Merge branch 'master' into new_makefile

.bowerrc

@@ -1,3 +0,0 @@
-{
-  "directory": "publichealth/static/libs"
-}

.buildpacks

@@ -1,3 +0,0 @@
-https://github.com/heroku/heroku-buildpack-nodejs
-https://github.com/ejholmes/heroku-buildpack-bower
-https://github.com/heroku/heroku-buildpack-python

Pipfile

@@ -30,6 +30,6 @@ Pillow = ">=4.0.0"
 puput = ">=1.0.0"
 python-dotenv = "*"
 stellar = "*"
-wagtail = ">=2.0"
+wagtail = ">=2.0,<2.13"
 whitenoise = "*"
 django-toolbelt = "*"

README.md

@@ -15,7 +15,7 @@ To set up a full development environment, follow all these instructions.
 
 **Frontend setup**
 
-Make sure a recent version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave)), then:
+Use the LTS version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave) with `nave use lts`), then:
 
 ```
 npm install -g yarn grunt-cli
@@ -32,10 +32,16 @@ If you are only working on the frontend, you can start a local webserver and wor
 
 **Backend setup**
 
-If not using Vagrant: after installing Python 3, from the project folder, deploy system packages and create a virtual environment as detailed (for Ubuntu users) below:
+If not using Vagrant: after installing Python 3, from the project folder, deploy system packages (here shown for Ubuntu users) for the development libraries of Python, libJPEG and libPQ (Postgres Client):
 
 ```
-sudo apt-get install python3-venv python3-dev libjpeg-dev
+sudo apt-get install python3-dev libjpeg-dev libpq-dev
+```
+
+Create a virtual environment as below:
+
+```
+sudo apt-get install python3-venv
 
 pyvenv env
 . env/bin/activate
@@ -77,7 +83,14 @@ Now access the admin panel with the user account you created earlier: http://loc
 
 ## Troubleshooting
 
-- Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake`
+Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake`
+
+Trouble installing packages with npm or yarn? Add IPv6 addresses to your hosts:
+
+   2606:4700:10::6814:162e nodejs.org
+   2606:4700::6810:1823 registry.npmjs.org
+   2606:4700::6810:1123 registry.yarnpkg.com
+   2a0a:e5c0:2:10::8c52:790a codeload.github.com
 
 ## Production notes
 
@@ -85,58 +98,46 @@ We use [Ansible](https://www.ansible.com) and [Docker Compose](https://docs.dock
 
 To use Docker Compose to manually deploy the site, copy `ansible/roles/web/templates/docker-compose.j2` to `/docker-compose.yml` and fill in all `{{ variables }}`. This can also be done automatically in Ansible.
 
-Install or update the following roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) to use our scripts:
+To update all roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) used in our install scripts:
 
 ```
-ansible-galaxy install \
-   dev-sec.nginx-hardening \
-   dev-sec.ssh-hardening \
-   dev-sec.os-hardening \
-   geerlingguy.nodejs
+ansible-galaxy install `ls ansible/roles -x -I wagtail` --force
 ```
 
 To check that the scripts and roles are correctly installed, use this command to do a "dry run":
 
 ```
-ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks
+ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon --list-tasks
 ```
 
 If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration:
 
 ```
-ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config"
+ansible-playbook ansible/web.yaml -i ansible/inventories/lagoon --tags "nginx_template_config"
 ```
 
 To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
 
 ```
-ansible-playbook ansible/*.yaml -i ansible/inventories/production
+ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon
 ```
 
 For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands):
 
 ```
-ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion=<v*.*.*>
+ansible-playbook ansible/site.yaml -i ansible/inventories/lagoon --tags release -v -e gitversion=<v*.*.*>
 ```
 
 You can also use the `gitrepo` parameter to use a different fork of the source code.
 
 Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook.
 
-The typical order of deployment is:
-
-- internet.yaml
-- docker.yaml
-- node.yaml
-- web.yaml
-- wagtail.yaml
-
 ### Production releases
 
 For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.:
 
 ```
-ansible-playbook -i ansible/inventories/production --tags release ansible/wagtail.yaml
+ansible-playbook -i ansible/inventories/lagoon --tags release ansible/wagtail.yaml
 ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release"
 ```
 

ansible/alpha.yaml

@@ -3,13 +3,10 @@
   gather_facts: True
   vars:
     ssh_server_ports: "{{ vault_ssh_server_ports }}"
-    nginx_add_header: []
     sysctl_overwrite:
       # Enable IPv4 traffic forwarding.
       net.ipv4.ip_forward: 1
   roles:
     - role: dev-sec.os-hardening
     - role: dev-sec.ssh-hardening
-    - role: nginxinc.nginx
-    - role: dev-sec.nginx-hardening
     - role: jnv.unattended-upgrades

ansible/inventories/carbon/group_vars/webservers/vault.yaml

@@ -0,0 +1,48 @@
+$ANSIBLE_VAULT;1.1;AES256
+32616665363039353938346565666133353839663266373534373330363932316531363932656135
+6166636334613037346432353262333738353930316362610a633337373066313236656562666531
+61636661666636636132306134393733303537363933376166363338306163633466363966343439
+3731346464663438390a353135366630313438376264656632656261623563333538333661623766
+61656336643236303137656166363936653533626165346338386165636438396332636366663262
+63656231303834343130363864396233623161386533383531333366643865323932613931623133
+30306432636666666535643533313935356232613035633935383532616565356163303164313464
+33373936343135346431653034303839346364346434353930306363323165646666633062363661
+37313638383935656234336136353662353139333462656433383164393030326464393934646236
+33666262656365356663366638636661653734656633383664646230313832336263306134666239
+65336335636264383330646365633565373531633866613162666139343761633639613134323064
+32656162393965353133663930373564643766366136313465663933323761366164623036376236
+64383666366562616337346237313761313237613264346336373538346465376361363037353332
+36343530353138353862363632613536386139333630623237343763303439393761326165393330
+65346262303231623331643963643432626562363962363530633331646139393330646330386139
+63356330363538313932663034636638333062313063343830386435613264303165316334386336
+61626666376164356237633165316462343165313638623061343730346462343462363332313230
+38633230393665626362333661666439633938346339316130393839356362613231616465373335
+64623466386634653464393434336261313237313064656534353437346461656634626539636336
+32366136636333363637373430643538666533613031643234613635316461366362633635643232
+65653732383637306635373637363162333339646530616663396137383333636336333936303734
+65653065363164306337623338623437353231343062626138353834643239323261383237353266
+63383534656233393166396330393161356265306439643463616535333533643261616136643533
+36663564303566393632633530366533393833643262363338616533323263393234373163623265
+65306330323865323364353235663261383365333462343933333165383239386566663731303963
+62313636623837333233373863393835323564633264666536356434663662636163383566613131
+39383930313663313034653462323330366531656130383761353339653933636661663439333138
+32633339303166393035393039323433386630376433646466653763383632303766343837363234
+38633662613431656330393130666437363963373863323433376566393634383332636662646565
+33656337393835353231623935613236353633633037663632663634393064376662373963633035
+33613139393031613363376162366138626132313430633865363461326634656362323039303238
+62306137343132633736663662306532353831333033613662383762613938346465366661393366
+64616436323364313165623633343434653531616232643036326238333565623132393465336433
+37336337346434323033393732336465323731326263663332346466623138636265633236626565
+32393639643563613761303464353265376464363266353631656238346233303330373136313332
+62623239636636306134623831386136666466333263663637326262373030653837353464363434
+33376238303736393536626463623033333738343030633634323765626332366230323133626161
+61356137663232393534616466353662353731343632653839326437313632653334656539653030
+39623830396363396566313466366335366666643235666666393036666437333737643033353337
+33333263393566633935333136353465366363353930383535633064346366646538323634383537
+30636535336236313131666665313832363937613461306635386539366434323465346235326265
+34393166623564376439396531653539313563356364383733363131303662623163313736366261
+34326565626233646162303532626136363237373531643966653437326436363038613961663064
+34383232316634653130393230633665616537363130326366303938306636363534636534383231
+37656432663134303630663533376339336236356466646366303939616239613462363232383734
+65663062386264376330656130313135373138303431633063633135373339653437613930626263
+633861393035376438633031393935356530

