diff --git a/defaults/main.yml b/defaults/main.yml
index fd0646e..94e63c9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -37,9 +37,6 @@ sshd_sysconfig_override_crypto_policy: false
 # generator
 sshd_sysconfig_use_strong_rng: 0
 
-# Empty dicts to avoid errors
-sshd_config: {}
-
 # The path to sshd_config file. This is useful when creating an included
 # configuration file snippet or configuring second sshd service
 sshd_config_file: "{{ __sshd_config_file }}"
diff --git a/meta/10_top.j2 b/meta/10_top.j2
index 68ccf60..474e760 100644
--- a/meta/10_top.j2
+++ b/meta/10_top.j2
@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none and
 sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
diff --git a/meta/30_bottom.j2 b/meta/30_bottom.j2
index 8739e13..3c2a43b 100644
--- a/meta/30_bottom.j2
+++ b/meta/30_bottom.j2
@@ -1,5 +1,5 @@
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}
diff --git a/tasks/certificates.yml b/tasks/certificates.yml
index eb82454..c949350 100644
--- a/tasks/certificates.yml
+++ b/tasks/certificates.yml
@@ -6,7 +6,7 @@
       {% if sshd_TrustedUserCAKeys is defined %}
       {{ sshd_TrustedUserCAKeys | to_json }}
       {% else %}
-      {{ sshd_config['TrustedUserCAKeys'] | to_json }}
+      {{ __sshd_config['TrustedUserCAKeys'] | to_json }}
       {% endif %}
   block:
     - name: Create Trusted user CA Keys directory
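Review bot: Removing `sshd_config: {}` from defaults/main.yml also removes the only line in the defaults file that named `sshd_config` as a role input, so someone reading defaults to learn the role's interface no longer sees its primary variable. A commented entry in its place would keep that discoverable, for example `# sshd_config: dictionary of sshd_config options; unset by default, read by the role through __sshd_config (which also honours the deprecated sshd variable)`. Because the variable is now undefined unless the caller sets it, any template or task outside this diff that still indexes `sshd_config[...]` directly would fail with an undefined-variable error, so it is worth confirming that every reference has been moved to `__sshd_config`.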
@@ -32,7 +32,7 @@
       {% if sshd_AuthorizedPrincipalsFile is defined %}
       {{ sshd_AuthorizedPrincipalsFile | to_json }}
       {% else %}
-      {{ sshd_config['AuthorizedPrincipalsFile'] | to_json }}
+      {{ __sshd_config['AuthorizedPrincipalsFile'] | to_json }}
       {% endif %}
   when: sshd_principals != {}
   block:
diff --git a/tasks/find_ports.yml b/tasks/find_ports.yml
index 34fdef5..ec4a874 100644
--- a/tasks/find_ports.yml
+++ b/tasks/find_ports.yml
@@ -6,8 +6,8 @@
     __sshd_ports_from_config_tmp: >-
       {% if sshd_Port is defined %}
       {{ sshd_Port | to_json }}
-      {% elif sshd_config['Port'] is defined %}
-      {{ sshd_config['Port'] | to_json }}
+      {% elif __sshd_config['Port'] is defined %}
+      {{ __sshd_config['Port'] | to_json }}
       {% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
       {{ __sshd_defaults['Port'] | to_json }}
       {% else %}
diff --git a/tasks/install.yml b/tasks/install.yml
index e7742f4..9e868fe 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -33,7 +33,8 @@
     - __sshd_hostkeys_nofips | d([])
 
 - name: Make sure hostkeys are available and have expected permissions
-  vars: &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+  vars:
+    &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
     __sshd_fips_mode: >-
       {{ __sshd_hostkeys_nofips | d([]) and
          (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
@@ -43,8 +44,8 @@
     __sshd_hostkeys_from_config: >-
       {% if sshd_HostKey is defined %}
       {{ sshd_HostKey | to_json }}
-      {% elif sshd_config['HostKey'] is defined %}
-      {{ sshd_config['HostKey'] | to_json }}
+      {% elif __sshd_config['HostKey'] is defined %}
+      {{ __sshd_config['HostKey'] | to_json }}
       {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
       {% if __sshd_fips_mode %}
       {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
diff --git a/tasks/main.yml b/tasks/main.yml
index 8098812..74b6598 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
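Review bot: In the first tasks/install.yml hunk the `'MAo='` comment now sits on the `&share_vars` anchor line, two lines away from the `d('MAo=')` it explains, and it does not say what the default means for the decision being made. Reading the context lines, the default applies when `__sshd_kernel_fips_mode.content` is absent, and because it decodes to `'0'` the host is then treated as not in FIPS mode, which is the branch that keeps the `__sshd_hostkeys_nofips` key types; that fail-open choice is worth stating where the reader will look for it. I would leave the anchor line bare and put `# 'MAo=' is '0\n' in base64: if fips_enabled could not be read, assume the host is NOT in FIPS mode` directly above `__sshd_fips_mode: >-`. The task that owns this vars block starts in the hunk but its body continues past it.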
@@ -1,17 +1,11 @@
 ---
-- name: Link the deprecated sshd fact
+- name: Print that the sshd variable is deprecated
   when: sshd is defined
-  block:
-    - name: Print that the sshd variable is deprecated
-      ansible.builtin.debug:
-        msg: >-
-          The sshd variable is deprecated and will be removed
-          in a future version. Edit your playbook to use
-          the sshd_config variable instead.
-
-    - name: Link the deprecated sshd fact
-      ansible.builtin.set_fact:
-        sshd_config: "{{ sshd }}"
+  ansible.builtin.debug:
+    msg: >-
+      The sshd variable is deprecated and will be removed
+      in a future version. Edit your playbook to use
+      the sshd_config variable instead.
 
 - name: Invoke the role, if enabled
   ansible.builtin.include_tasks: sshd.yml
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index af0a02f..adcfeb7 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -23,8 +23,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none and
 sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -250,8 +250,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index f89a29f..07d4c9c 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
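Review bot: With the `set_fact` task gone, `sshd_config` is no longer published as a host fact when only the legacy `sshd` variable is set, so a playbook that read `sshd_config` after this role ran (relying on the old aliasing) now finds it undefined; the deprecation message does not mention that. The message is also silent on precedence, which the vars/main.yml hunk in this diff establishes as `sshd_config` winning over `sshd` whenever it is set and non-empty. A short addition would cover both: `The sshd variable is only used when sshd_config is unset or empty, and it is no longer copied into sshd_config.`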
@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none and
 sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -248,8 +248,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}
diff --git a/vars/main.yml b/vars/main.yml
index eeeb5c7..bc38b5e 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,4 +1,5 @@
 ---
+__sshd_config: "{{ sshd_config | default({}) or sshd | default({}) }}"
 __sshd_config_file: "/etc/ssh/sshd_config"
 __sshd_config_owner: "root"
 __sshd_config_group: "root"
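Review bot: The `or` in the new `__sshd_config` line falls back to the deprecated `sshd` dictionary whenever `sshd_config` is empty, not only when it is unset, because Jinja `or` yields the first truthy operand and `{}` is falsy. A caller who deliberately sets `sshd_config: {}` to disable the dictionary while an inventory or group_vars file still carries an old `sshd` mapping will silently get the legacy options rendered into sshd_config, which is a surprising source of configuration for a security-relevant file. If the intent is "sshd_config when defined, otherwise sshd", `__sshd_config: "{{ sshd_config if sshd_config is defined else (sshd | default({})) }}"` expresses that exactly; if the empty-dict fallback is intended, a comment above the line should say so, since nothing else in the role documents it.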