Add molecule testing

.ansible-lint

@@ -1,9 +0,0 @@
----
-
-exclude_paths:
-  - test.yaml
-
-warn_list:
-  - internal-error
-
-# vi: ft=yaml

README.md

@@ -12,14 +12,14 @@ If you are running this role with older versions of OpenSSH, such as version 5.3
 This is the default in this role.
 
 ```yaml
-openssh_kexalgorithms:
+ssh_kexalgorithms:
   - curve25519-sha256@libssh.org
   - ecdh-sha2-nistp521
   - ecdh-sha2-nistp384
   - ecdh-sha2-nistp256
   - diffie-hellman-group-exchange-sha256
 
-openssh_ciphers:
+ssh_ciphers:
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
   - aes128-gcm@openssh.com
@@ -27,7 +27,7 @@ openssh_ciphers:
   - aes192-ctr
   - aes128-ctr
 
-openssh_macs:
+ssh_macs:
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
   - umac-128-etm@openssh.com
@@ -38,9 +38,8 @@ openssh_macs:
 
 ### Mozilla Intermediate
 ```yaml
-openssh_hostkeys:
+ssh_hostkey_file: /etc/ssh/ssh_host_rsa_key
-  - /etc/ssh/ssh_host_rsa_key
+ssh_hostkey_file: /etc/ssh/ssh_host_ecdsa_key
-  - /etc/ssh/ssh_host_ecdsa_key
 
 ssh_kexalgorithms:
   - diffie-hellman-group-exchange-sha256

defaults/main.yaml

@@ -1,38 +1,33 @@
 ---
 
-openssh_sshd_config_path: /etc/ssh
+sshd_config_path: /etc/ssh
 
-openssh_port: 22
+ssh_port: 22
-openssh_address_family: any
+ssh_address_family: any
-openssh_listen_addresses:
+ssh_listen_addresses:
   - 0.0.0.0
 
-openssh_hostkeys:
+ssh_allow_groups: ssh
-  - /etc/ssh/ssh_host_ed25519_key
+ssh_login_grace_time: 20
-  - /etc/ssh/ssh_host_ecdsa_key
+ssh_permit_root_login: 'no'
-  - /etc/ssh/ssh_host_rsa_key
+ssh_strict_modes: 'yes'
+ssh_max_auth_tries: 3
+ssh_max_sessions: 2
 
-openssh_allow_groups: ssh
+ssh_pubkey_authentication: 'yes'
-openssh_login_grace_time: 20
-openssh_permit_root_login: 'no'
-openssh_strict_modes: 'yes'
-openssh_max_auth_tries: 3
-openssh_max_sessions: 2
 
-openssh_pubkey_authentication: 'yes'
+ssh_authorized_keys_file: .ssh/authorized_keys
 
-openssh_authorized_keys_file: .ssh/authorized_keys
+ssh_kexalgorithms:
-
+  # Mozilla Modern
-openssh_kexalgorithms:
-  # Compliant with Mozilla Modern
   - curve25519-sha256@libssh.org
   - ecdh-sha2-nistp521
   - ecdh-sha2-nistp384
   - ecdh-sha2-nistp256
   - diffie-hellman-group-exchange-sha256
 
-openssh_ciphers:
+ssh_ciphers:
-  # Compliant with Mozilla Modern
+  # Mozilla Modern
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
   - aes128-gcm@openssh.com
@@ -40,8 +35,8 @@ openssh_ciphers:
   - aes192-ctr
   - aes128-ctr
 
-openssh_macs:
+ssh_macs:
-  # Compliant with Mozilla Modern
+  # Mozilla Modern
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
   - umac-128-etm@openssh.com
@@ -49,27 +44,27 @@ openssh_macs:
   - hmac-sha2-256
   - umac-128@openssh.com
 
-openssh_hostbased_authentication: 'no'
+ssh_hostbased_authentication: 'no'
-openssh_password_authentication: 'no'
+ssh_password_authentication: 'no'
-openssh_permit_empty_passwords: 'no'
+ssh_permit_empty_passwords: 'no'
-openssh_challenge_response_authentication: 'no'
+ssh_challenge_response_authentication: 'no'
-openssh_kerberos_authentication: 'no'
+ssh_kerberos_authentication: 'no'
-openssh_gssapi_authentication: 'no'
+ssh_gssapi_authentication: 'no'
-openssh_use_pam: 'yes'
+ssh_use_pam: 'yes'
 
