Merge pull request #135 from Jakuje/cleanup

Cleanup lint issues, update documentation, fix typos

.github/workflows/ansible-lint.yml

@@ -6,33 +6,34 @@ jobs:
   test-ansible28:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Lint Ansible Playbook
-      uses: ansible/ansible-lint-action@master
-      with:
-        targets: "tests/test_*.yml"
-        override-deps: |
-          ansible==2.8
-        args: ""
+      - uses: actions/checkout@v2
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: "tests/test_*.yml"
+          override-deps: |
+            ansible==2.8
+          args: ""
   test-ansible29:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Lint Ansible Playbook
-      uses: ansible/ansible-lint-action@master
-      with:
-        targets: "tests/test_*.yml"
-        override-deps: |
-          ansible==2.9
-        args: ""
+      - uses: actions/checkout@v2
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: "tests/test_*.yml
+          override-deps: |
+            ansible==2.9
+          args: ""
   test-ansible210:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Lint Ansible Playbook
-      uses: ansible/ansible-lint-action@master
-      with:
-        targets: "tests/test_*.yml"
-        override-deps: |
-          ansible==2.10
-        args: ""
+      - uses: actions/checkout@v2
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: "tests/test_*.yml"
+          override-deps: |
+            ansible==2.10
+          args: ""
+

README.md

@@ -21,18 +21,18 @@ before using in production!
 Ubuntu. This is not the default assigned by this module - it will set
 `PermitRootLogin without-password` which will allow access via SSH key but not
 via simple password. If you need this functionality, be sure to set
-`ssh_PermitRootLogin yes` for those hosts.
+`sshd_PermitRootLogin yes` for those hosts.
 
 Requirements
 ------------
 
 Tested on:
 
-* Ubuntu precise, trusty
-* Debian wheezy, jessie
+* Ubuntu precise, trusty, xenial, bionic, focal
+* Debian wheezy, jessie, stretch, buster
 * FreeBSD 10.1
-* EL 6,7 derived distributions
-* Fedora 22, 23
+* EL 6, 7, 8 derived distributions
+* Fedora 31, 32, 33
 * OpenBSD 6.0
 * AIX 7.1, 7.2
 
@@ -60,15 +60,15 @@ variables. Defaults to *False*.
 If set to False, the service/daemon won't be **managed** at all, i.e. will not
 try to enable on boot or start or reload the service.  Defaults to *True*
 unless: Running inside a docker container (it is assumed ansible is used during
-build phase) or AIX (Ansible `service` module does not currently support `enabled` 
+build phase) or AIX (Ansible `service` module does not currently support `enabled`
 for AIX)
 
 * `sshd_allow_reload`
 
 If set to False, a reload of sshd wont happen on change. This can help with
 troubleshooting. You'll need to manually reload sshd if you want to apply the
-changed configuration. Defaults to the same value as ``sshd_manage_service``. 
-(Except on AIX, where `sshd_manage_service` is default *False*, but 
+changed configuration. Defaults to the same value as ``sshd_manage_service``.
+(Except on AIX, where `sshd_manage_service` is default *False*, but
 `sshd_allow_reload` is default *True*)
 
