This role helps with configuring the OpenSSH server aka sshd from Ansible variables. For example, it
allows to edit sshd's config file /etc/ssh/sshd_config. Variable sshd_config defines a list of tasks which will be
run by this role. Each task calls an Ansible module similar to tasks in roles or playbooks except that only few
keywords such as when are supported. For example, to disable password authentication and deny
root login define variable sshd_config in group_vars or host_vars as such:
sshd_config:
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regex: '^#*PasswordAuthentication .*'
line: 'PasswordAuthentication no'
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regex: '^#*PermitRootLogin .*'
line: 'PermitRootLogin no'First, this role will install packages for OpenSSH server which match the distribution specified in variable
distribution_id. Next, it will run all tasks listed in sshd_config. Once all tasks have finished and if anything
has changed (and if sshd_service_state is not set to stopped), then sshd's service (set in sshd_service_name)
is restarted to apply changes.
Tested OS images
- Cloud image (
amd64) of Debian 10 (Buster) - Cloud image (
amd64) of Debian 11 (Bullseye) - Cloud image (
amd64) of Debian 12 (Bookworm) - Cloud image (
amd64) of Debian 13 (Trixie) - Cloud image (
amd64) of CentOS 7 (Core) - Cloud image (
amd64) of CentOS 8 (Stream) - Cloud image (
amd64) of CentOS 9 (Stream) - Cloud image (
amd64) of Fedora Cloud Base 40 - Cloud image (
amd64) of Ubuntu 18.04 LTS (Bionic Beaver) - Cloud image (
amd64) of Ubuntu 20.04 LTS (Focal Fossa) - Cloud image (
amd64) of Ubuntu 22.04 LTS (Jammy Jellyfish) - Cloud image (
amd64) of Ubuntu 24.04 LTS (Noble Numbat)
Available on Ansible Galaxy in Collection jm1.cloudy.
This role uses module(s) from collection jm1.ansible and collection jm1.pkg.
To install these collections you may follow the steps described in README.md using the provided
requirements.yml.
| Name | Default value | Required | Description |
|---|---|---|---|
distribution_id |
depends on operating system | false | List which uniquely identifies a distribution release, e.g. [ 'Debian', '10' ] for Debian 10 (Buster) |
sshd_config |
[] |
false | List of tasks to run 1 2 3, e.g. to edit /etc/ssh/sshd_config |
sshd_service_enabled |
true |
false | Whether the sshd service should start on boot |
sshd_service_name |
depends on distribution_id |
false | Name of the sshd service, e.g. ssh on Debian and sshd on Red Hat Enterprise Linux |
sshd_service_state |
started |
false | State of the sshd service |
| Name | Description |
|---|---|
jm1.pkg.setup |
Installs necessary software for module jm1.pkg.meta_pkg from collection jm1.pkg. This role is called automatically, manual execution is NOT required. |
- hosts: all
become: true
roles:
- name: Manage sshd service
role: jm1.cloudy.sshd
tags: ["jm1.cloudy.sshd"]For more examples on how to use this role, refer to variable sshd_config as defined in group_vars/all.yml from the
provided examples inventory.
For instructions on how to run Ansible playbooks have look at Ansible's Getting Started Guide.
GNU General Public License v3.0 or later
See LICENSE.md to see the full text.
Jakob Meng @jm1 (github, galaxy, web)
Footnotes
-
Useful Ansible modules in this context could be
blockinfile,copy,debconf,file,lineinfileandtemplate. ↩ -
Tasks will be executed with
jm1.ansible.execute_modulewhich supports keywordwhenonly. ↩ -
Tasks will be executed with
jm1.ansible.execute_modulewhich supports modules and action plugins only. Some Ansible modules such asansible.builtin.metaandansible.builtin.{include,import}_{playbook,role,tasks}are core features of Ansible, in fact not implemented as modules and thus cannot be called fromjm1.ansible.execute_module. Doing so causes Ansible to raise errors such asMODULE FAILURE\nSee stdout/stderr for the exact error. In addition, Ansible does not support free-form parameters for arbitrary modules, so for example, change from- debug: msg=""to- debug: { msg: "" }. ↩