Merge branch 'release/2.0.0'

.travis.yml

@@ -7,36 +7,47 @@ python:
   - "3.6"
   - "3.7"
   - "3.8"
+
 env:
-  - ANSIBLE=2.9.2
-  - ANSIBLE=2.9.3
-  - ANSIBLE=2.9.4
-  - ANSIBLE=2.9.5
-  - ANSIBLE=2.9.6
-  - ANSIBLE=2.9.7
-  - ANSIBLE=2.9.8
-  - ANSIBLE=2.9.9
-  - ANSIBLE=2.9.10
+  # Matrix built with https://play.golang.org/p/VNz0tiTDasm
+  - MOLECULE_DISTRO=centos7 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=centos7 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=centos7 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=centos7 ANSIBLE_VERSION=2.9.10
+  - MOLECULE_DISTRO=centos8 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=centos8 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=centos8 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=centos8 ANSIBLE_VERSION=2.9.10
+  - MOLECULE_DISTRO=ubuntu1804 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=ubuntu1804 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=ubuntu1804 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=ubuntu1804 ANSIBLE_VERSION=2.9.10
+  - MOLECULE_DISTRO=ubuntu2004 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=ubuntu2004 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=ubuntu2004 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=ubuntu2004 ANSIBLE_VERSION=2.9.10
+  - MOLECULE_DISTRO=debian9 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=debian9 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=debian9 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=debian9 ANSIBLE_VERSION=2.9.10
+  - MOLECULE_DISTRO=debian10 ANSIBLE_VERSION=2.9.2
+  - MOLECULE_DISTRO=debian10 ANSIBLE_VERSION=2.9.8
+  - MOLECULE_DISTRO=debian10 ANSIBLE_VERSION=2.9.9
+  - MOLECULE_DISTRO=debian10 ANSIBLE_VERSION=2.9.10
 
 services:
 - docker
 
-# Install ansible
-addons:
-  apt:
-    packages:
-    - python-pip
 install:
   # Install ansible
-  - pip install ansible==$ANSIBLE
-  - pip install molecule[docker,lint]
+  - pip install ansible==$ANSIBLE_VERSION molecule[docker,lint]
+  - pip install yamllint ansible-lint docker
 
   # Check ansible version
   - ansible --version
   - molecule --version
 
 script:
-
   # Run molecule tests
   - molecule test
 

README.md

@@ -10,7 +10,11 @@ Ansible role for a Secure OpenSSH configuration.
 > You should update immediately.
 
 ---
-<!-- TOC START min:2 max:3 link:true update:true -->
+
+<!-- @import "[TOC]" {cmd="toc" depthFrom=2 depthTo=3 orderedList=false} -->
+
+<!-- code_chunk_output -->
+
 - [Motivation](#motivation)
 - [What does the role configure?](#what-does-the-role-configure)
   - [Protocol version](#protocol-version)
@@ -20,6 +24,8 @@ Ansible role for a Secure OpenSSH configuration.
   - [Server Authentication](#server-authentication)
   - [Client Authentication](#client-authentication)
   - [Optional: `/etc/ssh/moduli`](#optional-etcsshmoduli)
+- [Supported Operating Systems and Versions](#supported-operating-systems-and-versions)
+- [Test matrix](#test-matrix)
 - [Installation](#installation)
 - [Role variables](#role-variables)
   - [Overview](#overview)
@@ -28,7 +34,7 @@ Ansible role for a Secure OpenSSH configuration.
   - [Instructions](#instructions)
   - [Screencast](#screencast)
 
-<!-- TOC END -->
+<!-- /code_chunk_output -->
 ---
 
 ## Motivation
@@ -154,6 +160,30 @@ As of the time of this writing, a `sssh_moduli_size` of 1024 is considered secur
 by todays standards. A size of 2048 bit is considered secure for the foreseeable
 future.
 
