Merge pull request #89 from tterranigma/systemd

Adds ability to install a systemd service

README.md

@@ -44,25 +44,40 @@ Role variables
 Unconfigured, this role will provide a sshd_config that matches the OS default,
 minus the comments and in a different order.
 
-* sshd_skip_defaults
+* `sshd_skip_defaults`
 
 If set to True, don't apply default values. This means that you must have a
 complete set of configuration defaults via either the sshd dict, or sshd_Key
 variables. Defaults to *False*.
 
-* sshd_manage_service
+* `sshd_manage_service`
 
-If set to False, the service/daemon won't be touched at all, i.e. will not try
-to enable on boot or start or reload the service.  Defaults to *True* unless
-running inside a docker container (it is assumed ansible is used during build
-phase).
+If set to False, the service/daemon won't be **managed** at all, i.e. will not
+try to enable on boot or start or reload the service.  Defaults to *True*
+unless running inside a docker container (it is assumed ansible is used during
+build phase).
 
-* sshd_allow_reload
+* `sshd_allow_reload`
 
 If set to False, a reload of sshd wont happen on change. This can help with
 troubleshooting. You'll need to manually reload sshd if you want to apply the
 changed configuration. Defaults to the same value as ``sshd_manage_service``.
 
+* `sshd_install_service`
+
+If set to True, the role will install service files for the ssh service.
+Defaults to False.
+
+The templates for the service files to be used are pointed to by the variables
+
+  - `sshd_service_template_service` (__default__: _templates/sshd.service.j2_)
+  - `sshd_service_template_at_service` (__default__: _templates/[email protected]_)
+  - `sshd_service_template_socket` (__default__: _templates/sshd.socket.j2_)
+
+Using these variables, you can use your own custom templates. With the above
+default templates, the name of the installed ssh service will be provided by
+the `sshd_service` variable.
+
 * sshd
 
 A dict containing configuration.  e.g.
@@ -74,7 +89,7 @@ sshd:
     - 0.0.0.0
 ```
 
-* ssh_...
+* `ssh_...`
 
 Simple variables can be used rather than a dict. Simple values override dict
 values. e.g.:
@@ -99,14 +114,44 @@ ListenAddress 0.0.0.0
 ListenAddress ::
 ```
 
-* sshd_match
+* `sshd_match`
 
 A list of dicts for a match section. See the example playbook.
 
-* sshd_match_1 through sshd_match_9
+* `sshd_match_1` through `sshd_match_9`
 
 A list of dicts or just a dict for a Match section.
 
+### Secondary role variables
+
+These variables are used by the role internals and can be used to override the
+defaults that correspond to each supported platform.
+
+* `sshd_packages`
+
+Use this variable to override the default list of packages to install.
+
+* `sshd_config_owner`, `sshd_config_group`, `sshd_config_mode`
+
+Use these variables to set the ownership and permissions for the openssh config
+file that this role produces.
+
+* `sshd_config_file`
+
+The path where the openssh configuration produced by this role should be saved.
+
+* `sshd_binary`
+
+The path to the openssh executable
+
+* `sshd_service`
+
+The name of the openssh service. By default, this variable contains the name of
+the ssh service that the target platform uses. But it can also be used to set
+the name of the custom ssh service when the `sshd_install_service` variable is
+used.
+
+
 Dependencies
 ------------
 

defaults/main.yml

@@ -2,26 +2,41 @@
 ### USER OPTIONS
 # Don't apply OS defaults when set to true
 sshd_skip_defaults: false
+
 # If the below is false, don't manage the service or reload the SSH
 # daemon at all
 sshd_manage_service: true
+
+# If the below is true, also install service files from the templates pointed
+# to by the `sshd_service_template_*` variables
+sshd_install_service: false
+sshd_service_template_service: sshd.service.j2
+sshd_service_template_at_service: [email protected]
+sshd_service_template_socket: sshd.socket.j2
+
 # If the below is false, don't reload the ssh daemon on change
 sshd_allow_reload: true
+
 # If the below is true, create a backup of the config file when the template is copied
 sshd_backup: false
+
 # Empty dicts to avoid errors
 sshd: {}
 
 ### VARS DEFAULTS
 ### The following are defaults for OS specific configuration in var files in
-### this role. They should not be set by role users.
-sshd_packages: []
-sshd_config_owner: root
-sshd_config_group: root
-sshd_config_mode: "0600"
-sshd_config_file: /etc/ssh/sshd_config
-sshd_binary: /usr/sbin/sshd
-sshd_service: sshd
-sshd_sftp_server: /usr/lib/openssh/sftp-server
-sshd_defaults: {}
-sshd_os_supported: no
+### this role. They should not be set directly by role users. If you really
+### need to override them, use the corresponding, unprefixed variables (eg
+### `sshd_packages` to override __sshd_packages).
+__sshd_packages: []
+__sshd_config_owner: root
+__sshd_config_group: root
+__sshd_config_mode: "0600"
+__sshd_config_file: /etc/ssh/sshd_config
+__sshd_binary: /usr/sbin/sshd
+__sshd_service: sshd
+
+### These variables are used by role internals and should not be used.
+__sshd_sftp_server: /usr/lib/openssh/sftp-server
+__sshd_defaults: {}
+__sshd_os_supported: no

meta/10_top.j2

@@ -21,8 +21,8 @@
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
-{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{%     set value = sshd_defaults[key] %}
+{%   elif __sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = __sshd_defaults[key] %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}

