fix: use __sshd_config as config var derived from sshd_config or sshd

defaults/main.yml

@@ -37,9 +37,6 @@ sshd_sysconfig_override_crypto_policy: false
 # generator
 sshd_sysconfig_use_strong_rng: 0
 
-# Empty dicts to avoid errors
-sshd_config: {}
-
 # The path to sshd_config file. This is useful when creating an included
 # configuration file snippet or configuring second sshd service
 sshd_config_file: "{{ __sshd_config_file }}"

meta/10_top.j2

@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}

meta/30_bottom.j2

@@ -1,5 +1,5 @@
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

tasks/certificates.yml

@@ -6,7 +6,7 @@
  {% if sshd_TrustedUserCAKeys is defined %}
  {{ sshd_TrustedUserCAKeys | to_json }}
  {% else %}
- {{ sshd_config['TrustedUserCAKeys'] | to_json }}
+ {{ __sshd_config['TrustedUserCAKeys'] | to_json }}
  {% endif %}
  block:
  - name: Create Trusted user CA Keys directory
@@ -32,7 +32,7 @@
  {% if sshd_AuthorizedPrincipalsFile is defined %}
  {{ sshd_AuthorizedPrincipalsFile | to_json }}
  {% else %}
- {{ sshd_config['AuthorizedPrincipalsFile'] | to_json }}
+ {{ __sshd_config['AuthorizedPrincipalsFile'] | to_json }}
  {% endif %}
  when: sshd_principals != {}
  block:

tasks/find_ports.yml

@@ -6,8 +6,8 @@
  __sshd_ports_from_config_tmp: >-
  {% if sshd_Port is defined %}
  {{ sshd_Port | to_json }}
- {% elif sshd_config['Port'] is defined %}
- {{ sshd_config['Port'] | to_json }}
+ {% elif __sshd_config['Port'] is defined %}
+ {{ __sshd_config['Port'] | to_json }}
  {% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
  {{ __sshd_defaults['Port'] | to_json }}
  {% else %}

tasks/install.yml

@@ -33,7 +33,8 @@
  - __sshd_hostkeys_nofips | d([])
 
 - name: Make sure hostkeys are available and have expected permissions
- vars: &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+ vars:
+ &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
  __sshd_fips_mode: >-
  {{ __sshd_hostkeys_nofips | d([]) and
  (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
@@ -43,8 +44,8 @@
  __sshd_hostkeys_from_config: >-
  {% if sshd_HostKey is defined %}
  {{ sshd_HostKey | to_json }}
- {% elif sshd_config['HostKey'] is defined %}
- {{ sshd_config['HostKey'] | to_json }}
+ {% elif __sshd_config['HostKey'] is defined %}
+ {{ __sshd_config['HostKey'] | to_json }}
  {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
  {% if __sshd_fips_mode %}
  {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}

tasks/main.yml

@@ -1,17 +1,11 @@
 ---
-- name: Link the deprecated sshd fact
+- name: Print that the sshd variable is deprecated
  when: sshd is defined
- block:
- - name: Print that the sshd variable is deprecated
- ansible.builtin.debug:
- msg: >-
- The sshd variable is deprecated and will be removed
- in a future version. Edit your playbook to use
- the sshd_config variable instead.
-
- - name: Link the deprecated sshd fact
- ansible.builtin.set_fact:
- sshd_config: "{{ sshd }}"
+ ansible.builtin.debug:
+ msg: >-
+ The sshd variable is deprecated and will be removed
+ in a future version. Edit your playbook to use
+ the sshd_config variable instead.
 
 - name: Invoke the role, if enabled
  ansible.builtin.include_tasks: sshd.yml

templates/sshd_config.j2

@@ -23,8 +23,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -250,8 +250,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

templates/sshd_config_snippet.j2

@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd_config[key] is defined %}
-{% set value = sshd_config[key] %}
+{% elif __sshd_config[key] is defined %}
+{% set value = __sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -248,8 +248,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd_config['Match'] is defined %}
-{{ match_iterate_block(sshd_config['Match']) -}}
+{% if __sshd_config['Match'] is defined %}
+{{ match_iterate_block(__sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

vars/main.yml

@@ -1,4 +1,5 @@
 ---
+__sshd_config: "{{ sshd_config | default({}) or sshd | default({}) }}"
 __sshd_config_file: "/etc/ssh/sshd_config"
 __sshd_config_owner: "root"
 __sshd_config_group: "root"