feat: add ssh_backup option with default true

README.md

@@ -82,6 +82,10 @@ owned by `root:root` with mode `0644` by default, unless
 `ssh_user!=null`. In that case, the mode is `0600` and owner and
 group are derived from username given in `ssh_user` variable.
 
+### ssh_backup
+
+When set to *false*, the original `ssh_config` file is not backed up. Default is *true*.
+
 ## Example Playbook
 
 The following playbook configures the `root` user ssh configuration in his

defaults/main.yml

@@ -23,3 +23,6 @@ ssh_config_mode: null
 
 # the override for the configuration file we are writing
 ssh_config_file: null
+
+# create backup of ssh_config
+ssh_backup: true

tasks/main.yml

@@ -38,7 +38,7 @@
       {% else %}
         true %s
       {% endif %}
-    backup: true
+    backup: "{{ ssh_backup }}"
   vars:
     __ssh_skip_defaults: >-
       {% if ssh_skip_defaults != 'auto' %}

tests/tasks/setup.yml

@@ -14,3 +14,20 @@
   package:
     name: "{{ __ssh_test_packages }}"
     state: present
+
+- name: Define common variables
+  ansible.builtin.set_fact:
+    main_ssh_config: /etc/ssh/ssh_config
+    main_ssh_config_name: ssh_config
+    main_ssh_config_path: /etc/ssh/
+
+- name: Define specific variables
+  ansible.builtin.set_fact:
+    main_ssh_config: /etc/ssh/ssh_config.d/00-ansible.conf
+    main_ssh_config_name: 00-ansible.conf
+    main_ssh_config_path: /etc/ssh/ssh_config.d/
+  when:
+    - (ansible_facts['os_family'] == 'RedHat'
+        and ansible_facts['distribution_major_version'] | int >= 8) or
+      (ansible_facts['distribution'] == 'Ubuntu'
+        and ansible_facts['distribution_major_version'] | int >= 20)

tests/tests_backup.yml

@@ -0,0 +1,56 @@
+---
+- name: Test backups
+  hosts: all
+  vars:
+    __ssh_test_backup_files:
+      - /etc/ssh/ssh_config
+      - /etc/ssh/ssh_config.d/00-ansible.conf
+  tasks:
+    - name: Backup configuration files
+      ansible.builtin.include_tasks: tasks/backup.yml
+
+    - name: Find old backups files
+      ansible.builtin.find:
+        paths: "{{ main_ssh_config_path }}"
+        patterns: "{{ main_ssh_config_name }}.*@*~"
+      register: backup_files
+
+    - name: Remove old backup files
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        state: absent
+      with_items: "{{ backup_files.files }}"
+
+    - name: Configure ssh without creating backup
+      ansible.builtin.include_role:
+        name: linux-system-roles.ssh
+      vars:
+        ssh_backup: false
+
+    - name: Find new backups files
+      ansible.builtin.find:
+        paths: "{{ main_ssh_config_path }}"
+        patterns: "{{ main_ssh_config_name }}.*@*~"
+      register: no_backup
+
+    - name: Configure ssh again with different configuration and with backup
+      ansible.builtin.include_role:
+        name: linux-system-roles.ssh
+      vars:
+        ssh_ForwardX11Trusted: 'yes'  # noqa var-naming
+      register: second_run
+
+    - name: Find new backups files
+      ansible.builtin.find:
+        paths: "{{ main_ssh_config_path }}"
+        patterns: "{{ main_ssh_config_name }}.*@*~"
+      register: new_backup
+
+    - name: Verify backup was not done in first, but in second attempt
+      ansible.builtin.assert:
+        that:
+          - no_backup.files == []
+          - new_backup.files != []
+
+    - name: Restore configuration files
+      ansible.builtin.include_tasks: tasks/restore.yml

tests/tests_custom_drop_in.yml

@@ -12,7 +12,9 @@
       when:
         - ansible_facts['distribution'] != 'Fedora' and
           not (ansible_facts['distribution'] in ['RedHat','CentOS'] and
-               ansible_facts['distribution_version'] | int >= 8)
+               ansible_facts['distribution_version'] | int >= 8) and
+          not (ansible_facts['distribution'] in ['Ubuntu'] and
+               ansible_facts['distribution_version'] | int >= 20)
 
