diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1f124bc..dee0dc6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -18,4 +18,6 @@ on:
 jobs:
 integration:
 name: Integration
- uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@v1.2.0
+ uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@main
+ with:
+ distros: '[ "debian11", "debian12", "ubuntu2004", "ubuntu2204" ]'
diff --git a/defaults/main.yml b/defaults/main.yml
index 09e789f..03848af 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,6 +26,7 @@ sshd_ignore_rhosts: "yes"
 sshd_hostbased_authentication: "no"
 sshd_permit_empty_passwords: "no"
 sshd_challenge_response_authentication: "no"
+sshd_kbd_interactive_authentication: "no"
 sshd_x11_forwarding: "no"
 sshd_x11_display_offset: 10
 sshd_print_motd: "no"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index b737806..1b3bd67 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,19 +1,13 @@
 ---
 driver:
 name: vagrant
- provider:
- name: virtualbox
 platforms:
- - name: buster64
- box: debian/buster64
- - name: bullseye64
+ - name: debian12
+ box: debian/bookworm64
+ - name: debian11
 box: debian/bullseye64
-lint: |
- set -e
- yamllint .
- ansible-lint --exclude molecule/default/tests
 provisioner:
 name: ansible
+ ansible_args:
+ - --diff
 become: true
-verifier:
- name: goss
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
deleted file mode 100644
index 167403f..0000000
--- a/molecule/default/verify.yml
+++ /dev/null
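Review bot: The reusable workflow reference on the `+ uses:` line moves from the tag `v1.2.0` to the branch `main`, so whatever is pushed to that branch runs in this repository's CI with this repository's token and secrets, and an upstream behaviour change or compromise lands here without any review on this side. Pin to a release tag or, stricter, a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@<full-commit-sha> # <release-tag>`, and let the dependency bot bump it. The `distros` input is passed as a JSON-looking string; that is presumably what the called workflow parses, but it cannot be confirmed from this diff.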
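Review bot: The added `sshd_kbd_interactive_authentication: "no"` is independent of the existing `sshd_challenge_response_authentication`, although in OpenSSH 8.7 and later the second keyword is only a deprecated alias of the first. On hosts where the template emits `KbdInteractiveAuthentication` instead of `ChallengeResponseAuthentication` (this commit does that for Debian 12 in templates/sshd_config.j2), an operator's existing override of `sshd_challenge_response_authentication` is silently ignored and the new default `"no"` is rendered instead. Defaulting the new variable to the old one keeps the two in lockstep unless someone deliberately sets both: `sshd_kbd_interactive_authentication: "{{ sshd_challenge_response_authentication }}"`. Whichever way this is resolved, the new variable should be documented next to the old one in the role's variable documentation.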
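Review bot: Removing the `verifier:` stanza together with molecule/default/verify.yml (deleted later in this commit) leaves the scenario without any verification step: Molecule falls back to its default `ansible` verifier, which looks for a verify.yml that no longer exists, so the hardening this role applies (password, root-login, X11 and similar settings) is no longer checked after convergence. Keep at least a minimal verify.yml that asserts the rendered /etc/ssh/sshd_config contains the expected directives and that `sshd -t` accepts it, or port the goss checks to it. The dropped `lint:` block (`yamllint .`, `ansible-lint`) is presumably covered by the reusable workflow referenced in .github/workflows/main.yml, but that cannot be confirmed from this diff.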
@@ -1,83 +0,0 @@ ---- -- name: Verify - hosts: all - become: true - vars: - goss_version: v0.3.16 - goss_arch: amd64 - goss_bin: /usr/local/bin/goss - goss_sha256sum: 827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb. - goss_test_directory: /tmp/molecule/goss - goss_format: documentation - goss_vars: "{{ goss_test_directory }}/vars" - copy_defaults_vars: true - tasks: - - name: Download and install Goss - get_url: - url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}" - dest: "{{ goss_bin }}" - checksum: "sha256:{{ goss_sha256sum }}" - mode: 0755 - - - name: Create Molecule directory for test files - file: - path: "{{ goss_test_directory }}" - state: directory - mode: 0644 - - - name: Find Goss tests on localhost - find: - paths: "{{ lookup('env', 'MOLECULE_VERIFIER_TEST_DIRECTORY') }}" - patterns: - - "test[-.\\w]*.yml" - - "test_host_{{ ansible_hostname }}[-.\\w]*.yml" - excludes: - - "test_host_(?!{{ ansible_hostname }})[-.\\w]*.yml" - use_regex: true - delegate_to: localhost - register: test_files - changed_when: false - become: false - - - name: Copy defaults vars to goss vars - copy: - src: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/defaults/main.yml" - dest: "{{ goss_vars }}" - mode: 0644 - when: copy_defaults_vars - - - name: Copy Goss tests to remote - copy: - src: "{{ item.path }}" - dest: "{{ goss_test_directory }}/{{ item.path | basename }}" - mode: 0644 - with_items: - - "{{ test_files.files }}" - - - name: Register test files - shell: "ls {{ goss_test_directory }}/test_*.yml" - changed_when: false - register: test_files - - - name: Execute Goss tests - command: - "{{ goss_bin }} - {% if copy_defaults_vars %} - --vars {{ goss_vars }} - {% endif %} - -g {{ item }} validate --format {{ goss_format }}" - register: test_results - with_items: "{{ test_files.stdout_lines }}" - changed_when: false - failed_when: false - - - name: Display details about the Goss results - debug: - msg: 
"{{ item.stdout_lines }}" - with_items: "{{ test_results.results }}" - - - name: Fail when tests fail - fail: - msg: "Goss failed to validate" - when: item.rc != 0 - with_items: "{{ test_results.results }}" diff --git a/tasks/main.yml b/tasks/main.yml index 3438d28..f23bcfc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,4 @@ --- - - name: Ensure openssh-server is present apt: pkg: openssh-server diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index 4b3956f..b8e22e6 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 @@ -1,5 +1,4 @@ -# {{ sshd_header }} - +{{ ansible_managed | comment }} # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -10,7 +9,7 @@ # possible, but leave them commented. Uncommented options override the # default value. -{% if ansible_distribution_release == "bullseye" %} +{% if ansible_distribution_version | int >= 11 and ansible_distribution == 'Debian' %} Include /etc/ssh/sshd_config.d/*.conf {% endif %} @@ -74,7 +73,11 @@ PermitEmptyPasswords {{ sshd_permit_empty_passwords }} # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) +{% if ansible_distribution_version | int >= 12 and ansible_distribution == 'Debian' %} +KbdInteractiveAuthentication {{ sshd_kbd_interactive_authentication }} +{% else %} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }} +{% endif %} # Kerberos options #KerberosAuthentication no @@ -151,8 +154,6 @@ AllowUsers {{ sshd_allow_users|join(" ") }} AllowGroups {{ sshd_allow_groups|join(" ") }} {% endif %} -{% if ansible_distribution == 'Debian' or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('14.04', '>' )) %} # Specifies whether to remove an existing Unix-domain socket file for # local or remote port forwarding before creating a new one. StreamLocalBindUnlink {{ sshd_stream_local_bind_unlink }} -{% endif %}
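Review bot: The `+{% if ansible_distribution_version | int >= 11 and ansible_distribution == 'Debian' %}` guard emits `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file on every Debian 11+ host, and sshd keeps the first value it sees for each keyword, so any drop-in in that directory silently overrides the role's hardening rendered below it (cloud-init, for example, can write a drop-in there that re-enables password authentication). Make the include an explicit opt-in behind a role variable (constructed name: `sshd_include_config_d`, default false) or at least extend the comment above it to state that drop-ins take precedence over every managed value. As a point of style, both this condition and the one in the `@@ -74,7 +73,11 @@` hunk would read better with the distribution check first and the `version` test the template already used elsewhere: `{% if ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>=') %}`.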
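Review bot: Dropping the `{% if ansible_distribution == 'Debian' or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('14.04', '>' )) %}` guard makes `StreamLocalBindUnlink` unconditional, which is an implicit end of support for the Ubuntu releases that guard excluded; on an older sshd that does not know the keyword the rendered file fails `sshd -t` and the service will not restart with it. That matches the distro matrix in .github/workflows/main.yml (ubuntu2004, ubuntu2204), but it should be stated in the role's changelog and supported-platform metadata rather than only implied by the test matrix.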