Unbreak FIPS detection and stabilize failing tests and GH actions

.ansible-lint

@@ -1,3 +1,6 @@
-warn_list:  # or 'skip_list' to silence them completely                       │
+warn_list:  # or 'skip_list' to silence them completely
   - '106'  # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
   - '306'  # Shells that use pipes should set the pipefail option
+  - 'fqcn-builtins'  # this is not compatible with ansible 2.6 on RHEL6
+exclude_paths:
+  - tests/roles/

.github/workflows/ansible-centos-check.yml

@@ -0,0 +1,61 @@
+name: Run Ansible Check on CentOS
+
+on: [push, pull_request]
+
+jobs:
+  centos-6:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    # Workaround missing support for end_host in old ansible
+    - run: "sed -i -e 's/meta: end_host/assert:\\n    that: __sshd_os_supported|bool/' tasks/install.yml"
+    - run: "sed -i -e 's/.*public: true//' tests/tasks/restore.yml"
+
+    - name: ansible check with centos 6
+      uses: roles-ansible/check-ansible-centos-centos6-action@master
+      with:
+        group: local
+        hosts: localhost
+        targets: "tests/tests_*.yml"
+
+  centos-7:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with centos 7
+        uses: roles-ansible/check-ansible-centos-centos7-action@master
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+
+  centos-8:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with centos 8
+        uses: roles-ansible/check-ansible-centos-centos8-action@master
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+          requirements: tests/requirements.yml
+
+  centos-9:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with centos 9
+        uses: roles-ansible/check-ansible-centos-centos9-action@main
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+          requirements: tests/requirements.yml

.github/workflows/ansible-debian-check.yml

@@ -0,0 +1,43 @@
+name: Run tests on Debian
+
+on: [push, pull_request]
+
+jobs:
+  debian-bullseye:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with debian bullseye (11)
+        uses: roles-ansible/check-ansible-debian-bullseye-action@main
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+
+  debian-buster:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with debian buster (10)
+        uses: roles-ansible/check-ansible-debian-buster-action@master
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"
+
+  debian-stretch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+
+      - name: ansible check with debian stretch (9)
+        uses: roles-ansible/check-ansible-debian-stretch-action@master
+        with:
+          group: local
+          hosts: localhost
+          targets: "tests/tests_*.yml"

.github/workflows/ansible-lint.yml

@@ -3,39 +3,10 @@ name: Ansible Lint  # feel free to pick your own name
 on: [push, pull_request]
 
 jobs:
-  # test-ansible28:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: checkout PR
-  #       uses: actions/checkout@v2
-  #     - name: Lint Ansible Playbook
-  #       uses: ansible/ansible-lint-action@master
-  #       with:
-  #         targets: "tests/test_*.yml"
-  #         override-deps: |
-  #           ansible==2.9
-  #         args: ""
-  # test-ansible29:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: checkout PR
-  #       uses: actions/checkout@v2
-  #     - name: Lint Ansible Playbook
-  #       uses: ansible/ansible-lint-action@master
-  #       with:
-  #         targets: "tests/test_*.yml"
-  #         override-deps: |
-  #           ansible==2.9
-  #         args: ""
-  test-ansible210:
+  ansible-lint:
     runs-on: ubuntu-latest
     steps:
       - name: checkout PR
         uses: actions/checkout@v2
-      - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint-action@master
-        with:
-          targets: "tests/test_*.yml"
-          override-deps: |
-            ansible==2.10
-          args: ""
+      - name: Lint Ansible playbook
+        uses: ansible/ansible-lint-action@main

README.md

@@ -136,7 +136,8 @@ ListenAddress ::
 
 A list of dicts or just a dict for a Match section. Note, that these variables
 do not override match blocks as defined in the `sshd` dict. All of the sources
-will be reflected in the resulting configuration file.
+will be reflected in the resulting configuration file. The use of
+`sshd_match_*` variant is deprecated and no longer recommended.
 
 * `sshd_backup`
 
@@ -196,11 +197,12 @@ file that this role produces.
 * `sshd_verify_hostkeys`
 
 By default (*auto*), this list contains all the host keys that are present in
-the produced configuration file. The paths are checked for presence and
-generated if missing. Additionally, permissions and file owners are set to sane
-defaults. This is useful if the role is used in deployment stage to make sure
-the service is able to start on the first attempt. To disable this check, set
-this to empty list.
+the produced configuration file. If there are none, the OpenSSH default list
+will be used after excluding non-FIPS approved keys in FIPS mode. The paths
+are checked for presence and generated if missing. Additionally, permissions
+and file owners are set to sane defaults. This is useful if the role is used
+in deployment stage to make sure the service is able to start on the first
+attempt. To disable this check, set this to empty list.
 
 * `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_mode`
 
@@ -242,6 +244,9 @@ Dependencies
 
 None
 
+For tests the `ansible.posix` collection is required for the `mount` role to
+emulate FIPS mode.
+
 Example Playbook
 ----------------
 
@@ -348,7 +353,7 @@ The [`sshd_config.j2`](templates/sshd_config.j2) template is programatically
 generated by the scripts in meta. New options should be added to the
 `options_body` or `options_match`.
 
-To regenerate the template, from within the meta/ directory run:
+To regenerate the template, from within the `meta/` directory run:
 `./make_option_lists`
 
 License
@@ -357,9 +362,13 @@ License
 LGPLv3
 
 
-Author
-------
+Authors
+-------
 
 Matt Willsher <matt@willsher.systems>
 
 &copy; 2014,2015 Willsher Systems Ltd.
+
+Jakub Jelen <jjelen@redhat.com>
+
+&copy; 2020 - 2022 Red Hat, Inc.

defaults/main.yml

@@ -61,6 +61,10 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
 # configuration or restarting), we make sure the keys exist and have correct
 # permissions. To disable this check, set sshd_verify_hostkeys to false
 sshd_verify_hostkeys: "auto"
+# The list of hostkeys to check when there are none listed in configuration file.
+# This is usually the case when the selection is up to the OpenSSH defaults or
+# drop-in directory is used.
+__sshd_verify_hostkeys_default: []
 sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
 sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
 sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"

handlers/main.yml

@@ -6,10 +6,7 @@
     state: reloaded
   when:
     - sshd_allow_reload|bool
-    - ansible_virtualization_type|default(None) != 'docker'
-    - ansible_virtualization_type|default(None) != 'podman'
-    - ansible_virtualization_type|default(None) != 'containerd'
-    - ansible_virtualization_type|default(None) != 'VirtualPC'  # for Github Actions
+    - ansible_virtualization_type|default(None) not in __sshd_skip_virt_env
     - ansible_connection != 'chroot'
     - ansible_os_family != 'AIX'
   listen: reload_sshd