     - name: Backup configuration files
       include_tasks: tasks/backup.yml

tests/tests_global_config.yml

@@ -38,20 +38,10 @@
             Hostname: local.example.com
 
     - name: Verify the configuration file was created with right content
-      vars:
-        ssh_config_file: >-
-          {{
-            "/etc/ssh/ssh_config.d/00-ansible.conf"
-            if ansible_facts['distribution'] == 'Fedora' or
-               (ansible_facts['distribution'] in ['RedHat','CentOS'] and
-                ansible_facts['distribution_version'] | int >= 8)
-            else "/etc/ssh/ssh_config"
-          }}
-
       block:
         - name: Download the global configuration file
           slurp:
-            src: "{{ ssh_config_file }}"
+            src: "{{ main_ssh_config }}"
           register: config
 
         - name: Verify the options are in the file
@@ -79,7 +69,7 @@
               - "'Include' not in config.content | b64decode"
               - "'SendEnv' not in config.content | b64decode"
           when:
-            - ssh_config_file != "/etc/ssh/ssh_config"
+            - main_ssh_config != "/etc/ssh/ssh_config"
 
         - name: Check header for ansible_managed, fingerprint
           include_tasks: tasks/check_header.yml

tests/tests_global_config_mode.yml

@@ -24,25 +24,15 @@
         ssh_config_mode: 600
 
     - name: Verify the configuration file was created with right content
-      vars:
-        ssh_test_config_file: >-
-          {{
-            "/etc/ssh/ssh_config.d/00-ansible.conf"
-            if ansible_facts['distribution'] == 'Fedora' or
-               (ansible_facts['distribution'] in ['RedHat', 'CentOS'] and
-                ansible_facts['distribution_version'] | int >= 8)
-            else "/etc/ssh/ssh_config"
-          }}
-
       block:
         - name: Download the global configuration file
           slurp:
-            src: "{{ ssh_test_config_file }}"
+            src: "{{ main_ssh_config }}"
           register: config
 
         - name: Stat the configuration file too
           stat:
-            path: "{{ ssh_test_config_file }}"
+            path: "{{ main_ssh_config }}"
           register:
             config_mode
 

tests/tests_match.yml

@@ -29,20 +29,10 @@
               Hostname: remote.example.com
 
     - name: Verify the configuration file was created in the right place
-      vars:
-        ssh_config_file: >-
-          {{
-            "/etc/ssh/ssh_config.d/00-ansible.conf"
-            if ansible_facts['distribution'] == 'Fedora' or
-               (ansible_facts['distribution'] in ['RedHat', 'CentOS'] and
-                ansible_facts['distribution_version'] | int >= 8)
-            else "/etc/ssh/ssh_config"
-          }}
-
       block:
         - name: Download the custom configuration file
           slurp:
-            src: "{{ ssh_config_file }}"
+            src: "{{ main_ssh_config }}"
           register: config
 
         - name: Verify the options are in the file

tests/tests_precedence.yml

@@ -23,20 +23,10 @@
         ssh_Port: 222
 
     - name: Verify the configuration file was created with right content
-      vars:
-        ssh_config_file: >-
-          {{
-            "/etc/ssh/ssh_config.d/00-ansible.conf"
-            if ansible_facts['distribution'] == 'Fedora' or
-               (ansible_facts['distribution'] in ['RedHat','CentOS'] and
-                ansible_facts['distribution_version'] | int >= 8)
-            else "/etc/ssh/ssh_config"
-          }}
-
       block:
         - name: Download the global configuration file
           slurp:
-            src: "{{ ssh_config_file }}"
+            src: "{{ main_ssh_config }}"
           register: config
 
         - name: Verify the options are in the file

vars/Ubuntu.yml

@@ -1,5 +1,11 @@
 ---
 __ssh_packages: ['openssh-client']
+
+# This system supports drop in directory so defaults are adjusted
+__ssh_supports_drop_in: true
+__ssh_drop_in_name: "00-ansible"
+
+# This default lists the main configuration file defaults
 __ssh_defaults:
   Include: /etc/ssh/ssh_config.d/*.conf
   Host: