evolinux-base: include files under sshd_config.d

In case we need to add the Include directive, we add it at the
beginning of the global configuration file. This way the Include
directive can't be inside a Match directive.

CHANGELOG.md

@@ -58,6 +58,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * postgresql: fix task "update apt cache" for PGDG repo
 * postgresql: fix file postgresql.pref.j2 for exclude package
 * lxc-php: Change lxc container in bookworm for php82
+* evolinux-base: include files under `sshd_config.d`
 
 ### Fixed
 

evolinux-base/tasks/root.yml

@@ -101,6 +101,16 @@
     - evolinux_root_disable_ssh | bool
     - ansible_distribution_major_version is version('11', '<=')
 
+- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "Include /etc/ssh/sshd_config.d/*.conf"
+    insertbefore: BOF
+  notify: reload ssh
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
 - name: disable SSH access for root (Debian >= 12)
   ansible.builtin.replace:
     path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf

evolinux-base/tasks/ssh.included-files.yml

@@ -3,6 +3,13 @@
     msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
   when: evolinux_ssh_password_auth_addresses == []
 
+- name: files under /etc/ssh/sshd_config.d are included
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "Include /etc/ssh/sshd_config.d/*.conf"
+    insertbefore: BOF
+  notify: reload ssh
+
 - name: add SSH server configuration template
   ansible.builtin.template:
     src: sshd/defaults.j2