ansible/inventories/carbon/webservers

@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+65373566353363396261353836316461353537636561316565353137306636373330306361396438
+3435646636363566346635323838346138306239653735320a306263616264343862393065626234
+61633866336565363137353231656534356538333661663961333938336233396439333564666334
+3934373332383231380a316436663639323062373636363635656664663564363866373665376337
+34653036396639313735326436663966393538316136663839623938343164626335626661336432
+62333061376565613731663932326539333137386662653264616338333662613939656538663039
+36623062366332346166663937626537613738633839666330623034653561663536646364653939
+61313230326564653632353966343135353762356663653931653331633633653735623066386462
+34326666313634633635353761633936313264393163333566353937623235313635656166323966
+37373339353236633566376539373632663862626232383065666464633337336562333966383161
+66613765643266636435353866636165393666313439373361323338653839643136343364356130
+37363764653366633738

ansible/inventories/files/carbon/cloudflare.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCX+OAurxr0r4KC
+l6nyf/xZGEu3G/LZEWiFYhYTHZZAVyeUtYBzjGiLiswbtnsFu4bDutvfX3OSynWd
+TMBwc0sj8PO0+cJ5Bd9VGA2+PdEHpVWSXfc1c3a4s7C8xwrpxBfsxe3WtQ+lEfI2
+y8h+zVES0af2KDbg/xuipTnsIHRWt1mF7uRw/3R9vYXF44HQbE9c+NOv6knY3sax
+xdTq7gKifM1JNIjocEo/r7kgTLW/S5fGbZaffjWopZeXwehXMvK2RR43awkOMg4w
+xjhzO6wqC3Wlo9WQ7s3TfcZNE39ipa+lCo/eVzTphYm2gKW/MCG506lR7/s2mudw
+p/gAyM5tAgMBAAECggEAA3qMGyrL9FTo07dytEfaDWoLyvsQod0O+5qlWbZVgE8z
+wJOFB2AWlox3Tp0XOigy61u6zmVUyRk+/E+g9LysOCblqpCwXcJ/fGcADYjvC3yX
+4FwBSCUb+cS3OM2vl26d2OrQ88ISQ8Y3jqnh2DE3+Ap6N0gatXzGyQAnkBr6vsS2
+TTEud/nQsaznD4rUaNcfDFHs8IbYGiDUleFuhsZTj44tUg9whIpDCKba4IAAdU5k
+cyvWktd2XGlSuKUZsYuNrcydKZqhjleZq88/VccHtjP8O9L4+63BLost+VcznI3Y
+vVT9eqhQwIZYIVsI0tj5X4EWXEyPDsluM/P5GnopMQKBgQDHppcwWhYsB80Jf4FO
+TZAxvASMbMlxCdn3jhXt6mmucssqpiu9jQywnYFdEKGG5id40Cq4aJqZFo4534Og
+0gTTWsYAJ94dpYDHrC/iqT9WOB8HQVO6UVVzfZu2L25EUQkW9dqEIGufeHtVdK6N
+hm0ak1HfnoYhh7wVth+GuK4ICQKBgQDC3VrGsRJLeiHZAL/lIFzGUvG7MnEWE259
+Kf+GfnOa4hDDnd7bzK4L+3Ll8Nvo+Og1VZqnJlvMX6IqVO2lv/RgfBGYuCD1I/Og
+b6sZ2+X0S3OYUYGn1hkiiidB8QUALh30Q2JrTs6IPl6XZdPiX8LKi7U0UXJvgnm9
+nLJMZtyERQKBgQC5yiopobu+T6gbbZ8r+fv0fE4TS20OFyfSOlPn6dtcrpCn6KkN
+pMOpW3k13LMj8OvMfpMyto0fZyEFdB1uu+InuPJG1NLa7dfweCi7mdpJ5sHhI4bB
+/MwzRDFyEaNgSbTWvAUULYNZjGnhdUq2guDm+S8YlNGnREPgRHIEEbpJ2QKBgENK
+OvmX1fB4aU3NQ3a02TSnGdCB16k+5o2UPifMbNFUNWPHlVijcoqytveOV/I4Wb9p
+IzGLPnHxqEcj8rik85eJ4G2zT7Y3Rv7k8NnKJLtafr1fj/1MInvZ5zqPJyHryu45
+grf5i7pihzmSsTtfxB07Z0R8x56YGMAQZ0WY05ddAoGACVilm2mfLenQDT8bUvor
+++zrdk2zdvDRLgYiWu/+O7UhJF8P0ozCYmqeTsgcjKuqgqyfuBNwTKmUeaPbvmxr
+CM+gKBmuinQNNF3OjkoRv77fMkMS1+uUZ03iPjIgLz6J4cobdKRvcjVxLfPgyrJp
+n0R2KghPhNb9l/XIgqeJNGw=
+-----END PRIVATE KEY-----

ansible/inventories/files/carbon/cloudflare.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFADCCA+igAwIBAgIUK7EkF7xtZ1tTux+Q2ygKgP5cAScwDQYJKoZIhvcNAQEL
+BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
+MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MB4XDTE5MTAxNzE1MzAwMFoXDTM0MTAxMzE1MzAwMFowYjEZMBcGA1UEChMQQ2xv
+dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
+BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/jgLq8a9K+Cgpep8n/8WRhLtxvy2RFohWIW
+Ex2WQFcnlLWAc4xoi4rMG7Z7BbuGw7rb319zksp1nUzAcHNLI/DztPnCeQXfVRgN
+vj3RB6VVkl33NXN2uLOwvMcK6cQX7MXt1rUPpRHyNsvIfs1REtGn9ig24P8boqU5
+7CB0VrdZhe7kcP90fb2FxeOB0GxPXPjTr+pJ2N7GscXU6u4ConzNSTSI6HBKP6+5
+IEy1v0uXxm2Wn341qKWXl8HoVzLytkUeN2sJDjIOMMY4czusKgt1paPVkO7N033G
+TRN/YqWvpQqP3lc06YWJtoClvzAhudOpUe/7NprncKf4AMjObQIDAQABo4IBgjCC
+AX4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQqrDW0atPbYUVW62/oonVTxNlU3TAf
+BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
+MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
+YTCBggYDVR0RBHsweYISKi5wdWJsaWMtaGVhbHRoLmNoggkqLnNwaGMuY2iCFmdl
+c3VuZGhlaXRzbWFuaWZlc3QuY2iCEW1hbmlmZXN0ZXNhbnRlLmNoghJuZ28tYWxs
+aWFuei1lYmsuY2iCEHB1YmxpYy1oZWFsdGguY2iCB3NwaGMuY2gwOAYDVR0fBDEw
+LzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCnkhHew7PXdOcJduzRTtBX1oBRpAiky92RkM5/
+jweojEt3I8QIjs1m/7ZUYCQW8grmBRS75x6geKy9prmHoRcRB0Akc6QfDSRBYaK/
+AADSmShPYPFenicVDMOt9hSAYBHihmf5muPIZ/4yrK+FLPpPZibKi7ODmBzZ6Slz
+NILCxV8Yz0PG7hGQru8ey0YEno2RBLIIhkzJs80X79r25mdUNVnvk98AbXwF2eyl
+njNs7/eKemEe5Ia7OD9R33L/c36hr5HPTnXEfmcUqSeLq0mpoy8xWgsg7ykLUqmy
+j6QT71+TT4P1WYYEXwTl0mPqD51Kn7AZCgmq8RMZ83/ocGF9
+-----END CERTIFICATE-----

