|
- testing-rocky8
|
||||||
|
|
||||||
---
|
---
|
||||||
kind: pipeline
|
kind: pipeline
|
||||||
@ -147,6 +182,6 @@ depends_on:
|
|||||||
|
|
||||||
---
|
---
|
||||||
kind: signature
|
kind: signature
|
||||||
hmac: 6fb4bbe578d0a67f6def789d5b7a11d422bca42f07695c24fac97950f02cf51a
|
hmac: 4e3ffd7002957963c30b32275a59b62e7c19a1ccf7bd40369411bca13d94614e
|
||||||
|
|
||||||
...
|
...
|
||||||
|
@ -1,15 +1,16 @@
|
|||||||
---
|
---
|
||||||
sshd_protocol: 2
|
sshd_protocol: 2
|
||||||
sshd_permit_root_login: 'yes'
|
sshd_permit_root_login: "yes"
|
||||||
sshd_permit_empty_passwords: 'no'
|
sshd_permit_empty_passwords: "no"
|
||||||
sshd_password_authentication: 'no'
|
sshd_password_authentication: "no"
|
||||||
sshd_gssapi_authentication: 'yes'
|
sshd_gssapi_authentication: "no"
|
||||||
sshd_strict_modes: 'yes'
|
sshd_strict_modes: "yes"
|
||||||
sshd_allow_groups: []
|
sshd_allow_groups: []
|
||||||
sshd_ignore_rhosts: 'yes'
|
sshd_ignore_rhosts: "yes"
|
||||||
sshd_hostbased_authentication: 'no'
|
sshd_hostbased_authentication: "no"
|
||||||
sshd_client_alive_interval: 900
|
sshd_client_alive_interval: 900
|
||||||
sshd_client_alive_count_max: 0
|
sshd_client_alive_count_max: 0
|
||||||
|
|
||||||
sshd_ciphers:
|
sshd_ciphers:
|
||||||
- chacha20-poly1305@openssh.com
|
- chacha20-poly1305@openssh.com
|
||||||
- aes256-gcm@openssh.com
|
- aes256-gcm@openssh.com
|
||||||
@ -17,33 +18,37 @@ sshd_ciphers:
|
|||||||
- aes256-ctr
|
- aes256-ctr
|
||||||
- aes192-ctr
|
- aes192-ctr
|
||||||
- aes128-ctr
|
- aes128-ctr
|
||||||
|
|
||||||
sshd_kex:
|
sshd_kex:
|
||||||
- curve25519-sha256@libssh.org
|
- curve25519-sha256@libssh.org
|
||||||
- diffie-hellman-group-exchange-sha256
|
- diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
sshd_moduli_minimum: 2048
|
sshd_moduli_minimum: 2048
|
||||||
|
|
||||||
sshd_macs:
|
sshd_macs:
|
||||||
- hmac-sha2-512-etm@openssh.com
|
- hmac-sha2-512-etm@openssh.com
|
||||||
- hmac-sha2-256-etm@openssh.com
|
- hmac-sha2-256-etm@openssh.com
|
||||||
- hmac-ripemd160-etm@openssh.com
|
|
||||||
- umac-128-etm@openssh.com
|
- umac-128-etm@openssh.com
|
||||||
- hmac-sha2-512
|
- hmac-sha2-512
|
||||||
- hmac-sha2-256
|
- hmac-sha2-256
|
||||||
- hmac-ripemd160
|
- umac-128@openssh.com
|
||||||
sshd_allow_agent_forwarding: 'no'
|
|
||||||
sshd_x11_forwarding: 'yes'
|
sshd_allow_agent_forwarding: "no"
|
||||||
sshd_allow_tcp_forwarding: 'yes'
|
sshd_x11_forwarding: "yes"
|
||||||
|
sshd_allow_tcp_forwarding: "yes"
|
||||||
sshd_compression: delayed
|
sshd_compression: delayed
|
||||||
sshd_log_level: INFO
|
sshd_log_level: INFO
|
||||||
sshd_max_auth_tries: 6
|
sshd_max_auth_tries: 6
|
||||||
sshd_max_sessions: 10
|
sshd_max_sessions: 10
|
||||||
sshd_tcp_keep_alive: 'yes'
|
sshd_tcp_keep_alive: "yes"
|
||||||
sshd_use_dns: 'yes'
|
sshd_use_dns: "no"