+## Supported Operating Systems and Versions
+
+Since I am limited in the time I can put into this project, this role will support the last two releases of the following operating systems.
+
+* CentOS and RedHat Enterprise Linux
+* Debian
+* Ubuntu (last two LTS releases)
+
+As for the exact versions, please see [the role information on Galaxy](https://galaxy.ansible.com/mwmahlberg/sssh).
+
+## Test matrix
+
+The role is tested against a complete matrix consisting of the following:
+
+* Python Versions 3.6, 3.7 and 3.8
+* Ansible Versions 2.9.2, 2.9.8, 2.9.9 and 2.9.10
+* OS Versions:
+  * CentOS 7 and 8
+  * Debian 9 and 10
+  * Ubuntu 18.04 and 20.04
+
+Before using the role in production, I strongly suggest to [look up whether your specific setup
+was successfully tested](https://travis-ci.org/github/mwmahlberg/ansible-role-sssh).
+
 ## Installation
 
 Simply drop
@@ -162,11 +192,6 @@ Simply drop
 
 into your shell.
 
-<!-- Click on the image below to see a screen recording on what to expect during the installation.
-
-<a href="https://asciinema.org/a/8KMZN2sPiSIfC29bqMqvBacFD?speed=2&theme=monokai&autoplay=1" target="_blank"><img src="https://asciinema.org/a/8KMZN2sPiSIfC29bqMqvBacFD.png"  width="250"/></a> -->
-[![asciicast](https://asciinema.org/a/187545.svg)](https://asciinema.org/a/187545?autoplay=1)
-
 ## Role variables
 
 Below you will find the variables used in this role.

handlers/main.yml

@@ -24,12 +24,26 @@
   service:
     name: sshd
     state: restarted
+    enabled: true
   when: ansible_os_family == "RedHat"
   listen: restart sshd
 
 - name: restart ssh on Debian family OSes
   service:
     name: ssh
     state: restarted
+    enabled: true
   when: ansible_os_family == "Debian"
   listen: restart sshd
+
+- name: Print new RSA key if one was generated
+  listen: "print new key"
+  debug:
+    var: rsakey.public_key
+  when: rsakey.changed
+
+- name: Print new ED25519 key if one was generated
+  listen: "print new key"
+  debug:
+    var: ed25519key.public_key
+  when: ed25519key.changed

meta/main.yml

@@ -35,7 +35,10 @@ galaxy_info:
       versions:
         - focal
         - bionic
-        - xenial
+    - name: Debian
+      versions:
+        - buster
+        - stretch
 
   galaxy_tags: ["ssh", "sshd", "system", "openssh"]
     # List tags for your role here, one per line. A tag is a keyword that describes

molecule/default/molecule.yml

@@ -4,30 +4,20 @@ dependency:
 driver:
   name: docker
 
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
 
 platforms:
-  - name: sssh_centos7
-    image: centos:7
-    command: /sbin/init
-    tmpfs:
-      - /run
-      - /tmp
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  - name: sssh_centos8
-    image: centos:8
-    command: /sbin/init
-    tmpfs:
-      - /run
-      - /tmp
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  - name: ubuntu16.04_xenial
-    image: docker.io/jrei/systemd-ubuntu:16.04      
-  - name: ubuntu18.04_bionic
-    image: docker.io/jrei/systemd-ubuntu:18.04
-  - name: ubuntu20.04_focal
-    image: docker.io/jrei/systemd-ubuntu:20.04       
+    privileged: true
+    pre_build_image: true
+
 provisioner:
   name: ansible
 verifier:

tasks/main.yml

@@ -16,7 +16,20 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 ---
 # tasks file for ansible-role-sssh
+- name: Ensure apt cache is updated
+  apt:
+    update_cache: yes
+  when: ansible_distribution == "Ubuntu" or ansible_distribution=="Debian"
+  changed_when: False
 
+- name: Ensure sshd is present
+  package:
+    name: openssh-server
+    state: present
+  notify: "restart sshd"
+
+- name: Force all notified handlers to run at this point, not waiting for normal sync points
+  meta: flush_handlers
 
 - import_tasks: savemoduli.yml
   tags: moduli

tasks/server_keys.yml

@@ -56,9 +56,13 @@
   openssh_keypair:
     type: ed25519
     path: /etc/ssh/ssh_host_ed25519_key
+  register: ed25519key
+  notify: "print new key"
 
 - name: Generate new ssh keys (rsa)
   openssh_keypair:
     type: rsa
     path: /etc/ssh/ssh_host_rsa_key
-    size: "{{ sssh_rsa_key_size }}"
+    size: "{{ sssh_rsa_key_size }}"
+  register: rsakey
+  notify: "print new key"