add sshd role

Author: sjpb

ansible/roles/sshd/README.md

@@ -0,0 +1,7 @@
+# sshd
+
+Configure sshd.
+
+## Role variables
+
+- `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`.

ansible/roles/sshd/defaults/main.yml

@@ -0,0 +1 @@
+sshd_password_authentication: false # Whether to enable password login

ansible/roles/sshd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart sshd
+  systemd:
+    name: sshd
+    state: restarted

ansible/roles/sshd/tasks/configure.yml

@@ -0,0 +1,16 @@
+- name: Configure SSH password authentication
+  # NB: If parameters are defined multiple times the first value wins;
+  # The default /etc/ssh/sshd_config has
+  #   Include /etc/ssh/sshd_config.d/*.conf
+  # early on, which is generally held to be the correct approach, so adding
+  # values to the end of that file won't work
+  lineinfile:
+    dest: /etc/ssh/sshd_config.d/10-ansible.conf # will beat 50-cloud-init and 50-redhat
+    regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}"
+    state: present
+    create: true
+    validate: sshd -t -f %s
+  notify:
+    - Restart sshd
+  

ansible/roles/sshd/tasks/main.yml

@@ -0,0 +1 @@
+- import_tasks: configure.yml

environments/common/layouts/everything

@@ -85,3 +85,6 @@ cluster
 
 [sssd]
 # Hosts to configure sssd on
+
+[sshd]
+# Hosts where the OpenSSH server daemon should be configured