evolinux-base: reorganize ssh section

evolinux-base/tasks/main.yml

@@ -56,9 +56,17 @@
     name: evolix/evomaintenance
   when: evolinux_evomaintenance_include | bool
 
-- name: SSH configuration
-  include: ssh.yml
-  when: evolinux_ssh_include | bool
+- name: SSH configuration (single file)
+  import_tasks: ssh.single-file.yml
+  when:
+    - ansible_distribution_major_version is version('12', '<')
+    - evolinux_ssh_include | bool
+
+- name: SSH configuration (included-files)
+  import_tasks: ssh.included-files.yml
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+    - evolinux_ssh_include | bool
 
 ### disabled because of a memory leak
 # - name: Create evolinux users

evolinux-base/tasks/ssh.included-files.yml

@@ -0,0 +1,104 @@
+---
+# This is a copy of ssh.single-file.yml
+# It needs to be changed when we move to a included-files configuration
+
+
+- ansible.builtin.debug:
+    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
+  when: evolinux_ssh_password_auth_addresses == []
+
+# From 'man sshd_config' :
+# « If all of the criteria on the Match line are satisfied, the keywords
+# on the following lines override those set in the global section of the config
+# file, until either another Match line or the end of the file.
+# If a keyword appears in multiple Match blocks that are satisfied,
+# only the first instance of the keyword is applied. »
+#
+# We want to allow any user from a list of IP addresses to login with password,
+# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
+
+- name: "Security directives for Evolinux (Debian 10 or later)"
+  ansible.builtin.blockinfile:
+    dest: /etc/ssh/sshd_config
+    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
+    block: |
+      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+          PasswordAuthentication yes
+      Match Group {{ evolinux_internal_group }}
+          PasswordAuthentication no
+    insertafter: EOF
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_ssh_password_auth_addresses != []
+    - ansible_distribution_major_version is version('10', '>=')
+
+- name: Security directives for Evolinux (Jessie/Stretch)
+  ansible.builtin.blockinfile:
+    dest: /etc/ssh/sshd_config
+    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    block: |
+      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+          PasswordAuthentication yes
+    insertafter: EOF
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_ssh_password_auth_addresses != []
+    - ansible_distribution_major_version is version('10', '<')
+
+# We disable AcceptEnv because it can be a security issue, but also because we
+# do not want clients to push their environment variables like LANG.
+- name: disable AcceptEnv in ssh config
+  ansible.builtin.replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^AcceptEnv'
+    replace: "#AcceptEnv"
+  notify: reload sshd
+  when: evolinux_ssh_disable_acceptenv | bool
+
+- name: Set log level to verbose (for Debian >= 9)
+  ansible.builtin.replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^#?LogLevel [A-Z]+'
+    replace: "LogLevel VERBOSE"
+  notify: reload sshd
+  when: ansible_distribution_major_version is version('9', '>=')
+
+- name: "Get current user"
+  ansible.builtin.command:
+    cmd: logname
+  changed_when: False
+  register: logname
+  check_mode: no
+  when: evolinux_ssh_allow_current_user | bool
+
+# we must double-escape caracters, because python
+- name: verify AllowUsers directive
+  ansible.builtin.command:
+    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  failed_when: False
+  changed_when: False
+  register: grep_allowusers_ssh
+  check_mode: no
+  when: evolinux_ssh_allow_current_user | bool
+
+- name: "Add AllowUsers sshd directive for current user"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowUsers {{ logname.stdout }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
+
+- name: "Modify AllowUsers sshd directive for current user"
+  ansible.builtin.replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
+    replace: '\1 {{ logname.stdout }}'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
+
+- ansible.builtin.meta: flush_handlers

evolinux-base/tasks/ssh.single-file.yml

@@ -1,5 +1,5 @@
 ---
-- debug:
+- ansible.builtin.debug:
     msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
   when: evolinux_ssh_password_auth_addresses == []
 
@@ -14,7 +14,7 @@
 # but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
 
 - name: "Security directives for Evolinux (Debian 10 or later)"
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/ssh/sshd_config
     marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
     block: |
@@ -30,7 +30,7 @@
     - ansible_distribution_major_version is version('10', '>=')
 
 - name: Security directives for Evolinux (Jessie/Stretch)
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/ssh/sshd_config
     marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     block: |
@@ -46,7 +46,7 @@
 # We disable AcceptEnv because it can be a security issue, but also because we
 # do not want clients to push their environment variables like LANG.
 - name: disable AcceptEnv in ssh config
-  replace:
+  ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: '^AcceptEnv'
     replace: "#AcceptEnv"
@@ -54,7 +54,7 @@
   when: evolinux_ssh_disable_acceptenv | bool
 
 - name: Set log level to verbose (for Debian >= 9)
-  replace:
+  ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: '^#?LogLevel [A-Z]+'
     replace: "LogLevel VERBOSE"
@@ -62,7 +62,8 @@
   when: ansible_distribution_major_version is version('9', '>=')
 
 - name: "Get current user"
-  command: logname
+  ansible.builtin.command:
+    cmd: logname
   changed_when: False
   register: logname
   check_mode: no
@@ -70,7 +71,8 @@
 
 # we must double-escape caracters, because python
 - name: verify AllowUsers directive
-  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  ansible.builtin.command:
+    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
   failed_when: False
   changed_when: False
   register: grep_allowusers_ssh
@@ -78,7 +80,7 @@
   when: evolinux_ssh_allow_current_user | bool
 
 - name: "Add AllowUsers sshd directive for current user"
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowUsers {{ logname.stdout }}"
     insertafter: 'Subsystem'
@@ -87,7 +89,7 @@
   when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
 
 - name: "Modify AllowUsers sshd directive for current user"
-  replace:
+  ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
     replace: '\1 {{ logname.stdout }}'
@@ -95,4 +97,4 @@
   notify: reload sshd
   when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
 
-- meta: flush_handlers
+- ansible.builtin.meta: flush_handlers