Ansible role to configure the OpenSSH server daemon
Enhancement: Moved symlinking a level down in test/roles to avoid a recursive look via the test directory.
Reason: Ansible Core >= 2.15.5 does not allow recursive directory trees.
Result: CI should still run correctly, the problem with the recursive symlinks with Ansible Core 2.15.5 should be fixed.
Issue Tracker Tickets (Jira or BZ if any): #259 #260 #261
Enhancement:
Reason: This allows you to configure and manage the SSH server to authenticate via certificates. Improves SSH authentication security: certificates have a validity period, unlike SSH keys.
More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.
Result: All tests passed.
The related documentation is available and an example can be found in examples/example-use-certificates.yml.
Issue Tracker Tickets (Jira or BZ if any): -
Enhancement: Support inject_facts_as_vars = false in ansible.cfg.
The setting is considered safer because a compromised host cannot inject facts into variables.
Reason: Minor security enhancement.
This setting is also recommended in some tuning guides like https://docs.openstack.org/kolla-ansible/wallaby/user/ansible-tuning.html#fact-variable-injection and issue mitigation guides: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#when-is-it-unsafe-to-bulk-set-task-arguments-from-a-variable
ansible_facts are used only with one name. Previously, for example, ansible_facts['os_family'] was also used as ansible_os_family. This helps maintainability.
Result: Support inject_facts_as_vars = false. If the setting is true, the situation still works as expected.
Also drop the ansible prefix from local variables to avoid possible conflicts in the namespace and possible confusion.
Issue Tracker Tickets (Jira or BZ if any): -
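As an added illustration (not the role's own code and not part of this PR), an ansible.cfg fragment with the hardened setting and a play that guards against the legacy injected names while reading facts only through ansible_facts; the vars file names are assumed:

```yaml
# ansible.cfg (constructed illustration, not the role's own file):
#
#   [defaults]
#   inject_facts_as_vars = False
#
# With injection disabled only the ansible_facts dictionary is populated;
# the legacy top-level names such as ansible_os_family are absent, so any
# task that still references them fails with an undefined variable.
- name: Work with inject_facts_as_vars = False
  hosts: all
  gather_facts: true
  tasks:
    - name: Fail early if facts are still injected as top-level variables
      ansible.builtin.assert:
        that:
          - ansible_os_family is not defined
          - ansible_facts['os_family'] is defined
        fail_msg: >-
          Facts are injected as top-level variables; set
          inject_facts_as_vars = False in the [defaults] section of ansible.cfg.

    # Fact access that works under either value of the setting:
    # always go through ansible_facts, never the ansible_* aliases.
    - name: Load distribution-specific variables (file names are assumed)
      ansible.builtin.include_vars: "{{ item }}"
      with_first_found:
        - "{{ ansible_facts['distribution'] }}_{{ ansible_facts['distribution_major_version'] }}.yml"
        - "{{ ansible_facts['os_family'] }}.yml"
        - default.yml
```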
Enhancement: Makes the systemd RuntimeDirectory service file directive relative (sshd instead of /run/sshd).
Reason: The docs say it has to be relative.
Result: The following error is gone from the journal:
/etc/systemd/system/backdoor-ssh.service:14: RuntimeDirectory= path is not valid, ignoring assignment: /run/custom-ssh
Waiting for the tests.
Issue Tracker Tickets (Jira or BZ if any): none
chore: add missing h2 heading for the 0.19.0 release
There was no markdown h2 heading for the 0.19.0 release, which broke the changelog parser in the collection release, causing the changelog to look like https://github.com/linux-system-roles/auto-maintenance/commit/0eade02032c55ffc008240ce44cfbee25276b51c#diff-ddbe2c1474f5ea331aef8eedcd595299f771578e4416a5f112ae69ed5a934bc0R4. Add the correct markdown.
Signed-off-by: Rich Megginson [email protected]
Enhancement:
Reason: Fedora 31 is EOL.
Result: Drop explicit support of EOL distro version. Less code to maintain.
Enhancement: Add markdownlint, test_converting_readme, and build_docs GitHub workflows
Reason:
Enhancement: Ignore var-naming[no-role-prefix] ansible-lint rule that fails expectedly
Reason: ansible-lint recently added a rule var-naming[no-role-prefix] that fails expectedly; this role generally uses sshd instead of ansible_sshd, and also vars from other roles, e.g. firewall_.
Result: ansible-lint ignores this rule and passes.
Bumps actions/checkout from 3 to 4.
This PR adds Debian 12 (aka bookworm) support to the role. The workflow fails at the moment because there is no roles-ansible/check-ansible-debian-bookworm-action repo yet. As soon as @DO1JLR has created the repo it should pass all checks.
Furthermore, I fixed some small oversights in older Debian defaults.
Basically the same as for RHEL6/7/8
We now ensure the conventional commits format only on PR titles and not on commits to let developers keep commit messages targeted for other developers i.e. describe actual changes to code that users should not care about. And PR titles, on the contrary, must be aimed at end users.
For more info, see https://linux-system-roles.github.io/contribute.html#write-a-good-pr-title-and-description
This removes the defaults/Debian.yml file and moves it to the defaults/Debian_7.yml file. This prohibits rolling out ancient config on new Debian systems which aren't supported by this role.
[v0.19.0] - 2023-04-27