|
||||||
|
|
||||||
|
sshd_disable_crypto_policy: False
|
||||||
|
|
||||||
# @var sshd_challenge_response_authentication:description: >
|
# @var sshd_challenge_response_authentication:description: >
|
||||||
# If you disable password auth you should disable
|
# If you disable password auth you should disable ChallengeResponseAuth also.
|
||||||
# ChallengeResponseAuth also.
|
|
||||||
# @end
|
# @end
|
||||||
sshd_challenge_response_authentication: 'no'
|
sshd_challenge_response_authentication: "no"
|
||||||
|
|
||||||
# @var sshd_google_auth_enabled:description: >
|
# @var sshd_google_auth_enabled:description: >
|
||||||
# Google Authenticator required ChallengeResponseAuth!
|
# Google Authenticator required ChallengeResponseAuth!
|
||||||
|
@ -1 +1 @@
|
|||||||
centos7
|
rocky8
|
5
molecule/rocky8/converge.yml
Normal file
5
molecule/rocky8/converge.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
roles:
|
||||||
|
- role: xoxys.sshd
|
120
molecule/rocky8/create.yml
Normal file
120
molecule/rocky8/create.yml
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
---
|
||||||
|
- name: Create
|
||||||
|
hosts: localhost
|
||||||
|
connection: local
|
||||||
|
gather_facts: false
|
||||||
|
no_log: "{{ molecule_no_log }}"
|
||||||
|
vars:
|
||||||
|
ssh_port: 22
|
||||||
|
ssh_user: root
|
||||||
|
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
|
||||||
|
tasks:
|
||||||
|
- name: Create SSH key
|
||||||
|
user:
|
||||||
|
name: "{{ lookup('env', 'USER') }}"
|
||||||
|
generate_ssh_key: true
|
||||||
|
ssh_key_file: "{{ ssh_path }}"
|
||||||
|
force: true
|
||||||
|
register: generated_ssh_key
|
||||||
|
|
||||||
|
- name: Register the SSH key name
|
||||||
|
set_fact:
|
||||||
|
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
|
||||||
|
|
||||||
|
- name: Register SSH key for test instance(s)
|
||||||
|
hcloud_ssh_key:
|
||||||
|
name: "{{ ssh_key_name }}"
|
||||||
|
public_key: "{{ generated_ssh_key.ssh_public_key }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Create molecule instance(s)
|
||||||
|
hcloud_server:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
server_type: "{{ item.server_type }}"
|
||||||
|
ssh_keys:
|
||||||
|
- "{{ ssh_key_name }}"
|
||||||
|
image: "{{ item.image }}"
|
||||||
|
location: "{{ item.location | default(omit) }}"
|
||||||
|
datacenter: "{{ item.datacenter | default(omit) }}"
|
||||||
|
user_data: "{{ item.user_data | default(omit) }}"
|
||||||
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||||
|
state: present
|
||||||
|
register: server
|
||||||
|
loop: "{{ molecule_yml.platforms }}"
|
||||||
|
async: 7200
|
||||||
|
poll: 0
|
||||||
|
|
||||||
|
- name: Wait for instance(s) creation to complete
|
||||||
|
async_status:
|
||||||
|
jid: "{{ item.ansible_job_id }}"
|
||||||
|
register: hetzner_jobs
|
||||||
|
until: hetzner_jobs.finished
|
||||||
|
retries: 300
|
||||||
|
loop: "{{ server.results }}"
|
||||||
|
|
||||||
|
- name: Create volume(s)
|
||||||
|
hcloud_volume:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
server: "{{ item.name }}"
|
||||||
|
location: "{{ item.location | default(omit) }}"
|
||||||
|
size: "{{ item.volume_size | default(10) }}"
|
||||||
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||||
|
state: "present"
|
||||||
|
loop: "{{ molecule_yml.platforms }}"
|
||||||
|
when: item.volume | default(False) | bool
|
||||||
|
register: volumes
|
||||||
|
async: 7200
|
||||||
|
poll: 0
|
||||||
|
|
||||||
|
- name: Wait for volume(s) creation to complete
|
||||||
|
async_status:
|
||||||
|
jid: "{{ item.ansible_job_id }}"
|
||||||
|
register: hetzner_volumes
|
||||||
|
until: hetzner_volumes.finished
|
||||||
|
retries: 300
|
||||||
|
when: volumes.changed
|
||||||
|
loop: "{{ volumes.results }}"
