remove small moduli needs package upgrade hook #1

Open
wookietreiber opened this issue Aug 31, 2020 · 1 comment
@wookietreiber
Member

At least on Arch Linux, the changes to /etc/ssh/moduli are not preserved, i.e. they are overwritten on each package upgrade.

@dirks

dirks commented Jan 10, 2022

On Debian et al., config files are by default not overwritten.

~$ dpkg --status openssh-server
[…]
Conffiles:
[…]
  /etc/ssh/moduli 2679899083c9df983a24200f235fec11
[…]

On RHEL et al., one seems to need the spec file from the src package to know what is what, as there is a difference between %config and %config(noreplace) 🙄

~$ yumdownloader --source openssh
~$ rpm2cpio openssh-8.0p1-12.el8.src.rpm  | cpio -civ '*.spec'
~$ cat openssh.spec 
[…]
%files
[…]
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
[…]

So I would say this is probably Arch-specific and warrants a bug against the Arch ssh package.

If it should be done here, something along these lines in an Arch-specific task/handler:

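# NoUpgrade tells pacman to leave the listed file alone on upgrade
# (the path is given without a leading slash).
# pacman only reads this file if /etc/pacman.conf has an Include line for it.
- name: manage ssh moduli with ansible not pacman
  copy:
    dest: /etc/pacman.d/openssh
    content: |
        [options]
        NoUpgrade=etc/ssh/moduli
  when: ssh_modulus_min is defined

- name: manage ssh moduli via pacman
  file:
    path: /etc/pacman.d/openssh
    state: absent
  when: ssh_modulus_min is not defined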

@wookietreiber wookietreiber transferred this issue from idiv-biodiversity/ansible-role-ssh Feb 14, 2024
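
As an added example (not from the issue thread or the role's own code): a shell check that detects when a package upgrade has put small moduli back into the file, by counting entries whose size field (the fifth field of a moduli line) is below a minimum. The function names, the constructed sample entries and the 3071 threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example: detect drift in an OpenSSH moduli file after a package upgrade.
# moduli(5) fields: time type tests trials size generator modulus

# Print the number of entries in FILE whose size (field 5) is below MIN.
count_small_moduli() {
    file=$1 min=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v min="$min" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        NF >= 7 && $5 + 0 < min + 0 { n++ }    # well-formed entry below MIN
        END { print n + 0 }
    ' "$file"
}

# Exit 0 if FILE has no entry below MIN, 1 if it has, 2 if it is unreadable.
moduli_clean() {
    n=$(count_small_moduli "$1" "$2") || return 2
    [ "$n" -eq 0 ]
}

# Write a constructed sample (shortened fake moduli, not real primes) to FILE.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20200101000000 2 6 100 2047 2 F0E1D2C3
20200101000001 2 6 100 3071 2 A1B2C3D4
20200101000002 2 6 100 4095 5 99887766

20200101000003 2 6 100 1535 2 0A0B0C0D
EOF
}

# Demo on the constructed sample; 3071 is an assumed minimum.
sample=$(mktemp)
write_sample_moduli "$sample"
echo "entries below 3071: $(count_small_moduli "$sample" 3071)"
if moduli_clean "$sample" 3071; then echo "clean"; else echo "drift detected"; fi
rm -f "$sample"
```

Run against /etc/ssh/moduli after an upgrade, a non-zero count means the filtered file was replaced by the packaged one.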