ansible/inventories/files/nations/cloudflare.key

@@ -0,0 +1,90 @@
+$ANSIBLE_VAULT;1.1;AES256
+37396437326330653831623831646432643031303962636636353931303064636262343439383238
+3965386661613063656436346661363633613866646435630a333962393066636239643165643666
+37346330313165643263656230373633363135376535376536373961633366613339333263376230
+3164363738313339310a336235336465623835333262333866636434653066313736356138353461
+30303332303264643839393462346236316464376138653832633331303365646565343237386662
+61393166313138396334313132663165653131313532663331323237626163633764346162303564
+64343034363139326238383633353463616135366636613262356366663364616438366432343463
+61353135663234663231643865616430636466306161323336363866383838393931363134316532
+62616336346134306363643533303030343531363930346361313864323166343536366564353166
+39643762656364623765626334313663313337326537353664323464363661323665646665656634
+33313332336461663333393632383330616434626362613832663030303334326662323562646535
+34616139343436383866323362363633333632363666626561396534633734393432333363333330
+66643864383133303634333432306332623534643232353963323665623833316237316231303831
+33393431623136323239346261626430643266653262373262396530623338383232646263366361
+65316336393661626537343666373332613030633138376533373331643966616630393036343462
+34623664623339383030373666346131633836393338616462303563643038383463353462643862
+64303037343765616666663635333264363039376463623766353833623337643639343631353931
+61373361636231386334643337356664333061333834656632363762313466613661666234383133
+66333766363264373939336133303830333136336439303136326539383231323235656262363338
+66653666616634653233343032326461396361643266666565633933303532653035663130663736
+37323434393639646435386432656563363961333265353065653564343037326131333333666237
+31363461656632613931656239326132346338346264643232643165613936643863626130616631
+61663439366338383033613135306533393933353933326561386537613263616132616337353534
+39336565656631323530303965323466636663643266373165303937336465646132663839313136
+30316330393535346265323763376639323363333734323334366234323531373763613439353035
+64383361346638653364656338623465663532383836643433323330343834313564363331323834
+61353333366465636266316264306262326263343139313631326161663165313561393162616236
+39626439656436336134346232653662373336623734666239316365303265373061343234306439
+61363236396231383265366264386236313736643962316562373962383832306231336363346537
+35613032353832383463663366396539333263616262386337353235653632633764303730313062
+32636430653136656538306630316235666331346466633834616632333139663232323464386239
+66653362303139373261656533373866646363373965323962623063313532396664393436363135
+35333333306563626239653938653732613630323464363034346638393631386531613963316338
+64303833316466333439323065323539343933303861626665396565373761333634653435376562
+65626165393937643261626266626430643962633963373839663736373332643162343332373762
+64633166653665333933393937383763313166646462356232346332363632363833373366316463
+35343536613264613230353334666630373964386165663162623533303136366338626531306533
+35623565356234653763356134376635303634353961653831666438643265313230343530393336
+65323762643034376635636234653139366439313233383539666365376130623539613732376636
+64366636346366303533656461326263376566613461633436333336346236653932386230656661
+61393533623131326164343263643666376334366134326433323630623436333132633962323837
+35303034353161363131376266336466663138633961363030356536623834353163623264626233
+37643562396232393932633536343232633334303039396163656231313462386435303839656431
+30386632336434353638386166306565643930623831393834343237373861393731353334646466
+36656237393635373039333161326134333064393863353663323261353430613064313661383064
+63316138653131343334646330643435643532386537373163666639646532663366643534343438
+33366138373230306161653061393538373664373639346261373230313133353561613236353761
+33613333313231336661303635356531323536353836323765306533333864643834616533343161
+33396632343938333633343430393364636139626161303834383535656639376633393133643139
+61346365373465613861646631353039656465373665623535333936653135353936343035313662
+32643537303630633764656563336434313533623166323738353836666565626333326662636139
+31303630653039363065616432353334396231303430313166643532343861353262636336656238
+33643064373839376261316633646430336663356663393366303032376131333437653630663736
+30386235386261306633303538323464626464303962303133333933393164653933396430393464
+35313234356534323032323161326630313738316466386139313138653738373232386462313961
+32316464316532306330333932613537376562613761323737396537346466663037303839653430
+35363237306334386631396537306332646563386538626533323337313438393439323035363064
+37346434643966326366636238383262373231613566303462373539336333346166323138623033
+33393533396438653439663430653930343233356131393562396232393537326562616131643261
+63666237393835326635623265636434373031666639356563333436666362633363303466383366
+66343464616666383531653966636130336530623532616566333737396338386165623961636438
+36383564326661343865366230313731343232646331663464663932313663333065623965613565
+65343138376561656537313663373135633463636537633131306237363062346239343162363332
+39303365373561316465363134393635623636363839653839643866636164663932633165326662
+36303362333862306531363238643266623631643337656636373139653531616538656132646631
+64656236366235393235353865636232363239336136376430376236623537643833356163383133
+63626434393736303233656433353734303763326362363436633939333433333932663131336530
+66663936666464313135376466633364663231636531346331383739323735363132326162383830
+34386163656131326365333534306437616435303239333233356430636166643361623333636436
+34363065636335336230633565373366303666393961303066623662306461623365333431663964
+39303366343964373438316135393164383262633438633665346562626337336666646463343461
+62386632616563643162383465656631623731616562663733356266346637343936366439623736
+61313037373834306438363430373636383466613334386165656238343038353831633139363362
+31333735306631613732363661326136663938666135626232636531616435626364633263353662
+61313239326239316130353236316434623261363565343831336339613965336664666132376637
+30313436306239633461633931306633333562396639643836663937303965353831383065653261
+61623839346438316364373634376665633831366434373135646537643735613230346564363630
+61356666323937393164643636393262373039613139663437353939383839326162346463393562
+61316365346361383266326135616638323762326661373764346437386539313466633337323939
+37653938373236333763626135313237363761623539663038303234623634343836313861653336
+61303365656633643435633061643761656339623231303065306435366535386434343635343538
+33343037626165633039663632646532386364626635306138623938656563336433636130613033
+32363233343061383065653231646439396465353337656636356166383263356665626238356139
+66636537313461393865336639626163306438623630303663633163363339323863616339336432
+61356138353363366639383764633862393234626533373736366130326334333861636537633537
+38383233313063646539613931323837373530343935623562666431633431396538383331396632
+35326266333930343236333937363030356231303061393362373536303337633964646132393862
+39393963326136666361663363653936356333663565316331663331376636303966376637343236
+64636531306635323731663334396663306262333730653335363364633839333339