|
||||||
|
|
||||||
|
# Mandatory configuration for Molecule to function.
|
||||||
|
|
||||||
|
- name: Populate instance config dict
|
||||||
|
set_fact:
|
||||||
|
instance_conf_dict:
|
||||||
|
{
|
||||||
|
"instance": "{{ item.hcloud_server.name }}",
|
||||||
|
"ssh_key_name": "{{ ssh_key_name }}",
|
||||||
|
"address": "{{ item.hcloud_server.ipv4_address }}",
|
||||||
|
"user": "{{ ssh_user }}",
|
||||||
|
"port": "{{ ssh_port }}",
|
||||||
|
"identity_file": "{{ ssh_path }}",
|
||||||
|
"volume": "{{ item.item.item.volume | default(False) | bool }}",
|
||||||
|
}
|
||||||
|
loop: "{{ hetzner_jobs.results }}"
|
||||||
|
register: instance_config_dict
|
||||||
|
when: server.changed | bool
|
||||||
|
|
||||||
|
- name: Convert instance config dict to a list
|
||||||
|
set_fact:
|
||||||
|
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
|
||||||
|
when: server.changed | bool
|
||||||
|
|
||||||
|
- name: Dump instance config
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
# Molecule managed
|
||||||
|
|
||||||
|
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||||
|
dest: "{{ molecule_instance_config }}"
|
||||||
|
when: server.changed | bool
|
||||||
|
|
||||||
|
- name: Wait for SSH
|
||||||
|
wait_for:
|
||||||
|
port: "{{ ssh_port }}"
|
||||||
|
host: "{{ item.address }}"
|
||||||
|
search_regex: SSH
|
||||||
|
delay: 10
|
||||||
|
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
|
||||||
|
|
||||||
|
- name: Wait for VM to settle down
|
||||||
|
pause:
|
||||||
|
seconds: 30
|
78
molecule/rocky8/destroy.yml
Normal file
78
molecule/rocky8/destroy.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
---
|
||||||
|
- name: Destroy
|
||||||
|
hosts: localhost
|
||||||
|
connection: local
|
||||||
|
gather_facts: false
|
||||||
|
no_log: "{{ molecule_no_log }}"
|
||||||
|
tasks:
|
||||||
|
- name: Check existing instance config file
|
||||||
|
stat:
|
||||||
|
path: "{{ molecule_instance_config }}"
|
||||||
|
register: cfg
|
||||||
|
|
||||||
|
- name: Populate the instance config
|
||||||
|
set_fact:
|
||||||
|
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
|
||||||
|
|
||||||
|
- name: Destroy molecule instance(s)
|
||||||
|
hcloud_server:
|
||||||
|
name: "{{ item.instance }}"
|
||||||
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||||
|
state: absent
|
||||||
|
register: server
|
||||||
|
loop: "{{ instance_conf }}"
|
||||||
|
async: 7200
|
||||||
|
poll: 0
|
||||||
|
|
||||||
|
- name: Wait for instance(s) deletion to complete
|
||||||
|
async_status:
|
||||||
|
jid: "{{ item.ansible_job_id }}"
|
||||||
|
register: hetzner_jobs
|
||||||
|
until: hetzner_jobs.finished
|
||||||
|
retries: 300
|
||||||
|
loop: "{{ server.results }}"
|
||||||
|
|
||||||
|
- pause:
|
||||||
|
seconds: 5
|
||||||
|
|
||||||
|
- name: Destroy volume(s)
|
||||||
|
hcloud_volume:
|
||||||
|
name: "{{ item.instance }}"
|
||||||
|
server: "{{ item.instance }}"
|
||||||
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||||
|
state: "absent"
|
||||||
|
register: volumes
|
||||||
|
loop: "{{ instance_conf }}"
|
||||||
|
when: item.volume | default(False) | bool
|
||||||
|
async: 7200
|
||||||
|
poll: 0
|
||||||
|
|
||||||
|
- name: Wait for volume(s) deletion to complete
|
||||||
|
async_status:
|
||||||
|
jid: "{{ item.ansible_job_id }}"
|
||||||
|
register: hetzner_volumes
|
||||||
|
until: hetzner_volumes.finished
|
||||||
|
retries: 300
|
||||||
|
when: volumes.changed
|
||||||
|
loop: "{{ volumes.results }}"
|
||||||
|
|
||||||
|
- name: Remove registered SSH key
|
||||||
|
hcloud_ssh_key:
|
||||||
|
name: "{{ instance_conf[0].ssh_key_name }}"
