Add support for Ubuntu 22 with drop-in directory

Signed-off-by: Jakub Jelen <[email protected]>

README.md

@@ -29,13 +29,13 @@ Requirements
 
 Tested on:
 
-* Ubuntu precise, trusty, xenial, bionic, focal
+* Ubuntu precise, trusty, xenial, bionic, focal, jammy
   * [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
 * Debian wheezy, jessie, stretch, buster, bullseye
   * [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
 * EL 6, 7, 8, 9 derived distributions
   * [![Run tests on CentOS](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-centos-check.yml)
-* Fedora 31, 32, 33, 34
+* All Fedora
   * [![Run tests on Fedora latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-fedora.yml)
 * FreeBSD 10.1
 * OpenBSD 6.0

meta/main.yml

@@ -20,6 +20,7 @@ galaxy_info:
         - xenial
         - bionic
         - focal
+        - jammy
     - name: FreeBSD
       version:
         - 10.1

tests/tasks/setup.yml

@@ -26,5 +26,5 @@
     main_sshd_config_name: 00-ansible_system_role.conf
     main_sshd_config_path: /etc/ssh/sshd_config.d/
   when:
-    - ansible_facts['os_family'] == 'RedHat'
-    - ansible_facts['distribution_major_version']|int > 8
+    - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+      (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)

tests/tests_alternative_file.yml

@@ -130,6 +130,17 @@
               - "'UsePAM yes' in config.content | b64decode"
           when:
             - ansible_facts['os_family'] == 'Debian'
+            - ansible_facts['distribution_major_version']|int < 22
+
+        - name: Check Ubuntu 22 defaults are present in the first configuration file
+          assert:
+            that:
+              - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
+              - "'KbdInteractiveAuthentication no' in config.content | b64decode"
+              - "'UsePAM yes' in config.content | b64decode"
+          when:
+            - ansible_facts['distribution'] == 'Ubuntu'
+            - ansible_facts['distribution_major_version']|int >= 22
 
         - name: Check content of second configuration file
           assert:

tests/tests_alternative_file_role.yml

@@ -144,6 +144,18 @@
               - "'UsePAM yes' in config.content | b64decode"
           when:
             - ansible_facts['os_family'] == 'Debian'
+            - ansible_facts['distribution_major_version']|int < 22
+
+        - name: Check Ubuntu 22 defaults are present in the first configuration file
+          assert:
+            that:
+              - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
+              - "'KbdInteractiveAuthentication no' in config.content | b64decode"
+              - "'UsePAM yes' in config.content | b64decode"
+          when:
+            - ansible_facts['distribution'] == 'Ubuntu'
+            - ansible_facts['distribution_major_version']|int >= 22
+
 
         - name: Check content of second configuration file
           assert:

tests/tests_include_present.yml

@@ -15,7 +15,8 @@
         regexp: "^Include"
         state: absent
       when:
-        - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+        - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+          (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 
     - name: Create a new configuration in drop-in directory
       include_role:
@@ -26,7 +27,8 @@
           Banner: /etc/include-issue
           Ciphers: aes192-ctr
       when:
-        - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+        - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+          (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 
     - name: Verify the options are correctly set
       block:
@@ -48,17 +50,31 @@
               - "'Banner /etc/include-issue' in config.content | b64decode"
               - "'Ciphers aes192-ctr' in config.content | b64decode"
               - "'Include /etc/ssh/sshd_config.d/*.conf' not in config.content | b64decode"
-              - "'Subsystem sftp /usr/libexec/sftp-server' not in config.content | b64decode"
+              - "'Subsystem sftp  /usr/libexec/openssh/sftp-server' not in config.content | b64decode"
+              - "'Subsystem	sftp	/usr/lib/openssh/sftp-server' not in config.content | b64decode"
 
-        - name: Check content of the main configuration file
+        - name: Check common content of the main configuration file
           assert:
             that:
               - "'Banner /etc/include-issue' not in config_main.content | b64decode"
               - "'Ciphers aes192-ctr' not in config_main.content | b64decode"
               - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
+
+        - name: Check RHEL content of the main configuration file
+          assert:
+            that:
               - "'Subsystem	sftp	/usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
+          when: ansible_facts['os_family'] == 'RedHat'
+
+        - name: Check Ubuntu content of the main configuration file
+          assert:
+            that:
+              - "'Subsystem	sftp	/usr/lib/openssh/sftp-server' in config_main.content | b64decode"
+          when: ansible_facts['os_family'] == 'Ubuntu'
+
       when:
-        - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8
+        - (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 8) or
+          (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
 
       tags: tests::verify
 

vars/Ubuntu_22.yml

@@ -0,0 +1,23 @@
+---
+__sshd_os_supported: yes
+
+sshd_service: ssh
+sshd_packages:
+  - openssh-server
+  - openssh-sftp-server
+# Ubuntu 22.04 finally ships with drop-in directory support so we touch
+# just included file with highest priority by default
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_config_mode: "0644"
+# the defaults here represent the defaults shipped in the main sshd_config
+__sshd_defaults:
+  Include: /etc/ssh/sshd_config.d/*.conf
+  KbdInteractiveAuthentication: no
+  UsePAM: yes
+  AcceptEnv: LANG LC_*
+  Subsystem: "sftp  /usr/lib/openssh/sftp-server"
+
+__sshd_runtime_directory: /run/sshd
+
+__sshd_drop_in_dir: /etc/ssh/sshd_config.d/
+__sshd_main_config_file: /etc/ssh/sshd_config