ansible/inventories/files/nations/cloudflare.pem

@@ -0,0 +1,122 @@
+$ANSIBLE_VAULT;1.1;AES256
+36363564613066383633626239613031613162623365303031383037303365383835353462343835
+3031636161616532613464623932343761323932653831640a306336386331326363396335376231
+37363230353662383430633763396264623066636563366365633631623137626463303662396134
+6665306336636535360a313035303031303431353437363263646539386132666561653433363939
+38373463303933303133393730353831393862366232323532373635663435623638613762616537
+33343931333939626139353439343965373935616436663864363234326235363530616334636465
+34343836313761353332353232613964356363306538366633623131636264396434366666336134
+32643230333666363139313165626636306562646236663964656466643735663961303565316265
+38316436356262666334393264363966633737346635663135356633306463336437383030383264
+66653435626566303637353039373539373961643338376464626165366434363431373364313636
+38366632313532653539326138396434666434613731303662643134346535386435393531626639
+62666436636366316338313630663665623736326465336432396366356239666261373863656536
+35613138646635353362393963383665653764306137306462343063316137656137616135363663
+37373937626564343233376562623430393231376636323563353637386230323161323230396531
+64303136363562306162326664373639323866393833656266366662666434343963333038616566
+64383462306237346564323238373963363630326266626330383261626231346439373138323531
+35323430643063653638636164623334336630633661353331363831636665616666313438396334
+61386138613738653038633233653565336435393530363730613637353438363434373637373362
+65326435666264376433653865323730303664303231363963323539353532653364626562333162
+30656539336631633065346166383835633261393463623866313866343764626333313432643530
+31613666613462663662616131333531666533343661346333383539343638393336366235666437
+37313264323434326538303736666535616362613334396133313363336532343335636631646331
+38656633393863303934313466333530333737376235396233323839393030396530323862363763
+30616561303165386331356562333164373830663531366662643463303466383765663032613166
+64313465303362316465373134663264616234346530373031643830386166653038616134353632
+64376637643534373864373030323232356430316434323765363861303462366232666136626663
+39626261396263316434366462376563326439396438373966303933643931383730373834616166
+36646134336336353334623165656361623436346465396463393530633463373930393139626365
+61306339313662643130303733613636623433646332646335306163386637626532646630623139
+37323366366231363864663132373964363837356236623162306336343631333361616635376430
+32386465376334396134626133313764326637613966626364343831636234363437333662666339
+33393331666562306264346339663965343364353938646634393432363363393131616234663237
+33363461613233643461623338396335333032316566623233633538653566336138386464656533
+37303835306234613163376362353964383935623465396362616164616233323437336566666136
+31383536656438386536333766616334633739353731303766666433323230613339653265646463
+66633161663339656433653535373865353463306135653739656330363064633563613531336365
+36646262353566336135316462666138313732333864353431383762646662346362313863613932
+62613038626661396637396366636264373537373966333938663931663532353862636561393764
+66313065393963306564393637616231386137633465306164343234373665383265326462373961
+35333766613232376234363336663865343663656631353565366461343964643265623064616562
+64656462313333376534313333646630383462343935333439623061343464316139313331663966
+30613236333239396137346361613830633738386162306633303033613938643138646465636364
+36626236396633306162623461393764643661353634303237303862666136323337333362383538
+38613866643032653565616266363637643036326465393734633239386535373038653464396563
+39623561363862393131623764366261323932643733383066373436346236326630383966383433
+35373835323436396235636337303564646433386431356165383337343334316432613065316133
+66303937626631396334323838636436393533356535346436613531376330313230623439363136
+33333839343239353762663130623735643262363036376433373963333937326533323466383235
+61363639393835633035396634316538386463333461383334346438303134396433613665303664
+38613532383562613862333765616665643134616532373762643432663337643132663233326664
+66356530633561343862326666313264323637313239366161663031343265303833376539653430
+37643435313265306135393736396535336333373665613836633465373761373266613031633636
+65623363623134323430386632653232303461636162323466386564346565636532373438323839
+66386463333635653535623139643235383437313761363532316561343939336166383562666335
+31626561633264323766303565653566393164646638353861653838363466646639633361646536
+65656235626330333538666365383230373563373230353263666361633965396133393430323165
+30333066656231333738633264396162363063646532656265663232346135373330613566323131
+36323966373832663564383433383235356664306439323764303638623736633262623533366532
+61353938323462633637313263663238626535366234393864343533383561356532363564323963
+63663033633866366366633161383238663537303339386239373035343061613066346532333533
+32363964666235653062316164393634393337326136363235343231386633323436373762633337
+65336430366539363461363165346537346134616135346139633235366334363266336566663738
+36643331376161383532316366363766303463656137333864336163326238626138643939613237
+30323062326465306561313364323630343238393531613963353065663861363336616331643065
+39623533303861363263333461633637623164333762316665323835353334323364666466623839
+62323839326339383231346233323636663261316439653035313265326237326266393331646365
+33643639386131333063663463323534383737636563346463316433646361363338616631376431
+63653434303736366266373937626261646230653363636661613034363863343539363832366361
+34643832376662336632363533323666303530343933636234376631646536336261336566336264
+39633637343537323865356266383864303462303538373565623566316635663366626438626237
+66366438656634336364623639653736353836343739646237633734373834636530633238653132
+38363833333937623738323935373034626464316536646435613036663938643436366566323036
+39376339666131653365376265626131626136313663306339316230303934353231343437306161
+35656634353732386337323364343431333631356664343333353963663537373431333562356330
+65636238663438653864633938636664373637313163633766613963343563366464623437323530
+61376133623531326435313737396261393130646239323239336530353466303362336136306136
+36386564633236326530643236626630313561653630616564616139623033303438363235343136
+63333164653332323630666535663237376632323339383563333639343931333536353032653761
+61616364313739663462333336306164623365383236616539386132373733613763386166373235
+30323834316532616464323539383362653161303461333465383333353465356133623862323464
+34623661653263613366623933393330313038663837363834336561306538363335613263643362
+32636665383662613835356630636537303561663532383039633163326566336631313564643936
+37633031663133343164333032386262343861653665653663323732393130636263343932666636
+35613335386237323832663832346438633764383039616138656636633565316566636335643734
+36653931633336343665353762326336376435653963386666626534636533306632646162356561
+61656336373730666663306536336461356130663866623431646330346161376634303732313461
+37656362346636343063396662636633383633306231616363396635343533346139616438306433
+62663262656430326533613864383232356564336565643733633336626466633265366132653962
+32373963386264343132623338363263383136663963623463353239386133333932316663306331
+66396265396235383630323830353962376266393933396563666434333534633931626534663865
+37363839633135646435383535663965363437363231613162393864323161663330633266363033
+38373634323733356464313461626261633136646661613833306362306339386434666362303435
+66343430363631326366383437336338636534646664383461653733353531623466373831623631
+35393934386235356138633833333265316464363064626463316139616666613664623136663731
+65656637633436643333343738613433323733636465303762623438316162356138663838343765
+34353433353066383634643536366562633864623039383032303365323261313966646262323332
+66373235343265356639656434353865393239343965366462346435353165346333326131656565
+30613061636636353233316637313338326635643238353937323236353032386461646363633563
+30343636376338613363303964356334666439633136336530303964316563313561623034666631
+65313464306535313863663937303565323164383537336334383437343234316437643338343231
+61326365383534643931623361373339333666626463306336623464393062313762393064346634
+39643030353063396635616139666130633235636434383861333938343039373731643166313364
+64306239666639363739323137663231653761356239633236343936313939346562633530666532
+31343032623139363130633136353036646231326339623037336533353064356165303932666536
+66646537333663313034336236373037306636343632643636663634626235323038306134306564
+34656631623439636633333830623462616364653431323035393331333331396163633539393364
+38633662366631633431653864373739333039663966383765303863343036633337636636643436
+35393962333732383732663063316532393332666332623934326166393236393936646337346564
+39373935383136356362623339363432396632396534623030656333663165643363633038336465
+35653430613738306232636632356135343533306139393334333439646136353432386365633137
+63326639613166343262343037303536363230613666313932616565373932333538326633396137
+37366562383662646461633639343338333766643564376431333332326564626434666338313466
+63396137353862653835613339646532343561373261393432393632396235326466373338333762
+39313637316462333333376539623261343139386164653664636133313434353937376230303865
+38323061663833666563366133653635323466326231346637656337366333393863366332333338
+31636239633436646633623165333833343737383137303263326361346531623237323937313762
+31323261656331656362323364313231373930666639383730633234643738663330326436303334
+34373439373538323364396433613033656333346261656338646237313236303261346636636362
+62386162323163626635363039383031663738666430653964346430646532656162373933356338
+33323631623936623236373932613133646631306566333061616538356434363165636464636235
+62643461383139633361326463306162333530363365663064353266343734353361

ansible/inventories/lagoon/group_vars/webservers/vars.yaml

@@ -0,0 +1,29 @@
+---
+
+django_project_name: publichealth
+
+elasticsearch_heap_size: 1g
+
+memcached_memory_allocation_mb: 256
+
+nginx_worker_processes: 2
+nginx_worker_connections: 1024
+
+domain: "{{ vault_domain }}"
+
+allowed_domains: "{{ vault_allowed_domains }}"
+
+django_email_key: "{{ vault_django_email_key }}"
+django_email_domain: "{{ vault_django_email_domain }}"
+django_email_from: "{{ vault_django_email_from }}"
+
+django_secret_key: "{{ vault_django_secret_key }}"
+
+# Default: postgres://postgres:@postgres:5432/postgres
+django_postgres_url: "{{ vault_django_postgres_url }}"
+
+# Default: http://elasticsearch:9200
+django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
+
+# Default: redis://redis:6379
+django_redis_url: "{{ vault_django_redis_url }}"

ansible/nginx.yaml

@@ -0,0 +1,8 @@
+- hosts: webservers
+  become: True
+  gather_facts: True
+  vars:
+    nginx_add_header: []
+  roles:
+    - role: nginxinc.nginx
+    - role: dev-sec.nginx-hardening

ansible/node.yaml

@@ -6,5 +6,5 @@
     - role: geerlingguy.nodejs
       nodejs_install_npm_user: ansible
       nodejs_npm_global_packages:
-        - name: bower
+        - name: yarn
         - name: grunt-cli

ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info

@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:19 2020
+install_date: Thu Feb 18 15:39:21 2021
 version: 2.1.0

ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml

@@ -1,34 +0,0 @@
-name: Create Changelog
-
-on:
-  pull_request:
-    types: [closed]
-
-  release:
-    types: [published]
-
-  issues:
-    types: [closed, edited]
-
-jobs:
-  generate_changelog:
-    runs-on: ubuntu-latest
-    name: Generate changelog for master branch
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Generate changelog
-        uses: charmixer/auto-changelog-action@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: push
-        uses: github-actions-x/commit@v2.6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          push-branch: 'master'
-          commit-message: 'update changelog'
-          force-add: 'true'
-          files: CHANGELOG.md
-          name: dev-sec CI
-          email: github@gumpri.ch

ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml

@@ -25,17 +25,35 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate changelog
-        uses: charmixer/auto-changelog-action@v1
+        uses: charmixer/auto-changelog-action@8095796
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          future_release: ${{ steps.version.outputs.next-version }}
+
+      - name: Generate changelog for the release
+        uses: charmixer/auto-changelog-action@8095796
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           since_tag: ${{ steps.previoustag.outputs.tag }}
           future_release: ${{ steps.version.outputs.next-version }}
+          output: CHANGELOGRELEASE.md
+
+      - name: push changelog
+        uses: github-actions-x/commit@v2.6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          push-branch: 'master'
+          commit-message: 'update changelog'
+          force-add: 'true'
+          files: CHANGELOG.md
+          name: dev-sec CI
+          email: hello@dev-sec.io
 