|
||||||
|
state: absent
|
||||||
|
when: (instance_conf | default([])) | length > 0
|
||||||
|
|
||||||
|
# Mandatory configuration for Molecule to function.
|
||||||
|
|
||||||
|
- name: Populate instance config
|
||||||
|
set_fact:
|
||||||
|
instance_conf: {}
|
||||||
|
|
||||||
|
- name: Dump instance config
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
# Molecule managed
|
||||||
|
|
||||||
|
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||||
|
dest: "{{ molecule_instance_config }}"
|
||||||
|
when: server.changed | bool
|
24
molecule/rocky8/molecule.yml
Normal file
24
molecule/rocky8/molecule.yml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
dependency:
|
||||||
|
name: galaxy
|
||||||
|
options:
|
||||||
|
role-file: molecule/requirements.yml
|
||||||
|
requirements-file: molecule/requirements.yml
|
||||||
|
env:
|
||||||
|
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
|
||||||
|
driver:
|
||||||
|
name: delegated
|
||||||
|
platforms:
|
||||||
|
- name: rocky8-sshd
|
||||||
|
image: rocky-8
|
||||||
|
server_type: cx11
|
||||||
|
lint: |
|
||||||
|
/usr/local/bin/flake8
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
env:
|
||||||
|
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
|
||||||
|
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
|
||||||
|
log: False
|
||||||
|
verifier:
|
||||||
|
name: testinfra
|
15
molecule/rocky8/prepare.yml
Normal file
15
molecule/rocky8/prepare.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
gather_facts: false
|
||||||
|
tasks:
|
||||||
|
- name: Bootstrap python for Ansible
|
||||||
|
raw: |
|
||||||
|
command -v python3 python || (
|
||||||
|
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
|
||||||
|
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||||
|
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
|
||||||
|
echo "Warning: Python not boostrapped due to unknown platform."
|
||||||
|
)
|
||||||
|
become: true
|
||||||
|
changed_when: false
|
16
molecule/rocky8/tests/test_default.py
Normal file
16
molecule/rocky8/tests/test_default.py
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
|
import testinfra.utils.ansible_runner
|
||||||
|
|
||||||
|
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||||
|
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||||
|
).get_hosts("all")
|
||||||
|
|
||||||
|
|
||||||
|
def test_sshd_config_file(host):
|
||||||
|
sshd = host.file("/etc/ssh/sshd_config")
|
||||||
|
|
||||||
|
assert sshd.exists
|
||||||
|
assert sshd.user == "root"
|
||||||
|
assert sshd.group == "root"
|
||||||
|
assert sshd.mode == 0o600
|
@ -1,4 +1,9 @@
|
|||||||
---
|
---
|
||||||
|
- name: Gather package facts
|
||||||
|
package_facts:
|
||||||
|
check_mode: False
|
||||||
|
when: sshd_disable_crypto_policy | bool
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Hardening sshd config
|
- name: Hardening sshd config
|
||||||
template:
|
template:
|
||||||
@ -16,8 +21,9 @@
|
|||||||
check_mode: no
|
check_mode: no
|
||||||
|
|
||||||
- name: Remove all small primes
|
- name: Remove all small primes
|
||||||
shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
shell:
|
||||||
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
||||||
|
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
||||||
notify: __sshd_restart
|
notify: __sshd_restart
|
||||||
when: __sshd_register_moduli.stdout
|
when: __sshd_register_moduli.stdout
|
||||||
|
|
||||||
@ -26,5 +32,16 @@
|
|||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ sshd_allow_groups }}"
|
loop: "{{ sshd_allow_groups }}"
|
||||||
|
|
||||||
|
- name: Disable SSH server CRYPTO_POLICY
|
||||||
|
copy:
|
||||||
|
src: etc/sysconfig/sshd
|
||||||
|
dest: /etc/sysconfig/sshd
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0640"
|
||||||
