fix: rename var sshd -> sshd_config and debug output

.ansible-lint

@@ -6,6 +6,7 @@ exclude_paths:
 skip_list:
  - var-naming[no-role-prefix]
  - meta-runtime[unsupported-version]
+ - experimental
 mock_roles:
  - willshersystems.sshd.ansible-sshd
 mock_modules:

defaults/main.yml

@@ -1,4 +1,3 @@
----
 ### USER OPTIONS
 # Set to false to disable this role completely
 sshd_enable: true
@@ -38,7 +37,7 @@ sshd_sysconfig_override_crypto_policy: false
 sshd_sysconfig_use_strong_rng: 0
 
 # Empty dicts to avoid errors
-sshd: {}
+sshd_config: {}
 
 # The path to sshd_config file. This is useful when creating an included
 # configuration file snippet or configuring second sshd service

meta/10_top.j2

@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
+{% elif sshd_config[key] is defined %}
+{% set value = sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}

meta/30_bottom.j2

@@ -1,5 +1,5 @@
-{% if sshd['Match'] is defined %}
-{{ match_iterate_block(sshd['Match']) -}}
+{% if sshd_config['Match'] is defined %}
+{{ match_iterate_block(sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

tasks/certificates.yml

@@ -6,7 +6,7 @@
  {% if sshd_TrustedUserCAKeys is defined %}
  {{ sshd_TrustedUserCAKeys | to_json }}
  {% else %}
- {{ sshd['TrustedUserCAKeys'] | to_json }}
+ {{ sshd_config['TrustedUserCAKeys'] | to_json }}
  {% endif %}
  block:
  - name: Create Trusted user CA Keys directory
@@ -32,7 +32,7 @@
  {% if sshd_AuthorizedPrincipalsFile is defined %}
  {{ sshd_AuthorizedPrincipalsFile | to_json }}
  {% else %}
- {{ sshd['AuthorizedPrincipalsFile'] | to_json }}
+ {{ sshd_config['AuthorizedPrincipalsFile'] | to_json }}
  {% endif %}
  when: sshd_principals != {}
  block:

tasks/find_ports.yml

@@ -6,8 +6,8 @@
  __sshd_ports_from_config_tmp: >-
  {% if sshd_Port is defined %}
  {{ sshd_Port | to_json }}
- {% elif sshd['Port'] is defined %}
- {{ sshd['Port'] | to_json }}
+ {% elif sshd_config['Port'] is defined %}
+ {{ sshd_config['Port'] | to_json }}
  {% elif __sshd_defaults['Port'] is defined and not sshd_skip_defaults %}
  {{ __sshd_defaults['Port'] | to_json }}
  {% else %}

tasks/install.yml

@@ -33,8 +33,8 @@
  - __sshd_hostkeys_nofips | d([])
 
 - name: Make sure hostkeys are available and have expected permissions
- vars: &share_vars
- # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
+ vars:
+ &share_vars # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
  __sshd_fips_mode: >-
  {{ __sshd_hostkeys_nofips | d([]) and
  (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
@@ -44,8 +44,8 @@
  __sshd_hostkeys_from_config: >-
  {% if sshd_HostKey is defined %}
  {{ sshd_HostKey | to_json }}
- {% elif sshd['HostKey'] is defined %}
- {{ sshd['HostKey'] | to_json }}
+ {% elif sshd_config['HostKey'] is defined %}
+ {{ sshd_config['HostKey'] | to_json }}
  {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
  {% if __sshd_fips_mode %}
  {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}

tasks/main.yml

@@ -1,4 +1,17 @@
 ---
+- name: Link the deprecated sshd fact
+ when: sshd is defined
+ block:
+ - name: Print that the sshd variable is deprecated
+ ansible.builtin.debug:
+ msg: >-
+ The sshd variable is deprecated and will be removed
+ in a future version. Edit your playbook to use
+ the sshd_config variable instead.
+
+ - name: Link the deprecated sshd fact
+ ansible.builtin.set_fact:
+ sshd_config: "{{ sshd }}"
 
 - name: Invoke the role, if enabled
  ansible.builtin.include_tasks: sshd.yml

templates/sshd_config.j2

@@ -23,8 +23,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
+{% elif sshd_config[key] is defined %}
+{% set value = sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -250,8 +250,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd['Match'] is defined %}
-{{ match_iterate_block(sshd['Match']) -}}
+{% if sshd_config['Match'] is defined %}
+{{ match_iterate_block(sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

templates/sshd_config_snippet.j2

@@ -21,8 +21,8 @@
 {% set value = undefined %}
 {% if override is defined %}
 {% set value = override %}
-{% elif sshd[key] is defined %}
-{% set value = sshd[key] %}
+{% elif sshd_config[key] is defined %}
+{% set value = sshd_config[key] %}
 {% elif sshd_main_config_file is not none
  and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
 {# Do not use the defaults from main file to avoid recursion #}
@@ -248,8 +248,8 @@ Match {{ match["Condition"] }}
 {{ body_option("X11Forwarding",sshd_X11Forwarding) -}}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
-{% if sshd['Match'] is defined %}
-{{ match_iterate_block(sshd['Match']) -}}
+{% if sshd_config['Match'] is defined %}
+{{ match_iterate_block(sshd_config['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
 {{ match_iterate_block(sshd_match) -}}

vars/main.yml

@@ -1,4 +1,3 @@
----
 __sshd_config_file: "/etc/ssh/sshd_config"
 __sshd_config_owner: "root"
 __sshd_config_group: "root"
@@ -54,7 +53,7 @@ __sshd_runtime_directory_mode: "0755"
 # drop-in directory is used
 __sshd_main_config_file: ~
 
-__sshd_drop_in_dir_mode: '0755'
+__sshd_drop_in_dir_mode: "0755"
 
 # The list of hostkeys to check when there are none listed in configuration file.
 # This is usually the case when the selection is up to the OpenSSH defaults or