From 9049a9779215ff1900d6315b51108ad42e950a09 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Tue, 6 Aug 2019 17:53:21 -0400
Subject: [PATCH] Simplify evolinux-users ssh tasks

It makes no sense to make a check before you include the task and do lt again after. Just use the pre-registered variables. This removes two tasks per user loop and one overall task.
---
 evolinux-users/tasks/ssh.yml             | 14 ++++++++++++++
 evolinux-users/tasks/ssh_allowgroups.yml | 13 ++-----------
 evolinux-users/tasks/ssh_allowusers.yml  | 24 ++++-------------------
 3 files changed, 20 insertions(+), 31 deletions(-)

diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 70570c63..52348c7a 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -41,13 +41,27 @@
     verbosity: 1
 
 - include: ssh_allowgroups.yml
+  vars:
+    - allow_groups_present: "{{ grep_allowgroups_ssh.rc == 0 }}"
   when:
     - ssh_allowgroups
     - not ssh_allowusers
 
+- name: "verify Match User directive"
+  command: "grep -E '^Match User' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchuser_ssh
+  when:
+    - ssh_allowusers
+    - not ssh_allowgroups
+
 - include: ssh_allowusers.yml
   vars:
     user: "{{ item.value }}"
+    - allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}"
+    - match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}"
   with_dict: "{{ evolinux_users }}"
   when:
     - ssh_allowusers
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index a4e4ee54..bef0a393 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
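Review bot: The `vars:` on the `ssh_allowusers.yml` include now mixes a mapping entry (`user: "{{ item.value }}"`) with sequence items (`- allow_users_present: …`, `- match_users_present: …`) under the same key, which is not valid YAML and is rejected when ssh.yml is loaded. Write all three as mapping keys — `user: "{{ item.value }}"`, `allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}"`, `match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}"` — and use the same mapping form on the `ssh_allowgroups.yml` include instead of `- allow_groups_present:`. Note also that `grep_matchuser_ssh` is only registered when the new "verify Match User directive" task actually runs, so `grep_matchuser_ssh.rc` is undefined unless the include's `when:`, which continues past the end of the hunk, gates on the same two conditions. The `changed_when: False` / `failed_when: False` / `check_mode: no` spellings in the new task are the non-canonical truthy forms; `false` is the form yamllint's truthy rule accepts.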
@@ -1,14 +1,5 @@
 ---
 
-# this check must be repeated for each user
-# even if it's been done before
-- name: verify AllowGroups directive
-  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_allowgroups_ssh
-
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   lineinfile:
     dest: /etc/ssh/sshd_config
@@ -16,7 +7,7 @@
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowgroups_ssh.rc != 0
+  when: not allow_groups_present
 
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
   replace:
@@ -25,4 +16,4 @@
     replace: '\1 {{ evolinux_ssh_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowgroups_ssh.rc == 0
+  when: allow_groups_present
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
index 1aa31f3c..dc9338dc 100644
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
@@ -1,14 +1,5 @@
 ---
 
-# this check must be repeated for each user
-# even if it's been done before
-- name: verify AllowUsers directive
-  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_allowusers_ssh
-
 - name: "Add AllowUsers sshd directive with '{{ user.name }}'"
   lineinfile:
     dest: /etc/ssh/sshd_config
@@ -16,7 +7,7 @@
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc != 0
+  when: not allow_users_present
 
 - name: "Append '{{ user.name }}' to AllowUsers sshd directive"
   replace:
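Review bot: With the per-user check deleted at `@@ -1,14 +1,5 @@` of ssh_allowusers.yml, the `when: not allow_users_present` at `@@ -16,7 +7,7 @@` keys off a value registered once in ssh.yml before the `with_dict` loop, so it stays false for every user after the first even though the first iteration has already written the `AllowUsers` directive. The removed comment (`this check must be repeated for each user even if it's been done before`) described exactly this; whether the second iteration then overwrites the first user's line or adds a second `AllowUsers` line depends on the `lineinfile` arguments outside the hunk, but in either case the `Append` task at `@@ -25,4 +16,4 @@` never runs and the resulting allow-list does not reflect all of `evolinux_users`. Either keep the grep inside the included file so it is re-evaluated per iteration, or build the directive from the whole user list in one task instead of growing it user by user. The same problem applies to the `Match User` tasks at `@@ -25,14 +16,7 @@` and `@@ -41,7 +25,7 @@` of this file; the `ssh_allowgroups.yml` include is not looped, so its equivalent change is unaffected.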
@@ -25,14 +16,7 @@
     replace: '\1 {{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc == 0
-
-- name: "verify Match User directive"
-  command: "grep -E '^Match User' /etc/ssh/sshd_config"
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_matchuser_ssh
+  when: allow_users_present
 
 - name: "Add Match User sshd directive with '{{ user.name }}'"
   lineinfile:
@@ -41,7 +25,7 @@
     insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc != 0
+  when: not allow_users_present
 
 - name: "Append '{{ user.name }}' to Match User's sshd directive"
   replace:
@@ -50,4 +34,4 @@
     replace: '\1,{{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc == 0
+  when: match_users_present
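Review bot: The "Add Match User" task at `@@ -41,7 +25,7 @@` is gated on `not allow_users_present`, but its old condition was `grep_matchuser_ssh.rc != 0` and its sibling "Append … to Match User's" task at `@@ -50,4 +34,4 @@` uses `match_users_present`, so the pair no longer forms an add-or-append choice on the same fact. When `AllowUsers` is already present but no `Match User` block exists, neither task runs and the user gets no `Match User` entry; when `AllowUsers` is absent but a `Match User` block exists, both the add and the append fire against the same file. The line should read `when: not match_users_present`.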