|
when:
|
||||||
|
- sshd_disable_crypto_policy | bool
|
||||||
|
- ('crypto-policies' in ansible_facts.packages)
|
||||||
become: True
|
become: True
|
||||||
become_user: root
|
become_user: root
|
||||||
|
@ -5,18 +5,30 @@
|
|||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
loop:
|
loop:
|
||||||
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
|
- path: sshd/permitroot
|
||||||
- { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" }
|
value: "{{ sshd_permit_root_login | default('') }}"
|
||||||
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" }
|
- path: sshd/PermitEmptyPasswords
|
||||||
- { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" }
|
value: "{{ sshd_permit_empty_passwords | default('') }}"
|
||||||
- { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" }
|
- path: sshd/permitroot
|
||||||
- { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" }
|
value: "{{ sshd_permit_root_login | default('') }}"
|
||||||
- { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" }
|
- path: sshd/passwordauthentication
|
||||||
- { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" }
|
value: "{{ sshd_password_authentication | default('') }}"
|
||||||
- { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" }
|
- path: sshd/challengeresponse
|
||||||
- { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" }
|
value: "{{ sshd_password_authentication | default('') }}"
|
||||||
- { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" }
|
- path: sshd/IgnoreRhosts
|
||||||
- { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" }
|
value: "{{ sshd_ignore_rhosts | default('') }}"
|
||||||
|
- path: sshd/HostbasedAuthentication
|
||||||
|
value: "{{ sshd_hostbased_authentication | default('') }}"
|
||||||
|
- path: sshd/ClientAliveInterval
|
||||||
|
value: "{{ sshd_client_alive_interval | default('') }}"
|
||||||
|
- path: sshd/ClientAliveCountMax
|
||||||
|
value: "{{ sshd_client_alive_count_max | default('') }}"
|
||||||
|
- path: sshd/Ciphers
|
||||||
|
value: "{{ sshd_ciphers | default('[]') | join(',') }}"
|
||||||
|
- path: sshd/KexAlgorithms
|
||||||
|
value: "{{ sshd_kex | default('[]') | join(',') }}"
|
||||||
|
- path: sshd/MACs
|
||||||
|
value: "{{ sshd_macs | default('[]') | join(',') }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "variable: {{ item.path }}={{ item.value }}"
|
label: "variable: {{ item.path }}={{ item.value }}"
|
||||||
notify: __sshd_restart
|
notify: __sshd_restart
|
||||||
@ -30,7 +42,7 @@
|
|||||||
- name: Create SSH Usergroup
|
- name: Create SSH Usergroup
|
||||||
group:
|
group:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
system: 'yes'
|
system: "yes"
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ sshd_allow_groups }}"
|
loop: "{{ sshd_allow_groups }}"
|
||||||
become: True
|
become: True
|
||||||
|
@ -1,9 +1,8 @@
|
|||||||
#jinja2: lstrip_blocks: True
|
#jinja2: lstrip_blocks: True
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
|
||||||
|
|
||||||
# This is the sshd server system-wide configuration file. See
|
# This is the sshd server system-wide configuration file.
|
||||||
# sshd_config(5) for more information.
|
# See sshd_config(5) for more information.
|
||||||
|
|
||||||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
||||||
|
|
||||||
@ -20,30 +19,31 @@
|
|||||||
#AddressFamily any
|
#AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
#ListenAddress 0.0.0.0
|
||||||
#ListenAddress ::
|
#ListenAddress ::
|
||||||
|
{% if ansible_distribution_major_version is version('8', '<') %}
|
||||||
|
|
||||||
# The default requires explicit activation of protocol 1
|
|
||||||
Protocol {{ sshd_protocol }}
|
Protocol {{ sshd_protocol }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# HostKey for protocol version 1