tasks/install.yml

@@ -0,0 +1,48 @@
+---
+
+- name: OS is supported
+  assert:
+    that: __sshd_os_supported == True
+
+- name: Install ssh packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ sshd_packages }}"
+
+- name: Configuration
+  template:
+    src: sshd_config.j2
+    dest: "{{ sshd_config_file }}"
+    owner: "{{ sshd_config_owner }}"
+    group: "{{ sshd_config_group }}"
+    mode: "{{ sshd_config_mode }}"
+    validate: "{{ sshd_binary }} -t -f %s"
+  notify: reload_sshd
+
+- name: Install systemd service files
+  block:
+    - template:
+        src: "{{ sshd_service_template_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.service"
+      notify: reload_sshd
+    - template:
+        src: "{{ sshd_service_template_at_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}@.service"
+      notify: reload_sshd
+    - template:
+        src: "{{ sshd_service_template_socket }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.socket"
+      notify: reload_sshd
+  when: sshd_install_service
+
+- name: Service enabled and running
+  service:
+    name: "{{ sshd_service }}"
+    enabled: true
+    state: started
+  when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
+
+- name: Register that this role has run
+  set_fact: sshd_has_run=true
+  when: sshd_has_run is not defined

tasks/main.yml

@@ -1,41 +1,5 @@
 ---
-- name: Set OS dependent variables
-  include_vars: "{{ item }}"
-  with_first_found:
-   - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
-   - "{{ ansible_distribution }}.yml"
-   - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
-   - "{{ ansible_os_family }}.yml"
-   - default.yml
 
-- name: OS is supported
-  assert:
-    that: sshd_os_supported == True
+- include_tasks: variables.yml
 
-- name: Install ssh packages
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items: "{{ sshd_packages }}"
-
-- name: Configuration
-  template:
-    src: sshd_config.j2
-    dest: "{{ sshd_config_file }}"
-    owner: "{{ sshd_config_owner }}"
-    group: "{{ sshd_config_group }}"
-    mode: "{{ sshd_config_mode }}"
-    backup: "{{ sshd_backup }}"
-    validate: "{{ sshd_binary }} -t -f %s"
-  notify: reload_sshd
-
-- name: Service enabled and running
-  service:
-    name: "{{ sshd_service }}"
-    enabled: true
-    state: started
-  when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
-
-- name: Register that this role has run
-  set_fact: sshd_has_run=true
-  when: sshd_has_run is not defined
+- include_tasks: install.yml

tasks/variables.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+   - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_distribution }}.yml"
+   - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_os_family }}.yml"
+   - default.yml
+
+- name: Override OS defaults
+  block:
+    - set_fact:
+        sshd_packages: "{{ __sshd_packages }}"
+      when: sshd_packages is not defined
+    - set_fact:
+        sshd_config_owner: "{{ __sshd_config_owner }}"
+      when: sshd_config_owner is not defined
+    - set_fact:
+        sshd_config_group: "{{ __sshd_config_group }}"
+      when: sshd_config_group is not defined
+    - set_fact:
+        sshd_config_mode: "{{ __sshd_config_mode }}"
+      when: sshd_config_mode is not defined
+    - set_fact:
+        sshd_config_file: "{{ __sshd_config_file }}"
+      when: sshd_config_file is not defined
+    - set_fact:
+        sshd_binary: "{{ __sshd_binary }}"
+      when: sshd_binary is not defined
+    - set_fact:
+        sshd_service: "{{ __sshd_service }}"
+      when: sshd_service is not defined
+    - set_fact:
+        sshd_sftp_server: "{{ __sshd_sftp_server }}"
+      when: sshd_sftp_server is not defined

templates/sshd.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenBSD Secure Shell server
+
+[Service]
+ExecStartPre={{ sshd_binary }} -t
+ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }}
+ExecReload={{ sshd_binary }} -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory={{ sshd_binary }}
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target

templates/sshd.socket.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenBSD Secure Shell server socket
+Before={{ sshd_service }}.service
+Conflicts={{sshd_service }}.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

templates/sshd@.service.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenBSD Secure Shell server per-connection daemon
+After=auditd.service
+
+[Service]
+ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
+StandardInput=socket
+RuntimeDirectory={{ sshd_binary }}
+RuntimeDirectoryMode=0755

templates/sshd_config.j2

@@ -21,8 +21,8 @@
 {%     set value = override %}
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
-{%   elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{%     set value = sshd_defaults[key] %}
+{%   elif __sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{%     set value = __sshd_defaults[key] %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}

vars/Amazon.yml

@@ -1,10 +1,10 @@
 ---
-sshd_config_mode: '0644'
-sshd_packages:
+__sshd_config_mode: '0644'
+__sshd_packages:
   - openssh
   - openssh-server
-sshd_sftp_server: /usr/libexec/openssh/sftp-server
-sshd_defaults:
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_defaults:
   SyslogFacility: AUTHPRIV
   PermitRootLogin: forced-commands-only
   AuthorizedKeysFile: .ssh/authorized_keys
@@ -20,4 +20,4 @@ sshd_defaults:
     - LC_IDENTIFICATION LC_ALL LANGUAGE
     - XMODIFIERS
   Subsystem: "sftp {{ sshd_sftp_server }}"
-sshd_os_supported: yes
+__sshd_os_supported: yes

vars/Archlinux.yml

@@ -1,11 +1,11 @@
 ---
-sshd_packages:
+__sshd_packages:
   - openssh
-sshd_sftp_server: /usr/lib/ssh/sftp-server
-sshd_defaults:
+__sshd_sftp_server: /usr/lib/ssh/sftp-server
+__sshd_defaults:
   AuthorizedKeysFile: .ssh/authorized_keys
   ChallengeResponseAuthentication: no
   PrintMotd: no
   Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes
-sshd_os_supported: yes
+__sshd_os_supported: yes