       - name: Read CHANGELOG.md
         id: package
         uses: juliangruber/read-file-action@v1
         with:
-          path: ./CHANGELOG.md
+          path: ./CHANGELOGRELEASE.md
 
       - name: Create Release draft
         id: create_release

ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml

@@ -33,6 +33,9 @@ platforms:
 - name: centos-6
   driver_config:
     box: bento/centos-6.7
+    provision: true
+    vagrantfiles:
+      - rhel6_provision.rb
 - name: centos-7
   driver_config:
     box: bento/centos-7
@@ -42,6 +45,9 @@ platforms:
 - name: oracle-6
   driver_config:
     box: bento/oracle-6
+    provision: true
+    vagrantfiles:
+      - rhel6_provision.rb
 - name: oracle-7
   driver_config:
     box: bento/oracle-7
@@ -57,6 +63,11 @@ platforms:
 - name: opensuse_tumbleweed
   driver_config:
     box: opensuse/Tumbleweed.x86_64
+    provision: true
+    vagrantfiles:
+      - suse_provision.rb
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
 
 verifier:
   name: inspec

ansible/roles/dev-sec.os-hardening/.kitchen.yml

@@ -2,7 +2,16 @@
 driver:
   name: docker
   use_sudo: false
-  privileged: true
+  cap_add:
+    - SYS_ADMIN
+  volume:
+    - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  run_options:
+    tmpfs:
+      - /tmp
+      - /run
+      - /run/lock
+  run_command: /sbin/init
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
 
@@ -28,95 +37,108 @@ platforms:
   driver:
     image: rndmh3ro/docker-centos6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: centos7-ansible-latest
   driver:
     image: rndmh3ro/docker-centos7-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: centos8-ansible-latest
   driver:
     image: rndmh3ro/docker-centos8-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
+
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: oracle7-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle7-ansible:latest
-    run_command: /sbin/init
     platform: centos
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - yum -y install initscripts
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: ubuntu1604-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1604-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: ubuntu1804-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1804-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: debian9-ansible-latest
   driver:
     image: rndmh3ro/docker-debian9-ansible:latest
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: debian10-ansible-latest
   driver:
     image: rndmh3ro/docker-debian10-ansible:latest
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: amazon-ansible-latest
   driver:
     image: rndmh3ro/docker-amazon-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: fedora-ansible-latest
   driver:
     image: rndmh3ro/docker-fedora-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
       - dnf install -y python
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: opensuse_tumbleweed-ansible-latest
   driver:
     image: rndmh3ro/docker-opensuse_tumbleweed-ansible
     platform: opensuse
     provision_command:
-      - zypper -n install python-xml rpm-python
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - zypper -n install python-xml
+      - sed -i '/nologin/d' /etc/pam.d/sshd
+      - sed -i '/systemd/d' /etc/pam.d/common-session
       - systemctl enable sshd.service
 
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - https://github.com/dev-sec/tests-os-hardening
+    - https://github.com/dev-sec/linux-baseline
+  controls:
+    # skip sysctl checks, since they make no sense in docker
+    - /^(?!sysctl-|package-07).+/
 
 suites:
 - name: os

ansible/roles/dev-sec.os-hardening/.travis.yml

@@ -2,63 +2,31 @@
 services: docker
 
 env:
-  - distro: centos6
-    version: latest
-    init: /sbin/init
-
-  - distro: centos7
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: centos8
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: fedora
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: oracle6
-    version: latest
-    init: /sbin/init
-
-#  - distro: oracle7
-#    init: /lib/systemd/systemd
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    version: latest
-
-  - distro: ubuntu1604
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: ubuntu1804
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian9
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian10
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: amazon
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  # - distro: opensuse_tumbleweed
-  #   init: /usr/lib/systemd/systemd
-  #   version: latest
-  #   run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
+  global:
+    - version=latest
+    - init=/sbin/init
+    - run_opts="--cap-add SYS_ADMIN"
+    - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  jobs:
+    - distro=centos6
+      volume=":"
+      run_opts=""
+    - distro=centos7
+    - distro=centos8
+    - distro=oracle6
+      volume=":"
+      run_opts=""
+#    - distro=oracle7
+    - distro=ubuntu1604
+    - distro=ubuntu1804
+    - distro=debian9
+      init=/lib/systemd/systemd
+    - distro=debian10
+    - distro=amazon
+    - distro=fedora
+      init=/lib/systemd/systemd
+    - distro=opensuse_tumbleweed
+      run_opts="--privileged"
 
 before_install:
   # Pull container
@@ -70,7 +38,7 @@ script:
 
   - container_id=$(mktemp)
   # Run container in detached state.
-  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+  - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Output Ansible version from docker image
   - 'docker exec "$(cat ${container_id})" ansible-playbook --version'
@@ -79,7 +47,7 @@ script:
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
 
    # Verify role
-  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible/roles/dev-sec.os-hardening/CHANGELOG.md

@@ -1,8 +1,71 @@
 # Changelog
 
-## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD)
+## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-16)
 
-[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD)
+[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0)
+
+**Implemented enhancements:**
+
+- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha))
+- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat))
+- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi))
+
+**Fixed bugs:**
+
+- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284)
+
+**Closed issues:**
+
+- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293)
+- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292)
+- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288)
+- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249)
+
+**Merged pull requests:**
+
+- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
+- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
+
+[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0)
+
+**Implemented enhancements:**
+
+- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
+
+**Fixed bugs:**
+
+- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281)
+
+**Closed issues:**
+
+- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269)
+
+**Merged pull requests:**
+
+- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
+- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06)
+
+[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3)
+
+**Implemented enhancements:**
+
+- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02)
+
+[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2)
+
+**Implemented enhancements:**
+
+- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
+
+## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09)
+
+[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1)
 
 **Implemented enhancements:**
 
@@ -19,7 +82,7 @@
 - Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
 - Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
 - Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
-- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg))
+- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg))
 - Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
 - add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
 - Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
@@ -28,7 +91,7 @@
 - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
 - Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
 - Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
-- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov))
+- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
 - Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
 - add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
 - Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
@@ -47,7 +110,7 @@
 - Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
 - Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
 - Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
-- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov))
+- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost))
 - Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
 
 ## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
@@ -123,9 +186,7 @@
 - Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
 - Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
 - Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
-- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
-- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
 - Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
 
 **Fixed bugs:**
@@ -148,12 +209,14 @@
 
 - Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155)
 - Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129)
+- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
 - Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1))
 - Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz))
 - Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz))
 - Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault))
 - add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro))
 - update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro))
+- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
 
 **Fixed bugs:**
 
@@ -184,7 +247,7 @@
 
 **Implemented enhancements:**
 
-- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
+- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
 - new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro))
 - add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro))
 - remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro))

ansible/roles/dev-sec.os-hardening/README.md

@@ -1,7 +1,6 @@
 # os-hardening (Ansible Role)
 
 [![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1]
-[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
 [![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3]
 
 ## Description
@@ -81,6 +80,8 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
 | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
 | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
 | `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
+| `hidepid_option` | `2` | `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. |
+| `proc_mnt_options` | `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` | Mount proc with hardenized options, including `hidepid` with variable value. |
 
 ## Packages
 

ansible/roles/dev-sec.os-hardening/defaults/main.yml

@@ -278,3 +278,6 @@ os_auditd_max_log_file_action: keep_logs
 os_selinux_state: enforcing
 # Set the SELinux polixy.
 os_selinux_policy: targeted
+
+hidepid_option: '2' # allowed values: 0, 1, 2
+proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'

ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info

@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:23 2020
-version: 6.0.1
+install_date: Thu Feb 18 15:39:25 2021
+version: 6.2.0

ansible/roles/dev-sec.os-hardening/rhel6_provision.rb

@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+  config.vm.provision "shell", inline: <<-SHELL
+    rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
+    sed -i 's/\\(mirrorlist=http\\)s/\\1/' /etc/yum.repos.d/epel.repo
+    yum install -y ansible libselinux-python
+  SHELL
+end

ansible/roles/dev-sec.os-hardening/suse_provision.rb

@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+  config.vm.provision "shell", inline: <<-SHELL
+      zypper -n install python2-setuptools
+      mkdir -p /usr/local/lib/python2.7/site-packages/
+      ln -s /usr/local/bin/pip /usr/bin/
+  SHELL
+end

ansible/roles/dev-sec.os-hardening/tasks/apt.yml

@@ -3,4 +3,5 @@
   apt:
     name: '{{ os_security_packages_list }}'
     state: 'absent'
+    purge: 'yes'
   when: os_security_packages_clean | bool

ansible/roles/dev-sec.os-hardening/tasks/auditd.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: install auditd package | package-08
   package:
     name: '{{ auditd_package }}'

ansible/roles/dev-sec.os-hardening/tasks/hardening.yml

@@ -56,10 +56,9 @@
   tags: yum
 
 - import_tasks: apt.yml
-  when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu'
+  when: ansible_facts.distribution in ['Debian', 'Ubuntu']
   tags: apt
 
