
Ansible Role jm1.cloudy.sshd

This role configures the OpenSSH server (sshd) from Ansible variables. For example, it allows editing sshd's configuration file /etc/ssh/sshd_config. Variable sshd_config defines a list of tasks which this role runs in order. Each task calls an Ansible module, just like tasks in roles or playbooks, except that only a few keywords such as when are supported. For example, to disable password authentication and deny root login, define variable sshd_config in group_vars or host_vars as follows:

sshd_config:
- ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regex: '^#*PasswordAuthentication .*'
    line: 'PasswordAuthentication no'
- ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regex: '^#*PermitRootLogin .*'
    line: 'PermitRootLogin no'

First, this role installs the OpenSSH server packages which match the distribution specified in variable distribution_id. Next, it runs all tasks listed in sshd_config. Once all tasks have finished, and only if any of them reported a change (and sshd_service_state is not set to stopped), the sshd service (named in sshd_service_name) is restarted to apply the changes.
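The following is an added example of a fuller sshd_config variable; it is not taken from the role or its examples inventory. Beyond the two lineinfile tasks above, it shows two things a practitioner usually wants: letting sshd validate each edited file before it replaces the live one (the validate parameter of lineinfile and copy, with sshd's -t test mode), and writing hardening settings into a drop-in file for systems whose /etc/ssh/sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf. The drop-in matters because sshd keeps the first value it reads for a keyword, so a drop-in included near the top of sshd_config takes precedence over a later line in the main file. The path /usr/sbin/sshd, the file name 50-hardening.conf and the chosen settings are assumptions for this example.

```yaml
# Added example value for sshd_config (constructed for this README, not the
# role's own inventory). Assumptions: sshd is installed as /usr/sbin/sshd, and
# on hosts with Include /etc/ssh/sshd_config.d/*.conf the drop-in below takes
# precedence because sshd uses the first value it reads for each keyword.
sshd_config:
# Hardening settings as a drop-in file. The validate command receives the
# temporary file in %s and only lets Ansible install it when sshd accepts it.
- ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/50-hardening.conf
    owner: root
    group: root
    mode: '0600'
    content: |
      # Managed by Ansible (example settings)
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      PermitRootLogin no
      PermitEmptyPasswords no
      MaxAuthTries 3
      X11Forwarding no
    validate: /usr/sbin/sshd -t -f %s
  # Keyword "when" is the only task keyword the role's executor supports.
  when: ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_major_version'] | int >= 12

# Same settings written into the main file for hosts without drop-in support.
# Each edit is validated before it replaces /etc/ssh/sshd_config.
- ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regex: '^#*PasswordAuthentication .*'
    line: 'PasswordAuthentication no'
    validate: /usr/sbin/sshd -t -f %s
  when: not (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_major_version'] | int >= 12)

- ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regex: '^#*PermitRootLogin .*'
    line: 'PermitRootLogin no'
    validate: /usr/sbin/sshd -t -f %s
  when: not (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_major_version'] | int >= 12)
```

The when conditions above split hosts by whether their stock sshd_config includes the drop-in directory (Debian 12 is used as the example boundary; other distributions ship the Include at other versions, so adjust the condition for your fleet). Because the role only restarts sshd after all tasks finished and something changed, a file rejected by sshd -t never reaches a restart, which protects against locking yourself out of the host with a typo.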

Tested OS images

Available on Ansible Galaxy in Collection jm1.cloudy.

Requirements

This role uses module(s) from collection jm1.ansible and collection jm1.pkg. To install these collections you may follow the steps described in README.md using the provided requirements.yml.

Variables

| Name | Default value | Required | Description |
| --- | --- | --- | --- |
| distribution_id | depends on operating system | false | List which uniquely identifies a distribution release, e.g. [ 'Debian', '10' ] for Debian 10 (Buster) |
| sshd_config | [] | false | List of tasks to run (see footnotes 1, 2 and 3), e.g. to edit /etc/ssh/sshd_config |
| sshd_service_enabled | true | false | Whether the sshd service should start on boot |
| sshd_service_name | depends on distribution_id | false | Name of the sshd service, e.g. ssh on Debian and sshd on Red Hat Enterprise Linux |
| sshd_service_state | started | false | State of the sshd service |

Dependencies

| Name | Description |
| --- | --- |
| jm1.pkg.setup | Installs necessary software for module jm1.pkg.meta_pkg from collection jm1.pkg. This role is called automatically; manual execution is NOT required. |

Example Playbook

- hosts: all
  become: true
  roles:
  - name: Manage sshd service
    role: jm1.cloudy.sshd
    tags: ["jm1.cloudy.sshd"]
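As an added example (not part of the role's own examples), the playbook above can be extended with post_tasks that verify what sshd will actually enforce. The check reads the effective configuration with sshd -T instead of re-reading the edited file, so it also catches cases where a drop-in under /etc/ssh/sshd_config.d or a Match block overrides the line that was edited. It assumes sshd_config is defined in group_vars or host_vars to disable password authentication and root login, and that sshd is installed as /usr/sbin/sshd.

```yaml
# Added example playbook (constructed for this README, not the role's own).
# Assumes sshd_config in group_vars/host_vars sets PasswordAuthentication no
# and PermitRootLogin no, and that sshd is installed as /usr/sbin/sshd.
- hosts: all
  become: true
  roles:
  - name: Manage sshd service
    role: jm1.cloudy.sshd
    tags: ["jm1.cloudy.sshd"]

  post_tasks:
  # sshd -T prints the effective configuration, one lowercase "keyword value"
  # line per option, after all Include directives have been resolved.
  - name: Dump effective sshd configuration
    ansible.builtin.command: /usr/sbin/sshd -T
    register: sshd_effective
    changed_when: false
    check_mode: false

  - name: Assert that the hardening settings are in effect
    ansible.builtin.assert:
      that:
      - "'passwordauthentication no' in sshd_effective.stdout_lines"
      - "'permitrootlogin no' in sshd_effective.stdout_lines"
      fail_msg: >-
        sshd's effective configuration does not match sshd_config; a drop-in
        or Match block may be overriding the edited lines.

  # The role restarts sshd only when something changed; confirm it is up either way.
  - name: Gather service facts
    ansible.builtin.service_facts:

  - name: Assert that the sshd service is running
    ansible.builtin.assert:
      that:
      - ansible_facts['services'][sshd_service_name ~ '.service']['state'] == 'running'
      fail_msg: "Service {{ sshd_service_name }} is not running"
```

The service check reuses the role's own sshd_service_name variable, so it resolves to ssh on Debian and sshd on Red Hat Enterprise Linux without hard-coding either name. Run the play with the same inventory that carries your sshd_config, for example ansible-playbook -i inventory playbook.yml.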

For more examples on how to use this role, refer to variable sshd_config as defined in group_vars/all.yml from the provided examples inventory.

For instructions on how to run Ansible playbooks, have a look at Ansible's Getting Started Guide.

License

GNU General Public License v3.0 or later

See LICENSE.md to see the full text.

Author

Jakob Meng @jm1 (github, galaxy, web)

Footnotes

  1. Useful Ansible modules in this context could be blockinfile, copy, debconf, file, lineinfile and template.

  2. Tasks will be executed with jm1.ansible.execute_module which supports keyword when only.

  3. Tasks will be executed with jm1.ansible.execute_module which supports modules and action plugins only. Some Ansible "modules" such as ansible.builtin.meta and ansible.builtin.{include,import}_{playbook,role,tasks} are core features of Ansible that are not implemented as modules and thus cannot be called from jm1.ansible.execute_module. Doing so causes Ansible to raise errors such as MODULE FAILURE\nSee stdout/stderr for the exact error. In addition, Ansible does not support free-form parameters for arbitrary modules, so for example, change - debug: msg="" to - debug: { msg: "" }.