make sshd config more flexible

Author: sjpb

ansible/roles/sshd/README.md

@@ -5,3 +5,5 @@ Configure sshd.
 ## Role variables
 
 - `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`.
+- `sshd_conf_src`: Optional string. Path to sshd configuration template. Default is in-role template.
+- `sshd_conf_dest`: Optional string. Path to destination for sshd configuration file. Default is `/etc/ssh/sshd_config.d/10-ansible.conf` which overides `50-{cloud-init,redhat}` files, if present.

ansible/roles/sshd/defaults/main.yml

@@ -1 +1,3 @@
-sshd_password_authentication: false # Whether to enable password login
+sshd_password_authentication: false
+sshd_conf_src: sshd.conf.j2
+sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf

ansible/roles/sshd/tasks/configure.yml

@@ -1,16 +1,15 @@
-- name: Configure SSH password authentication
+- name: Template sshd configuration
   # NB: If parameters are defined multiple times the first value wins;
   # The default /etc/ssh/sshd_config has
   #   Include /etc/ssh/sshd_config.d/*.conf
   # early on, which is generally held to be the correct approach, so adding
   # values to the end of that file won't work
-  lineinfile:
-    dest: /etc/ssh/sshd_config.d/10-ansible.conf # will beat 50-cloud-init and 50-redhat
-    regexp: "^PasswordAuthentication"
-    line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}"
-    state: present
-    create: true
+  template:
+    src: "{{ sshd_conf_src }}"
+    dest: "{{ sshd_conf_dest }}"
+    owner: root
+    group: root
+    mode: u=rw,go=
     validate: sshd -t -f %s
   notify:
     - Restart sshd
-  

ansible/roles/sshd/templates/sshd.conf.j2

@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}