-openssh_allow_agent_forwarding: 'no'
+ssh_allow_agent_forwarding: 'no'
-openssh_permit_tunnel: 'no'
+ssh_permit_tunnel: 'no'
 
-openssh_x11_forwarding: 'no'
+ssh_x11_forwarding: 'no'
 
-openssh_print_motd: 'no'
+ssh_print_motd: 'no'
 
-openssh_permit_user_env: false
+ssh_permit_user_env: false
-openssh_accept_env:
+ssh_accept_env:
   - LANG
   - 'LC_*'
 
-openssh_banner: true
+ssh_banner: true
-openssh_banner_file: /etc/issue.net
+ssh_banner_file: /etc/issue.net
 
-openssh_loglevel: "VERBOSE"
+ssh_loglevel: "VERBOSE"

makefile

@@ -1,17 +0,0 @@
-##@ General
-
-# Credit the the Woodpecker-CI team for this awesome help script
-.PHONY: help
-help: ## Display this help
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
-
-##@ Test
-
-.PHONY: lint
-lint: ## Lint the Ansible role
-	yamllint .
-	ansible-lint
-
-.PHONY: test
-test: lint ## Test the Ansible role
-	ansible-playbook test.yaml

meta/main.yaml

@@ -1,11 +1,10 @@
 ---
 galaxy_info:
   role_name: openssh
-  namespace: coredotbin
   author: Corbin Bartsch
   description: Sensible and secure defaults for OpenSSH server
   license: MIT
-  min_ansible_version: v2.9
+  min_ansible_version: 2.9
   platforms:
     - name: Debian
       versions:

molecule/default/converge.yml

@@ -0,0 +1,15 @@
+---
+- name: Converge
+  hosts: all
+
+  tasks:
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+      when: ansible_os_family == 'Debian'
+
+    - name: Include role
+      ansible.builtin.include_role:
+        name: ansible-role-openssh
+        tasks_from: main

molecule/default/molecule.yml

@@ -0,0 +1,22 @@
+---
+dependency:
+  name: galaxy
+  enabled: false
+driver:
+  name: docker
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+platforms:
+  - name: instance
+    image: geerlingguy/docker-debian11-ansible:latest
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    priveleged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/default/verify.yml

@@ -0,0 +1,5 @@
+---
+- name: Verify
+  hosts: all
+
+  tasks:

tasks/main.yaml

@@ -6,4 +6,4 @@
     state: present
 
 - name: Create sshd_config file
-  ansible.builtin.include_tasks: template_config.yaml
+  include_tasks: template_config.yaml

tasks/template_config.yaml

@@ -2,14 +2,14 @@
 
 - name: Ensure destination for sshd_config exists
   ansible.builtin.file:
-    path: "{{ openssh_sshd_config_path }}"
+    path: "{{ sshd_config_path }}"
     mode: '0644'
     state: directory
 
 - name: Write sshd_config file
   ansible.builtin.template:
     src: sshd_config.j2
-    dest: "{{ openssh_sshd_config_path }}/sshd_config"
+    dest: "{{ sshd_config_path }}/sshd_config"
     mode: '0644'
   become: true
   notify: Restart sshd
@@ -17,6 +17,6 @@
 - name: Write banner file
   ansible.builtin.template:
     src: issue.net.j2
-    dest: "{{ openssh_banner_file }}"
+    dest: "{{ ssh_banner_file }}"
     mode: '0644'
-  when: openssh_banner
+  when: ssh_banner

templates/sshd_config.j2

@@ -1,70 +1,72 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 
-Port {{ openssh_port }}
+Port {{ ssh_port }}
-AddressFamily {{ openssh_address_family }}
+AddressFamily {{ ssh_address_family }}
-{% for a in openssh_listen_addresses %}
+{% for a in ssh_listen_addresses %}
 ListenAddress {{ a }}
 {% endfor %}
 
-{% if openssh_hostkeys is defined %}
+{% if ssh_hostkey_file is defined %}
-{% for hostkey in openssh_hostkeys %}
+HostKey {{ ssh_hostkey_file }}
-HostKey {{ hostkey }}
+{% else %}
-{% endfor %}
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
 {% endif %}
 