 - import_tasks: selinux.yml
   tags: selinux
-  when:
-    - ansible_facts.selinux.status == 'enabled'
+  when: ansible_facts.selinux.status == 'enabled'

ansible/roles/dev-sec.os-hardening/tasks/limits.yml

@@ -1,5 +1,4 @@
 ---
-
 - block:
   - name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
     file:

ansible/roles/dev-sec.os-hardening/tasks/main.yml

@@ -1,4 +1,3 @@
 ---
-
 - import_tasks: hardening.yml
   when: os_hardening_enabled | bool

ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml

@@ -48,3 +48,11 @@
     group: 'root'
     mode: '0750'
   when: '"change_user" not in os_security_users_allow'
+
+- name: set option hidepid for proc filesystem
+  mount:
+    path: /proc
+    src: proc
+    fstype: proc
+    opts: '{{ proc_mnt_options }}'
+    state: present

ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml

@@ -12,7 +12,15 @@
 - name: remove vfat from fs-list if efi is used
   set_fact:
     os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
-  when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
+  when:
+    - efi_installed.stat.isdir is defined
+    - efi_installed.stat.isdir
+
+- name: remove used filesystems from fs-list
+  set_fact:
+    os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
+  # we cannot do this on el6 and below, because these systems don't support the map function
+  when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
 
 - name: disable unused filesystems | os-10
   template:

ansible/roles/dev-sec.os-hardening/tasks/pam.yml

@@ -121,6 +121,7 @@
 - name: Gather package facts
   package_facts:
     manager: auto
+  when: ansible_facts.os_family != 'Suse'
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   template:
@@ -129,4 +130,6 @@
     mode: '0640'
     owner: 'root'
     group: 'root'
-  when: "'libuser' in ansible_facts.packages"
+  when:
+    - ansible_facts.os_family != 'Suse'
+    - "'libuser' in ansible_facts.packages"

ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml

@@ -13,15 +13,16 @@
     owner: 'root'
     group: 'root'
     mode: '0544'
-  when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or
-        ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
+  when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat']
 
 - name: install initramfs-tools
   apt:
     name: 'initramfs-tools'
     state: 'present'
     update_cache: true
-  when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
+  when:
+    - ansible_facts.os_family == 'Debian'
+    - os_security_kernel_enable_module_loading
 
 - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
   template:
@@ -32,7 +33,9 @@
     mode: '0440'
   notify:
     - update-initramfs
-  when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
+  when:
+    - ansible_facts.os_family == 'Debian'
+    - os_security_kernel_enable_module_loading
   register: initramfs
 
 - name: change sysctls
@@ -60,14 +63,16 @@
         reload: yes
         ignoreerrors: yes
       with_dict: '{{ sysctl_rhel_config }}'
-      when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and
+      when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
             ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
 
-  when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']
+  when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 
 - name: Apply ufw defaults
   template:
     src: 'etc/default/ufw.j2'
     dest: '/etc/default/ufw'
-  when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu')
+  when:
+    - ufw_manage_defaults
+    - ansible_facts.distribution in ['Debian', 'Ubuntu']
   tags: ufw

ansible/roles/dev-sec.os-hardening/tasks/yum.yml

@@ -3,35 +3,42 @@
   file:
     name: '/etc/yum.repos.d/{{ item }}.repo'
     state: 'absent'
-  with_items:
+  loop:
     - 'CentOS-Debuginfo'
     - 'CentOS-Media'
     - 'CentOS-Vault'
   when: os_security_packages_clean | bool
 
 - name: get yum-repository-files
-  shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
-  changed_when: False
+  find:
+    paths: '/etc/yum.repos.d'
+    patterns: '*.repo'
   register: yum_repos
 
-  # for the 'default([])' see here:
-  # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
-  # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
-  #
-  # failed_when is needed because by default replace module will fail if the file doesn't exists.
-  # status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
-  # All other errors will still be raised.
+# for the 'default([])' see here:
+# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
+# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
+- name: activate gpg-check for yum-repository-files
+  replace:
+    path: '{{ item.path }}'
+    regexp: '^\s*gpgcheck.*'
+    replace: 'gpgcheck=1'
+  with_items:
+    - '{{ yum_repos.files | default([]) }}'
+
+# failed_when is needed because by default replace module will fail if the file doesn't exists.
+# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
+# All other errors will still be raised.
 - name: activate gpg-check for config files
   replace:
-    dest: '{{ item }}'
-    regexp: '^\s*gpgcheck: 0'
-    replace: 'gpgcheck: 1'
+    path: '{{ item }}'
+    regexp: '^\s*gpgcheck\W.*'
+    replace: 'gpgcheck=1'
   register: status
   failed_when: status.rc is defined and status.rc != 257
-  with_flattened:
+  loop:
     - '/etc/yum.conf'
     - '/etc/dnf/dnf.conf'
-    - '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
     - '/etc/yum/pluginconf.d/rhnplugin.conf'
 
 - name: remove deprecated or insecure packages | package-01 - package-09

ansible/roles/dev-sec.os-hardening/tests/test.yml

@@ -13,6 +13,10 @@
       apt:
         update_cache: yes
       when: ansible_facts.os_family == 'Debian'
+    - name: install required tools on debian
+      apt:
+        name: procps
+      when: ansible_facts.os_family == 'Debian'
     - name: install required tools on fedora
       dnf:
         name:
@@ -20,6 +24,9 @@
           - findutils
           - procps-ng
       when: ansible_facts.distribution == 'Fedora'
+    - name: install required tools on SuSE
+      shell: "zypper -n install python-xml"
+      when: ansible_facts.os_family == 'Suse'
     - name: create recursing symlink to test minimize access
       shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
   vars:

ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml

@@ -1,34 +0,0 @@
-name: Create Changelog
-
-on:
-  pull_request:
-    types: [closed]
-
-  release:
-    types: [published]
-
-  issues:
-    types: [closed, edited]
-
-jobs:
-  generate_changelog:
-    runs-on: ubuntu-latest
-    name: Generate changelog for master branch
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Generate changelog
-        uses: charmixer/auto-changelog-action@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: push
-        uses: github-actions-x/commit@v2.6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          push-branch: 'master'
-          commit-message: 'update changelog'
-          force-add: 'true'
-          files: CHANGELOG.md
-          name: dev-sec CI
-          email: github@gumpri.ch

ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml

@@ -25,18 +25,35 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate changelog
-        uses: charmixer/auto-changelog-action@v1
+        uses: charmixer/auto-changelog-action@8095796
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          future_release: ${{ steps.version.outputs.next-version }}
+
+      - name: Generate changelog for the release
+        uses: charmixer/auto-changelog-action@8095796
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           since_tag: ${{ steps.previoustag.outputs.tag }}
-          # wait for https://github.com/CharMixer/auto-changelog-action/pull/3
-          #future_release: ${{ steps.version.outputs.next-version }}
+          future_release: ${{ steps.version.outputs.next-version }}
+          output: CHANGELOGRELEASE.md
+
+      - name: push changelog
+        uses: github-actions-x/commit@v2.6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          push-branch: 'master'
+          commit-message: 'update changelog'
+          force-add: 'true'
+          files: CHANGELOG.md
+          name: dev-sec CI
+          email: hello@dev-sec.io
 
       - name: Read CHANGELOG.md
         id: package
         uses: juliangruber/read-file-action@v1
         with:
-          path: ./CHANGELOG.md
+          path: ./CHANGELOGRELEASE.md
 
       - name: Create Release draft
         id: create_release

ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml

@@ -33,6 +33,9 @@ platforms:
 - name: centos-7
   driver_config:
     box: bento/centos-7
+- name: centos-8
+  driver_config:
+    box: bento/centos-8
 - name: oracle-6
   driver_config:
     box: bento/oracle-6

ansible/roles/dev-sec.ssh-hardening/.kitchen.yml

@@ -2,7 +2,16 @@
 driver:
   name: docker
   use_sudo: false
-  privileged: true
+  cap_add:
+    - SYS_ADMIN
+  volume:
+    - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  run_options:
+    tmpfs:
+      - /tmp
+      - /run
+      - /run/lock
+  run_command: /sbin/init
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
 