 * `sshd_install_service`
@@ -97,7 +97,7 @@ sshd:
     - 0.0.0.0
 ```
 
-* `ssh_...`
+* `sshd_...`
 
 Simple variables can be used rather than a dict. Simple values override dict
 values. e.g.:

defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 ### USER OPTIONS
-# Set to False to disable this role completely
-sshd_enable: True
+# Set to false to disable this role completely
+sshd_enable: true
 
 # Don't apply OS defaults when set to true
 sshd_skip_defaults: false
@@ -21,7 +21,7 @@ sshd_service_template_socket: sshd.socket.j2
 sshd_allow_reload: true
 
 # If the below is true, create a backup of the config file when the template is copied
-sshd_backup: false
+sshd_backup: true
 
 # Empty dicts to avoid errors
 sshd: {}

handlers/main.yml

@@ -11,7 +11,7 @@
     - ansible_os_family != 'AIX'
   listen: reload_sshd
 
-# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.  
+# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
 # It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
 # Instead, use a dirty shell script:
 #  https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6

meta/main.yml

@@ -6,50 +6,51 @@ galaxy_info:
   license: LGPLv3
   min_ansible_version: 2.8
   platforms:
-  - name: Debian
-    versions:
-    - wheezy
-    - jessie
-    - stretch
-    - buster
-  - name: Ubuntu
-    versions:
-    - precise
-    - trusty
-    - xenial
-    - bionic
-    - focal
-  - name: FreeBSD
-    version:
-    - 10.1
-  - name: EL
-    versions:
-    - 6
-    - 7
-    - 8
-  - name: Fedora
-    versions:
-    - 22
-    - 23
-  - name: OpenBSD
-    versions:
-    - 6.0
-  - name: AIX
-    versions:
-    - 7.1
-    - 7.2
+    - name: Debian
+      versions:
+        - wheezy
+        - jessie
+        - stretch
+        - buster
+    - name: Ubuntu
+      versions:
+        - precise
+        - trusty
+        - xenial
+        - bionic
+        - focal
+    - name: FreeBSD
+      version:
+        - 10.1
+    - name: EL
+      versions:
+        - 6
+        - 7
+        - 8
+    - name: Fedora
+      versions:
+        - 31
+        - 32
+        - 33
+    - name: OpenBSD
+      versions:
+        - 6.0
+    - name: AIX
+      versions:
+        - 7.1
+        - 7.2
   galaxy_tags:
-  - networking
-  - system
-  - ssh
-  - openssh
-  - sshd
-  - server
-  - ubuntu
-  - debian
-  - centos
-  - redhat
-  - freebsd
-  - openbsd
-  - aix
+    - networking
+    - system
+    - ssh
+    - openssh
+    - sshd
+    - server
+    - ubuntu
+    - debian
+    - centos
+    - redhat
+    - freebsd
+    - openbsd
+    - aix
 dependencies: []

tasks/install.yml

@@ -1,7 +1,7 @@
 ---
 - name: OS is supported
   meta: end_host
-  when: 
+  when:
     - not __sshd_os_supported|bool
 
 - name: Install ssh packages

vars/AIX.yml

@@ -1,6 +1,8 @@
 ---
 __sshd_config_mode: '0644'
-__sshd_packages: [ ] # sshd is not installed by yum / AIX toolbox for Linux.  You'll need to manually install them using AIX Web Download Packs.
+# sshd is not installed by yum / AIX toolbox for Linux.
+# You'll need to manually install them using AIX Web Download Packs.
+__sshd_packages: []
 __sshd_sftp_server: /usr/sbin/sftp-server
 __sshd_config_group: system
 __sshd_defaults:

vars/Debian_10.yml

@@ -10,7 +10,7 @@ __sshd_defaults:
   HostKey:
     - /etc/ssh/ssh_host_rsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,[email protected] 
+  HostKeyAlgorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,[email protected]
   KexAlgorithms: curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
   MACs: [email protected],[email protected],[email protected]
   SyslogFacility: AUTH

vars/Fedora.yml

@@ -3,23 +3,9 @@ __sshd_packages:
   - openssh
   - openssh-server
 __sshd_sftp_server: /usr/libexec/openssh/sftp-server
+# Fedora 32 ships with drop-in directory support so we touch
+# just included file with highest priority by default and have
+# empty defaults
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
 __sshd_defaults:
-  HostKey:
-    - /etc/ssh/ssh_host_rsa_key
-    - /etc/ssh/ssh_host_ecdsa_key
-    - /etc/ssh/ssh_host_ed25519_key
-  SyslogFacility: AUTHPRIV
-  AuthorizedKeysFile: .ssh/authorized_keys
-  PasswordAuthentication: yes
-  ChallengeResponseAuthentication: no
-  GSSAPIAuthentication: yes
-  GSSAPICleanupCredentials: no
-  UsePAM: yes
-  X11Forwarding: yes
-  AcceptEnv:
-    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-    - LC_IDENTIFICATION LC_ALL LANGUAGE
-    - XMODIFIERS
-  Subsystem: "sftp {{ sshd_sftp_server }}"
 __sshd_os_supported: yes

vars/Fedora_31.yml

@@ -0,0 +1,25 @@
+---
+__sshd_packages:
+  - openssh
+  - openssh-server
+__sshd_sftp_server: /usr/libexec/openssh/sftp-server
+__sshd_defaults:
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  SyslogFacility: AUTHPRIV
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PasswordAuthentication: yes
+  ChallengeResponseAuthentication: no
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: no
+  UsePAM: yes
+  X11Forwarding: yes
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+__sshd_os_supported: yes

vars/RedHat_7.yml

@@ -13,9 +13,9 @@ __sshd_defaults:
   PasswordAuthentication: yes
   ChallengeResponseAuthentication: no
   GSSAPIAuthentication: yes
-  GSSAPICleanupCredentials: yes
-# Note that UsePAM: no is not supported under RHEL/CentOS. See
-# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
+  GSSAPICleanupCredentials: no
+  # Note that UsePAM: no is not supported under RHEL/CentOS. See
+  # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
   UsePAM: yes
   X11Forwarding: yes
   UsePrivilegeSeparation: sandbox

vars/RedHat_8.yml

@@ -14,8 +14,8 @@ __sshd_defaults:
   ChallengeResponseAuthentication: no
   GSSAPIAuthentication: yes
   GSSAPICleanupCredentials: no
-# Note that UsePAM: no is not supported under RHEL/CentOS. See
-# https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
+  # Note that UsePAM: no is not supported under RHEL/CentOS. See
+  # https://github.com/willshersystems/ansible-sshd/pull/51#issuecomment-287333218
   UsePAM: yes
   X11Forwarding: yes
   PrintMotd: no