-{% if openssh_kexalgorithms is defined %}
+{% if ssh_kexalgorithms is defined %}
-KexAlgorithms {% for alg in openssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+KexAlgorithms {% for alg in ssh_kexalgorithms %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
 {% endif %}
 
-{% if openssh_ciphers is defined %}
+{% if ssh_ciphers is defined %}
-Ciphers {% for alg in openssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+Ciphers {% for alg in ssh_ciphers %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
 {% endif %}
 
-{% if openssh_macs is defined %}
+{% if ssh_macs is defined %}
-MACs {% for alg in openssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
+MACs {% for alg in ssh_macs %}{{ alg }}{{ "," if not loop.last }}{% endfor %}
 {% endif %}
 
 
-AllowGroups {{ openssh_allow_groups }}
+AllowGroups {{ ssh_allow_groups }}
-LoginGraceTime {{ openssh_login_grace_time }}
+LoginGraceTime {{ ssh_login_grace_time }}
-PermitRootLogin {{ openssh_permit_root_login }}
+PermitRootLogin {{ ssh_permit_root_login }}
-StrictModes {{ openssh_strict_modes }}
+StrictModes {{ ssh_strict_modes }}
-MaxAuthTries {{ openssh_max_auth_tries }}
+MaxAuthTries {{ ssh_max_auth_tries }}
-MaxSessions {{ openssh_max_sessions }}
+MaxSessions {{ ssh_max_sessions }}
 
-PubkeyAuthentication {{ openssh_pubkey_authentication }}
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
-AuthorizedKeysFile {{ openssh_authorized_keys_file }}
+AuthorizedKeysFile {{ ssh_authorized_keys_file }}
 
-HostbasedAuthentication {{ openssh_hostbased_authentication }}
+HostbasedAuthentication {{ ssh_hostbased_authentication }}
 
-PasswordAuthentication {{ openssh_password_authentication }}
+PasswordAuthentication {{ ssh_password_authentication }}
-PermitEmptyPasswords {{ openssh_permit_empty_passwords }}
+PermitEmptyPasswords {{ ssh_permit_empty_passwords }}
-ChallengeResponseAuthentication {{ openssh_challenge_response_authentication }}
+ChallengeResponseAuthentication {{ ssh_challenge_response_authentication }}
-KerberosAuthentication {{ openssh_kerberos_authentication }}
+KerberosAuthentication {{ ssh_kerberos_authentication }}
-GSSAPIAuthentication {{ openssh_gssapi_authentication }}
+GSSAPIAuthentication {{ ssh_gssapi_authentication }}
-UsePAM {{ openssh_use_pam }}
+UsePAM {{ ssh_use_pam }}
 
-AllowAgentForwarding {{ openssh_allow_agent_forwarding }}
+AllowAgentForwarding {{ ssh_allow_agent_forwarding }}
-PermitTunnel {{ openssh_permit_tunnel }}
+PermitTunnel {{ ssh_permit_tunnel }}
 
-X11Forwarding {{ openssh_x11_forwarding }}
+X11Forwarding {{ ssh_x11_forwarding }}
-PrintMotd {{ openssh_print_motd }}
+PrintMotd {{ ssh_print_motd }}
 
-{% if openssh_banner == true %}
+{% if ssh_banner == true %}
-Banner {{ openssh_banner_file }}
+Banner {{ ssh_banner_file }}
 {% endif %}
 
-{% if openssh_permit_user_env == true %}
+{% if ssh_permit_user_env == true %}
 PermitUserEnvironment yes
 
-{% for e in openssh_accept_env %}
+{% for e in ssh_accept_env %}
 AcceptEnv {{ e }}
 {% endfor %}
 {% else %}
 PermitUserEnvironment no
 {% endif %}
 
-LogLevel {{ openssh_loglevel }}
+LogLevel {{ ssh_loglevel }}
 
 {% if ansible_facts['os_family'] == 'RedHat' %}
 Subsystem sftp	/usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO

test.yaml

@@ -1,15 +0,0 @@
----
-- name: Test the role
-  hosts: 127.0.0.1
-  vars_files:
-    - defaults/main.yaml
-  tasks:
-    - name: Test Jinja2 templates
-      check_mode: true
-      diff: true
-      ansible.builtin.template:
-        src: "{{ item }}"
-        dest: "/tmp/{{ item }}"
-      with_items:
-        - templates/sshd_config.j2
-        - templates/issue.net.j2