@@ -28,72 +37,96 @@ platforms:
   driver:
     image: rndmh3ro/docker-centos6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: centos7-ansible-latest
   driver:
     image: rndmh3ro/docker-centos7-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
+- name: centos8-ansible-latest
+  driver:
+    image: rndmh3ro/docker-centos8-ansible:latest
+    platform: centos
+    provision_command:
+      - sed -i '/nologin/d' /etc/pam.d/sshd
+      - systemctl enable sshd.service
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
+
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: oracle7-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle7-ansible:latest
-    run_command: /sbin/init
     platform: centos
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: ubuntu1604-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1604-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: ubuntu1804-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1804-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: debian9-ansible-latest
   driver:
     image: rndmh3ro/docker-debian9-ansible:latest
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: debian10-ansible-latest
   driver:
     image: rndmh3ro/docker-debian10-ansible
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: amazon-ansible-latest
   driver:
     image: rndmh3ro/docker-amazon-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: fedora-ansible-latest
   driver:
     image: rndmh3ro/docker-fedora-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - dnf install -y python
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - dnf install -y python procps-ng
+      - sed -i '/nologin/d' /etc/pam.d/sshd
+      - systemctl enable sshd.service
+
+- name: arch-ansible-latest
+  driver:
+    image: rndmh3ro/docker-arch-ansible:latest
+    platform: arch
+    run_command: /usr/lib/systemd/systemd
+    provision_command:
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
 
 verifier:

ansible/roles/dev-sec.ssh-hardening/.travis.yml

@@ -2,53 +2,32 @@
 services: docker
 
 env:
-  - distro: centos6
-    version: latest
-    init: /sbin/init
-
-  - distro: centos7
-    init: /usr/lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: oracle6
-    version: latest
-    init: /sbin/init
-
-#  - distro: oracle7
-#    init: /usr/lib/systemd/systemd
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    version: latest
-
-  - distro: ubuntu1604
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: ubuntu1804
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian9
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian10
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: amazon
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: fedora
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  global:
+    - version=latest
+    - init=/sbin/init
+    - run_opts="--cap-add SYS_ADMIN"
+    - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  jobs:
+    - distro=centos6
+      volume=":"
+      run_opts=""
+    - distro=centos7
+    - distro=centos8
+    - distro=oracle6
+      volume=":"
+      run_opts=""
+#    - distro=oracle7
+    - distro=ubuntu1604
+    - distro=ubuntu1804
+    - distro=debian9
+      init=/lib/systemd/systemd
+    - distro=debian10
+    - distro=amazon
+    - distro=fedora
+      init=/lib/systemd/systemd
+    - distro=arch
+      init=/usr/lib/systemd/systemd
+      run_opts="--privileged"
 
 before_install:
   # Pull container
@@ -60,17 +39,14 @@ script:
 
   - container_id=$(mktemp)
   # Run container in detached state.
-  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+  - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Test role.
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
 
   # Verify role
-  # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
-  # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md

@@ -1,8 +1,147 @@
 # Changelog
 
-## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD)
+## [9.7.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.7.0) (2020-08-09)
 
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.6.0...9.7.0)
+
+**Implemented enhancements:**
+
+- add separate option for controlling motd via pam [\#320](https://github.com/dev-sec/ansible-ssh-hardening/pull/320) ([schurzi](https://github.com/schurzi))
+
+## [9.6.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.6.0) (2020-07-28)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.5.0...9.6.0)
+
+**Implemented enhancements:**
+
+- add SmartOS support [\#294](https://github.com/dev-sec/ansible-ssh-hardening/pull/294) ([aqw](https://github.com/aqw))
+
+**Fixed bugs:**
+
+- fix local kitchen tests [\#318](https://github.com/dev-sec/ansible-ssh-hardening/pull/318) ([schurzi](https://github.com/schurzi))
+- fix sftp\_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw))
+
+**Closed issues:**
+
+- Make SSH banner path configurable [\#315](https://github.com/dev-sec/ansible-ssh-hardening/issues/315)
+
+## [9.5.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.5.0) (2020-07-27)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.4.0...9.5.0)
+
+**Implemented enhancements:**
+
+- add ssh\_banner\_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua))
+- rework CRYPTO\_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi))
+
+**Fixed bugs:**
+
+- network\_ipv6\_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311)
+
+**Closed issues:**
+
+- RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh\*.config [\#275](https://github.com/dev-sec/ansible-ssh-hardening/issues/275)
+
+**Merged pull requests:**
+
+- improve testing in kitchen and travis [\#313](https://github.com/dev-sec/ansible-ssh-hardening/pull/313) ([schurzi](https://github.com/schurzi))
+
+## [9.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.4.0) (2020-07-21)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.3.0...9.4.0)
+
+**Implemented enhancements:**
+
+- Add CentOS 8 support for ansible-ssh-hardening [\#247](https://github.com/dev-sec/ansible-ssh-hardening/issues/247)
+- adding specific things for IPv6 support [\#312](https://github.com/dev-sec/ansible-ssh-hardening/pull/312) ([altf4arnold](https://github.com/altf4arnold))
+- add support for CentOS8 [\#309](https://github.com/dev-sec/ansible-ssh-hardening/pull/309) ([schurzi](https://github.com/schurzi))
+- README: New section on server port and idempotency [\#307](https://github.com/dev-sec/ansible-ssh-hardening/pull/307) ([nununo](https://github.com/nununo))
+
+**Fixed bugs:**
+
+- CBC Ciphers should be disabled by default. [\#308](https://github.com/dev-sec/ansible-ssh-hardening/issues/308)
+
+**Closed issues:**
+
+- Idempotency when changing sshd ports [\#299](https://github.com/dev-sec/ansible-ssh-hardening/issues/299)
+- Simplify crypto.yml checks with blocks [\#256](https://github.com/dev-sec/ansible-ssh-hardening/issues/256)
+- Possibility for customising host key algorithms? [\#243](https://github.com/dev-sec/ansible-ssh-hardening/issues/243)
+
+## [9.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.3.0) (2020-07-09)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.2.0...9.3.0)
+
+**Implemented enhancements:**
+
+- Add support for X11 configuration [\#297](https://github.com/dev-sec/ansible-ssh-hardening/issues/297)
+- add blocks to crypto.yml checks [\#305](https://github.com/dev-sec/ansible-ssh-hardening/pull/305) ([schurzi](https://github.com/schurzi))
+- fix typo in hardening.yml [\#304](https://github.com/dev-sec/ansible-ssh-hardening/pull/304) ([schurzi](https://github.com/schurzi))
+- allow customization of X11Forwarding [\#300](https://github.com/dev-sec/ansible-ssh-hardening/pull/300) ([divialth](https://github.com/divialth))
+
+**Fixed bugs:**
+
+- fix package install in tests [\#301](https://github.com/dev-sec/ansible-ssh-hardening/pull/301) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Closed issues:**
+
+- Typo in hardening.yml [\#303](https://github.com/dev-sec/ansible-ssh-hardening/issues/303)
+- Task create sshd\_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302)
+
+## [9.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.2.0) (2020-06-25)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.1...9.2.0)
+
+**Implemented enhancements:**
+
+- Add RHEL 8 Support  [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261)
+- Add option to create 'LocalPort' match blocks [\#295](https://github.com/dev-sec/ansible-ssh-hardening/pull/295) ([aisbergg](https://github.com/aisbergg))
+- Add archlinux support [\#291](https://github.com/dev-sec/ansible-ssh-hardening/pull/291) ([djesionek](https://github.com/djesionek))
+- Harmonize style [\#290](https://github.com/dev-sec/ansible-ssh-hardening/pull/290) ([aisbergg](https://github.com/aisbergg))
+
+**Merged pull requests:**
+
+- add centos 8 to meta [\#298](https://github.com/dev-sec/ansible-ssh-hardening/pull/298) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [9.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.1) (2020-06-06)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.0...9.1.1)
+
+**Implemented enhancements:**
+
+- unify changelog and release actions [\#289](https://github.com/dev-sec/ansible-ssh-hardening/pull/289) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Fixed bugs:**
+
+- AllowTCPForwarding set to `no` although I have `ssh\_allow\_tcp\_forwarding: yes` [\#286](https://github.com/dev-sec/ansible-ssh-hardening/issues/286)
+- `ssh\_allow\_tcp\_forwarding`: use quotes for values [\#288](https://github.com/dev-sec/ansible-ssh-hardening/pull/288) ([jeanmonet](https://github.com/jeanmonet))
+
+## [9.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.0) (2020-06-02)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.0.0...9.1.0)
+
+**Implemented enhancements:**
+
+- allow customization of login gracetime and max sessins [\#287](https://github.com/dev-sec/ansible-ssh-hardening/pull/287) ([chris-rock](https://github.com/chris-rock))
+
+## [9.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.0.0) (2020-05-18)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.1.0...9.0.0)
+
+**Breaking changes:**
+
+- make ssh client-side compression configurable [\#284](https://github.com/dev-sec/ansible-ssh-hardening/pull/284) ([aqw](https://github.com/aqw))
+
+**Fixed bugs:**
+
+- Disable Ubuntu dynamic login MOTD [\#271](https://github.com/dev-sec/ansible-ssh-hardening/issues/271)
+
+**Closed issues:**
+
+- Ubuntu disable dynamic MOTD failing [\#283](https://github.com/dev-sec/ansible-ssh-hardening/issues/283)
+
+## [8.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.1.0) (2020-05-09)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...8.1.0)
 