|
|
||||||
#HostKey /etc/ssh/ssh_host_key
|
|
||||||
# HostKeys for protocol version 2
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
# Lifetime and size of ephemeral version 1 server key
|
|
||||||
#KeyRegenerationInterval 1h
|
|
||||||
#ServerKeyBits 1024
|
|
||||||
|
|
||||||
# Ciphers and keying
|
# Ciphers and keying
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
{% if not sshd_disable_crypto_policy | bool %}
|
||||||
|
# This system is following system-wide crypto policy. The changes to
|
||||||
|
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
||||||
|
# They will be overridden by command-line options passed to the server
|
||||||
|
# on command line.
|
||||||
|
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||||
|
{% else %}
|
||||||
Ciphers {{ sshd_ciphers | join(',') }}
|
Ciphers {{ sshd_ciphers | join(',') }}
|
||||||
KexAlgorithms {{ sshd_kex | join(',') }}
|
KexAlgorithms {{ sshd_kex | join(',') }}
|
||||||
MACs {{ sshd_macs | join(',') }}
|
MACs {{ sshd_macs | join(',') }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# Logging
|
# Logging
|
||||||
# obsoletes QuietMode and FascistLogging
|
|
||||||
#SyslogFacility AUTH
|
#SyslogFacility AUTH
|
||||||
SyslogFacility AUTHPRIV
|
SyslogFacility AUTHPRIV
|
||||||
LogLevel {{ sshd_log_level }}
|
LogLevel {{ sshd_log_level }}
|
||||||
@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
|
|||||||
MaxAuthTries {{ sshd_max_auth_tries }}
|
MaxAuthTries {{ sshd_max_auth_tries }}
|
||||||
MaxSessions {{ sshd_max_sessions }}
|
MaxSessions {{ sshd_max_sessions }}
|
||||||
|
|
||||||
#RSAAuthentication yes
|
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
@ -71,12 +70,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||||||
#AuthorizedKeysCommand none
|
#AuthorizedKeysCommand none
|
||||||
#AuthorizedKeysCommandUser nobody
|
#AuthorizedKeysCommandUser nobody
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|
||||||
#RhostsRSAAuthentication no
|
|
||||||
# similar for protocol version 2
|
|
||||||
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
||||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
|
||||||
#IgnoreUserKnownHosts no
|
#IgnoreUserKnownHosts no
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
IgnoreRhosts {{ sshd_ignore_rhosts }}
|
IgnoreRhosts {{ sshd_ignore_rhosts }}
|
||||||
@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
|
|||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
# WARNING: 'UsePAM no' is not supported on RH based systems and may
|
||||||
# problems.
|
# cause several problems.
|
||||||
UsePAM yes
|
UsePAM yes
|
||||||
|
|
||||||
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
||||||
@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
|
|||||||
#PrintLastLog no
|
#PrintLastLog no
|
||||||
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
|
{% if ansible_distribution_major_version is version('8', '<') %}
|
||||||
UsePrivilegeSeparation sandbox
|
UsePrivilegeSeparation sandbox
|
||||||
|
{% endif %}
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
Compression {{ sshd_compression }}
|
Compression {{ sshd_compression }}
|
||||||
ClientAliveInterval {{ sshd_client_alive_interval }}
|
ClientAliveInterval {{ sshd_client_alive_interval }}
|
||||||
ClientAliveCountMax {{ sshd_client_alive_count_max }}
|
ClientAliveCountMax {{ sshd_client_alive_count_max }}
|
||||||
#ShowPatchLevel no
|
|
||||||
UseDNS {{ sshd_use_dns }}
|
UseDNS {{ sshd_use_dns }}
|
||||||
#PidFile /var/run/sshd.pid
|
#PidFile /var/run/sshd.pid
|
||||||
#MaxStartups 10:30:100
|
#MaxStartups 10:30:100
|
||||||
|
20
templates/etc/sysconfig/sshd.j2
Normal file
20
templates/etc/sysconfig/sshd.j2
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# Configuration file for the sshd service.
|
||||||
|
|
||||||
|
# The server keys are automatically generated if they are missing.
|
||||||
|
# To change the automatic creation, adjust sshd.service options for
|
||||||
|
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||||
|
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||||
|
# creation.
|
||||||
|
|
||||||
|
# Do not change this option unless you have hardware random
|
||||||
|
# generator and you REALLY know what you are doing
|
||||||
|
|
||||||
|
SSH_USE_STRONG_RNG=0
|
||||||
|
# SSH_USE_STRONG_RNG=1
|
||||||
|
|
||||||
|
# System-wide crypto policy:
|
||||||
|
# To opt-out, uncomment the following line
|
||||||
|
CRYPTO_POLICY=
|
Loading…
Reference in New Issue
Block a user