change variable layout

README.md

@@ -20,23 +20,6 @@ The following roles are tested in combination and work well - at least for the u
 ------------------------------
 **Remember:** Have a look into ``defaults/main.yml`` for all possible variables.
 
-```bash
-restrict_allow_users: True
-```
-With tis option you can enable or disable if a user needs to be in a special defined group. Like wheels, sudo or something else.
-The default ddh groups are ``admins`` and ``root``
-
-```bash
-only_allow_ed25519: true 
-```
-Force ssh to deny all ssh keys except for eliptic curve ed25519 keys.
-
-```bash
-sshd_password_authentication: 'no' 
-```
-Change the string from 'no' to 'yes' if you want to log in with a password (not recomended).
-
-There are some other cryptographic algorythmen you could enable...
 
 ### Important part:
 Define the users (and optional their ssh keys) for the ssh config template:

defaults/main.yml

@@ -1,80 +1,67 @@
 ---
-sshd:
-  # set the ssh server port
-  port: 22
+# set the ssh server port
+sshd__port: 22
   # ssh password authorisatuin (not recomended)
-  password_authentication: false
+sshd__password_authentication: false
   # should we disable not selected ssh key types?
-  manage_key_types: true
+sshd__manage_key_types: true
   # choose ssh server allowed key types
-  key_types:
-    - 'ed25519'
-    # - 'rsa'
-    # - 'ecdsa'
-    # - 'dsa' # (do not use!)
+sshd__key_types:
+  - 'ed25519'
+  # - 'rsa'
+  # - 'ecdsa'
+  # - 'dsa' # (do not use!)
 
-  key_algorithmus:
-    - 'ssh-ed25519-cert-v01@openssh.com'
-    - 'ssh-ed25519'
-    # - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
-    # - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
-    # - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
-    # - 'rsa-sha2-512-cert-v01@openssh.com'
-    # - 'rsa-sha2-256-cert-v01@openssh.com'
-    # - 'ssh-rsa-cert-v01@openssh.com'
-    # - 'ecdsa-sha2-nistp521'
-    # - 'ecdsa-sha2-nistp384'
-    # - 'ecdsa-sha2-nistp256'
-    # - 'rsa-sha2-512'
-    # - 'rsa-sha2-256'
-    # - 'ssh-rsa'
+sshd__key_algorithmus:
+  - 'ssh-ed25519-cert-v01@openssh.com'
+  - 'ssh-ed25519'
+  # - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
+  # - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
+  # - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
+  # - 'rsa-sha2-512-cert-v01@openssh.com'
+  # - 'rsa-sha2-256-cert-v01@openssh.com'
+  # - 'ssh-rsa-cert-v01@openssh.com'
+  # - 'ecdsa-sha2-nistp521'
+  # - 'ecdsa-sha2-nistp384'
+  # - 'ecdsa-sha2-nistp256'
+  # - 'rsa-sha2-512'
+  # - 'rsa-sha2-256'
+  # - 'ssh-rsa'
 
-  kex_algorithmus:
-    - 'curve25519-sha256@libssh.org'
-    - 'diffie-hellman-group-exchange-sha256'
-    # - 'diffie-hellman-group-exchange-sha1'
-    # - 'diffie-hellman-group14-sha1'
-    # - 'diffie-hellman-group1-sha1'
+sshd__kex_algorithmus:
+  - 'curve25519-sha256@libssh.org'
+  - 'diffie-hellman-group-exchange-sha256'
+  # - 'diffie-hellman-group-exchange-sha1'
+  # - 'diffie-hellman-group14-sha1'
+  # - 'diffie-hellman-group1-sha1'
 
-  ciphers:
-    - 'chacha20-poly1305@openssh.com'
-    - 'aes256-gcm@openssh.com'
-    # - 'aes256-ctr'
-    # - 'aes256-cbc'
-    # - 'aes128-ctr'
-    # - 'aes128-cbc'
-  macs:
-    - 'hmac-sha2-512-etm@openssh.com'
-    - 'hmac-sha2-256-etm@openssh.com'
-    # - 'hmac-sha2-512'
-    # - 'hmac-sha2-256'
-    # - 'hmac-ripemd160-etm@openssh.com'
-    # - 'umac-128-etm@openssh.com'
-    # - 'hmac-sha1'
-  # Enable AllowUsers and AllowGroups options
-  restrict_users: True
-  allowed_users:
-    - "root"
-    - "ansible"
-  restrict_groups: True
-  allowed_groups:
-    - "root"
-    - "admins"
-  xforwarding: True
+sshd__ciphers:
+  - 'chacha20-poly1305@openssh.com'
+  - 'aes256-gcm@openssh.com'
+  # - 'aes256-ctr'
+  # - 'aes256-cbc'
+  # - 'aes128-ctr'
+  # - 'aes128-cbc'
 
