ansible-roles/evolinux-base/tasks/ssh.included-files.yml

---
- ansible.builtin.debug:
    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
  when: evolinux_ssh_password_auth_addresses == []

- name: files under /etc/ssh/sshd_config.d are included
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    insertbefore: BOF
  notify: reload ssh

- name: add SSH server configuration template
  ansible.builtin.template:
    src: sshd/defaults.j2
    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
    mode: "0644"

- name: "Get current user's group"
  ansible.builtin.command:
    cmd: logname
  changed_when: False
  register: logname
  check_mode: no
  when: evolinux_ssh_allow_current_user | bool

- name: verify AllowUsers directive
  ansible.builtin.command:
    cmd: "grep -ER '^AllowUsers' /etc/ssh"
  failed_when: False
  changed_when: False
  register: grep_allowusers_ssh
  check_mode: no
  when: evolinux_ssh_allow_current_user | bool

- name: "Add AllowUsers sshd directive for current user"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
    create: yes
    line: "AllowUsers {{ logname.stdout }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0

- ansible.builtin.meta: flush_handlers

# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
# TODO si allowgroups, ajouter groupe de l’utilisateur
-												evolinux-base: add ssh.yml

* disable root login
* list authorized addresses
* disable AcceptEnv
											
										
										
											2016-12-27 14:03:35 +01:00
+								---
-												evolinux-base: reorganize ssh section

											
										
										
											2023-03-18 18:37:58 +01:00
+								- ansible.builtin.debug:
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
+								    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
-												fail when evolinux_ssh_password_auth_addresses is empty instead of Ansible crash (like for minifirewall)

											
										
										
											2017-08-18 04:13:56 +02:00
+								  when: evolinux_ssh_password_auth_addresses == []
-												evolinux-base: include files under sshd_config.d

In case we need to add the Include directive, we add it at the
beginning of the global configuration file. This way the Include
directive can't be inside a Match directive.

											
										
										
											2023-08-31 17:09:13 +02:00
+								- name: files under /etc/ssh/sshd_config.d are included
 								  ansible.builtin.lineinfile:
 								    path: /etc/ssh/sshd_config
 								    line: "Include /etc/ssh/sshd_config.d/*.conf"
 								    insertbefore: BOF
 								  notify: reload ssh
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
+								- name: add SSH server configuration template
 								  ansible.builtin.template:
 								    src: sshd/defaults.j2
 								    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
-												Fix mode for files under /etc/ssh/sshd_config.d

											
										
										
											2023-08-16 18:21:06 +02:00
+								    mode: "0644"
-												SSH: log level to verbose for Stretch and later

											
										
										
											2017-06-14 15:53:15 +02:00
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
+								- name: "Get current user's group"
-												evolinux-base: reorganize ssh section

											
										
										
											2023-03-18 18:37:58 +01:00
+								  ansible.builtin.command:
 								    cmd: logname
-												evolinux-users: split AllowGroups/AllowUsers modes

If an AllowGroups directive is found or when using Debian 9+,
we use the AllowGroups directive and comment AllowUsers that may be
already present.
When adding a user, we make sure that the allowed group exists
and the use is in that group, to be sure that at least this user
is allowed to connect.

In other situations, we use the AllowUsers directive.

											
										
										
											2018-03-01 11:07:43 +01:00
+								  changed_when: False
-												evolinux-base: allow ssh for current user

When you're not sure to have a proper ssh connection after install,
you can keep the current user authorized.
Example: when using vagrant

This is disabled by default

											
										
										
											2017-10-07 12:59:35 +02:00
+								  register: logname
 								  check_mode: no
-												fix more Ansible syntax

											
										
										
											2021-05-09 23:20:15 +02:00
+								  when: evolinux_ssh_allow_current_user | bool
-												evolinux-base: allow ssh for current user

When you're not sure to have a proper ssh connection after install,
you can keep the current user authorized.
Example: when using vagrant

This is disabled by default

											
										
										
											2017-10-07 12:59:35 +02:00
-												evolinux-base: improve AllowUsers for current user

											
										
										
											2017-10-07 22:15:51 +02:00
+								- name: verify AllowUsers directive
-												evolinux-base: reorganize ssh section

											
										
										
											2023-03-18 18:37:58 +01:00
+								  ansible.builtin.command:
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
+								    cmd: "grep -ER '^AllowUsers' /etc/ssh"
-												evolinux-base: improve AllowUsers for current user

											
										
										
											2017-10-07 22:15:51 +02:00
+								  failed_when: False
-												evolinux-users: split AllowGroups/AllowUsers modes

If an AllowGroups directive is found or when using Debian 9+,
we use the AllowGroups directive and comment AllowUsers that may be
already present.
When adding a user, we make sure that the allowed group exists
and the use is in that group, to be sure that at least this user
is allowed to connect.

In other situations, we use the AllowUsers directive.

											
										
										
											2018-03-01 11:07:43 +01:00
+								  changed_when: False
-												evolinux-base: improve AllowUsers for current user

											
										
										
											2017-10-07 22:15:51 +02:00
+								  register: grep_allowusers_ssh
 								  check_mode: no
-												fix more Ansible syntax

											
										
										
											2021-05-09 23:20:15 +02:00
+								  when: evolinux_ssh_allow_current_user | bool
-												evolinux-base: improve AllowUsers for current user

											
										
										
											2017-10-07 22:15:51 +02:00
 								- name: "Add AllowUsers sshd directive for current user"
-												evolinux-base: reorganize ssh section

											
										
										
											2023-03-18 18:37:58 +01:00
+								  ansible.builtin.lineinfile:
-												Fix mode for files under /etc/ssh/sshd_config.d

											
										
										
											2023-08-16 18:21:06 +02:00
+								    dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
-												evolinux-base: Corriger autorisation pour evolinux_user

Cas configuration SSH séparée. Ticket #74636.

											
										
										
											2023-10-11 09:55:56 +02:00
+								    create: yes
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
+								    line: "AllowUsers {{ logname.stdout }}"
-												evolinux-base: allow ssh for current user

When you're not sure to have a proper ssh connection after install,
you can keep the current user authorized.
Example: when using vagrant

This is disabled by default

											
										
										
											2017-10-07 12:59:35 +02:00
+								    insertafter: 'Subsystem'
-												evolinux-base: Validate sshd config with "sshd -t"

See #52 - It seems the behaviour changed with the recent releases, -T 
that does an extended test now fails on "Match" blocks when no context 
is given through -C

											
										
										
											2019-06-17 09:47:22 +02:00
+								    validate: '/usr/sbin/sshd -t -f %s'
-												evolinux-base: improve AllowUsers for current user

											
										
										
											2017-10-07 22:15:51 +02:00
+								  notify: reload sshd
 								  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
-												evolinux-base: reorganize ssh section

											
										
										
											2023-03-18 18:37:58 +01:00
+								- ansible.builtin.meta: flush_handlers
-												evolinux-base: Add SSH configuration template

											
										
										
											2023-04-07 14:26:09 +02:00
 								# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
 								# TODO si allowgroups, ajouter groupe de l’utilisateur