-#
-### Forcing only ed25519 SSH keys
-#only_allow_ed25519: true
-#
-## Allow login with password?
-#
-### Allow optional cryptho methods (NOT RECOMENDED)
-#generate_ecdsa_too: false
-#use_diffie_hellman_group_exchange_sha256: false
-#u#se_aes256_ctr: false
-#u#se_hmac_sha2_512: false
-###
-#do_not_delete_legacy_ssh_keys: true
+sshd__macs:
+  - 'hmac-sha2-512-etm@openssh.com'
+  - 'hmac-sha2-256-etm@openssh.com'
+  # - 'hmac-sha2-512'
+  # - 'hmac-sha2-256'
+  # - 'hmac-ripemd160-etm@openssh.com'
+  # - 'umac-128-etm@openssh.com'
+  # - 'hmac-sha1'
+
+# Enable AllowUsers and AllowGroups options
+sshd__restrict_users: True
+sshd__allowed_users:
+  - "root"
+  - "ansible"
+sshd__restrict_groups: True
+sshd__allowed_groups:
+  - "root"
+  - "admins"
+sshd__xforwarding: True
 
 # perform simple version check for this role? (true is recomended)
 submodules_versioncheck: false

handlers/main.yml

@@ -2,6 +2,6 @@
 - name: systemctrl restart ssh
   become: yes
   service:
-    name: "{{ sshd_service }}"
+    name: "{{ sshd__service }}"
     state: restarted
-  when: sshd_service is defined
+  when: sshd__service is defined

tasks/main.yml

@@ -1,8 +1,4 @@
 ---
-- name: combine sshd variable
-  set_fact:
-    sshd: "{{ _sshd|combine(sshd, recursive=True) }}"
-
 - include_tasks: versioncheck.yml
   when: submodules_versioncheck|bool
 
@@ -16,8 +12,8 @@
 
 - name: Collect all users and groups allowed to login via ssh
   set_fact:
-    sshd_allowed_users:  '{{ sshd.allowed_users + users.keys() | default({}) | sort }}'
-    sshd_allowed_groups: '{{ sshd.allowed_groups + users.keys() | default({}) | sort }}'
+    sshd__allowed_users:  '{{ sshd__allowed_users + users.keys() | default({}) | sort }}'
+    sshd__allowed_groups: '{{ sshd__allowed_groups + users.keys() | default({}) | sort }}'
 
 - name: Generate new ssh host key pair if necessary
   become: yes
@@ -27,9 +23,9 @@
     creates: 'ssh_host_{{ item }}_key.pub'
   notify:
     - systemctrl restart ssh
-  with_items: "{{ sshd.key_types }}"
+  with_items: "{{ sshd__key_types }}"
   when:
-    - sshd.manage_key_types | bool
+    - sshd__manage_key_types | bool
 
 - name: Remove unwanted host keys
   become: yes
@@ -48,7 +44,7 @@
     state: absent
   become: yes
   with_items:
-    - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
+    - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
   notify:
     - systemctrl restart ssh
 
@@ -58,7 +54,7 @@
     state: absent
   become: yes
   with_items:
-    - "{{ sshd_key_types_list | difference( sshd.key_types ) }}"
+    - "{{ sshd__key_types_list | difference( sshd__key_types ) }}"
   notify:
     - systemctrl restart ssh
 

tasks/versioncheck.yml

@@ -7,15 +7,6 @@
     mode: 0755
   when: submodules_versioncheck|bool
 
-- name: check legacy playbook version
-  become: true
-  slurp:
-    src: "/etc/ansible-version/{{ playbook_version_path }}"
-  register: legacy_playbook_version
-  when: submodules_versioncheck|bool
-  ignore_errors: yes
-  changed_when: False
-
 - name: check playbook version
   become: true
   slurp:
@@ -23,6 +14,7 @@
   register: playbook_version
   when: submodules_versioncheck|bool
   ignore_errors: yes
+  failed_when: false
 
 - name: Print remote role version
   debug:
@@ -39,26 +31,12 @@
     msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
   when:
     - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
-    - legacy_playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
-
-- name: delete legacy version if needed
-  become: true
-  file:
-    state: absent
-    path: "/etc/ansible-version/{{ playbook_version_path }}"
 
 - name: check if '/etc/ansible-version/' is empty
   find:
     paths: '/etc/ansible-version/'
   register: filesFound
 
-- name: delete legacy version folder if needed
-  become: true
-  file:
-    state: absent
-    path: "/etc/ansible-version"
-  when: filesFound.matched < 0
-
 - name: write new version to remote disk
   become: true
   copy:

templates/sshd_config.j2

@@ -7,7 +7,7 @@
 Include /etc/ssh/sshd_config.d/*.conf
 
 # Networking
-Port {{ sshd.port }}
+Port {{ sshd__port }}
 AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
@@ -16,7 +16,7 @@ TCPKeepAlive yes
 
 # Key exchange
 {{ 'KexAlgorithms ' }}
-{%- for algo in sshd.kex_algorithmus -%}
+{%- for algo in sshd__kex_algorithmus -%}
 {{ algo }}{{ "," if not loop.last }}
 {%- endfor %}
 
@@ -25,7 +25,7 @@ TCPKeepAlive yes
 #RekeyLimit default none
 
 {{ 'Ciphers ' }}
-{%- for cipher in sshd.ciphers -%}
+{%- for cipher in sshd__ciphers -%}
 {{ cipher }}{{ "," if not loop.last }}
 {%- endfor %}
 
@@ -36,7 +36,7 @@ LogLevel INFO
 
 # Macs
 {{ 'MACs ' }}
-{%- for mac in sshd.macs -%}
+{%- for mac in sshd__macs -%}
 {{ mac }}{{ "," if not loop.last }}
 {%- endfor %}
 
@@ -44,9 +44,9 @@ LogLevel INFO
 Protocol 2
 
 
-{% if sshd.manage_key_types | bool -%}
+{% if sshd__manage_key_types | bool -%}
 # host key types
-{% for key in sshd.key_types %}
+{% for key in sshd__key_types %}
 HostKey /etc/ssh/ssh_host_{{ key }}_key
 {% endfor %}
 {%- endif %}
@@ -55,7 +55,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
 # HostKeyAlgorithms
 # Maybe not available in openssh 6.7
 {{ 'HostKeyAlgorithms ' }}
-{%- for key in sshd.key_algorithmus -%}
+{%- for key in sshd__key_algorithmus -%}
 {{ key }}{{ "," if not loop.last }}
 {%- endfor %}
 
@@ -64,7 +64,7 @@ HostKey /etc/ssh/ssh_host_{{ key }}_key
 MaxAuthTries 6
 MaxSessions 10
 PasswordAuthentication
-{%- if sshd.password_authentication | bool -%}
+{%- if sshd__password_authentication | bool -%}
   {{ ' yes' }}
 {% else -%}
   {{ ' no' }}
@@ -75,7 +75,7 @@ PermitRootLogin without-password
 LoginGraceTime 120
 StrictModes yes
 X11Forwarding
-{%- if sshd.xforwarding | bool -%}
+{%- if sshd__xforwarding | bool -%}
   {{ ' yes' }}
 {% else -%}
   {{ ' no' }}
@@ -112,11 +112,11 @@ TCPKeepAlive yes
 UsePAM yes
 
 # User Authentication
-{% if sshd.restrict_users -%}
-  AllowUsers {{ sshd_allowed_users|join(' ') }}
+{% if sshd__restrict_users -%}
+  AllowUsers {{ sshd__allowed_users|join(' ') }}
 {%- endif %}
-{% if sshd.restrict_groups -%}
-  AllowUsers {{ sshd_allowed_groups|join(' ') }}
+{% if sshd__restrict_groups -%}
+  AllowUsers {{ sshd__allowed_groups|join(' ') }}
 {%- endif %}
 
 # Allow client to pass locale environment variables

vars/main.yml

@@ -1,10 +1,3 @@
 ---
-_sshd:
-  port: 22
-  password_authentication: false
-  manage_key_types: true
-  key_types:
-    - ed25519
-
-playbook_version_number: 2060 # should be over ninethousand
+playbook_version_number: 2070 # should be over ninethousand
 playbook_version_path: 'role-sshd_chaos-bodensee_github.com.version'

vars/sshd_archlinux.yml

@@ -1,10 +1,10 @@
 ---
-sshd_service: sshd
-sshd_key_types_list:
+sshd__service: sshd
+sshd__key_types_list:
   - ed25519
   - rsa
   - ecdsa
   - dsa
 
-sshd_xauth:
+sshd__xauth:
   - xorg-xauth

vars/sshd_centos.yml

@@ -1,10 +1,10 @@
 ---
-sshd_service: sshd
-sshd_key_types_list:
+sshd__service: sshd
+sshd__key_types_list:
   - ed25519
   - rsa
   - ecdsa
   - dsa
 
-sshd_xauth:
+sshd__xauth:
   - xorg-xauth

vars/sshd_debian.yml

@@ -1,10 +1,10 @@
 ---
-sshd_service: ssh
-sshd_key_types_list:
+sshd__service: ssh
+sshd__key_types_list:
   - ed25519
   - rsa
   - ecdsa
   - dsa
 
-sshd_xauth:
+sshd__xauth:
   - xorg-xauth

vars/sshd_default.yml

@@ -1,10 +1,10 @@
 ---
-sshd_service: ssh
-sshd_key_types_list:
+sshd__service: ssh
+sshd__key_types_list:
   - ed25519
   - rsa
   - ecdsa
   - dsa
 
-sshd_xauth:
+sshd__xauth:
   - xorg-xauth

vars/sshd_fedora.yml

@@ -1,10 +1,10 @@
 ---
-sshd_service: sshd
-sshd_key_types_list:
+sshd__service: sshd
+sshd__key_types_list:
   - ed25519
   - rsa
   - ecdsa
   - dsa
 
-sshd_xauth:
+sshd__xauth:
   - xorg-xauth