 **Implemented enhancements:**
 
@@ -377,7 +516,6 @@
 **Implemented enhancements:**
 
 - CentOS 7 selinux dependencies [\#76](https://github.com/dev-sec/ansible-ssh-hardening/issues/76)
-- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro))
 - Parameterise Banner and DebianBanner as defaults [\#77](https://github.com/dev-sec/ansible-ssh-hardening/pull/77) ([tsenart](https://github.com/tsenart))
 
 **Fixed bugs:**
@@ -386,6 +524,10 @@
 - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75)
 - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61)
 
+**Closed issues:**
+
+- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
+
 ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03)
 
 [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0)
@@ -401,6 +543,7 @@
 **Implemented enhancements:**
 
 - Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63)
+- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro))
 - Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111))
 - add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro))
 - add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
@@ -462,19 +605,19 @@
 
 ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
 
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2.1)
 
 **Merged pull requests:**
 
 - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
 
-## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
-
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
-
 ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
 
-[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0)
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.0)
+
+## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
+
+[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2)
 
 **Merged pull requests:**
 
@@ -493,9 +636,7 @@
 **Closed issues:**
 
 - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
-- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
 - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)
-- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
 
 **Merged pull requests:**
 
@@ -527,6 +668,7 @@
 
 - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7)
 - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6)
+- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
 
 **Merged pull requests:**
 

ansible/roles/dev-sec.ssh-hardening/README.md

@@ -1,12 +1,11 @@
 # ssh-hardening (Ansible Role)
 
 [![Build Status](http://img.shields.io/travis/dev-sec/ansible-ssh-hardening.svg)][1]
-[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
 [![Ansible Galaxy](https://img.shields.io/badge/galaxy-ssh--hardening-660198.svg)][3]
 
 ## Description
 
-This role provides secure ssh-client and ssh-server configurations.  It is intended to be compliant with the [DevSec SSH  Baseline](https://github.com/dev-sec/ssh-baseline).
+This role provides secure ssh-client and ssh-server configurations.  It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline).
 
 Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
 
@@ -17,10 +16,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
 ## Role Variables
 | Name           | Default Value | Description                        |
 | -------------- | ------------- | -----------------------------------|
-|`network_ipv6_enable` | false |true if IPv6 is needed|
+|`network_ipv6_enable` | false |true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).|
 |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
 |`ssh_client_port` | '22' |port to which ssh-client should connect|
-|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
+|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!|
 |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
 |`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
@@ -28,9 +27,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
 |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
-|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`|
+|`ssh_allow_tcp_forwarding` | no | `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`. <br> *Note*: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes. |
 |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
+|`ssh_x11_forwarding` | false | false to disable X11 Forwarding. Set to true to allow X11 Forwarding.|
 |`ssh_pam_support` | true | true if SSH has PAM support.|
 |`ssh_use_pam` | true | false to disable pam authentication.|
 |`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
@@ -45,9 +45,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_authorized_principals_file` | '' | specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. |
 |`ssh_authorized_principals` | [] | list of hashes containing file paths and authorized principals, see default_custom.yml for all options. Only used if ssh_authorized_principals_file is set. |
 |`ssh_print_motd` | false | false to disable printing of the MOTD|
+|`ssh_print_pam_motd` | false | false to disable printing of the MOTD via pam (Debian and Ubuntu)|
 |`ssh_print_last_log` | false | false to disable display of last login information|
 |`sftp_enabled` | false | true to enable sftp configuration|
-|`sftp_umask` | 0027 | Specifies the umask for sftp|
+|`sftp_umask` | '0027' | Specifies the umask for sftp|
 |`sftp_chroot` | true | false to disable chroot for sftp|
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
@@ -57,16 +58,21 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
 |`ssh_banner` | `false` | `true` to print a banner on login |
+|`ssh_banner_path`| '/etc/sshd/banner.txt' | path to the SSH banner file |
 |`ssh_client_hardening` | `true` | `false` to stop harden the client |
 |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
-|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. |
+|`ssh_client_compression` | `false` | Specifies whether the client requests compression. |
+|`ssh_compression` | `false` | Specifies whether server-side compression is enabled after the user has authenticated successfully. |
+|`ssh_login_grace_time` | `30s` | specifies the time allowed for successful authentication to the SSH server |
 |`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
+|`ssh_max_sessions` | `10` | Specifies the maximum number of open sessions permitted from a given connection. |
 |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
 |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
 |`ssh_server_hardening` | `true` | `false` to stop harden the server |
 |`ssh_server_match_address` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_local_port` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
 |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
@@ -99,6 +105,12 @@ Example playbook:
       - "AcceptEnv LANG"
 ```
 
+## Changing the default port and idempotency
+
+This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
+
+If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
+
 ## Example Playbook
 
     - hosts: localhost
@@ -120,6 +132,7 @@ bundle install
 ```
 
 ### Testing with Docker
+
 ```
 # fast test on one machine
 bundle exec kitchen test ssh-ubuntu1804-ansible-latest

ansible/roles/dev-sec.ssh-hardening/defaults/main.yml

@@ -1,48 +1,55 @@
 # true if IPv6 is needed
-network_ipv6_enable: false              # sshd + ssh
+network_ipv6_enable: false          # sshd + ssh
 
 # true if sshd should be started and enabled
-ssh_server_enabled: true               # sshd
+ssh_server_enabled: true            # sshd
 
 # true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
-ssh_use_dns: false                      # sshd
+ssh_use_dns: false                  # sshd
 
 # true or value if compression is needed
-ssh_compression: false                  # sshd
+ssh_client_compression: false       # ssh
+ssh_compression: false              # sshd
 
 # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
 
 # If true, password login is allowed
-ssh_client_password_login: false          # ssh
-ssh_server_password_login: false          # sshd
+ssh_client_password_login: false    # ssh
+ssh_server_password_login: false    # sshd
 
 # ports on which ssh-server should listen
-ssh_server_ports: ['22']      # sshd
+ssh_server_ports: ['22']            # sshd
 
 # port to which ssh-client should connect
-ssh_client_port: '22'         # ssh
+ssh_client_port: '22'               # ssh
 
 # one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
-ssh_listen_to: ['0.0.0.0']    # sshd
+ssh_listen_to: ['0.0.0.0']          # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: []  # sshd
+ssh_host_key_files: []              # sshd
 
 # Specifies the host key algorithms that the server offers
-ssh_host_key_algorithms: []  # sshd
+ssh_host_key_algorithms: []         # sshd
+
+# specifies the time allowed for successful authentication to the SSH server
+ssh_login_grace_time: 30s
 
 # Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2
 
-ssh_client_alive_interval: 300          # sshd
-ssh_client_alive_count: 3               # sshd
+# Specifies the maximum number of open sessions permitted from a given connection
+ssh_max_sessions: 10
+
+ssh_client_alive_interval: 300      # sshd
+ssh_client_alive_count: 3           # sshd
 
 # Allow SSH Tunnels
 ssh_permit_tunnel: false
 
-# Hosts with custom options.            # ssh
+# Hosts with custom options.        # ssh
 # Example:
 # ssh_remote_hosts:
 #   - names: ['example.com', 'example2.com']
@@ -52,23 +59,26 @@ ssh_permit_tunnel: false
 ssh_remote_hosts: []
 
 # Set this to "without-password" or "yes" to allow root to login
-ssh_permit_root_login: 'no'          # sshd
+ssh_permit_root_login: 'no'         # sshd
 
 # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
-ssh_allow_tcp_forwarding: 'no'        # sshd
+ssh_allow_tcp_forwarding: 'no'      # sshd
 
 # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
 # Set to 'clientspecified' to allow the client to specify which address to bind to.
-ssh_gateway_ports: false                # sshd
+ssh_gateway_ports: false            # sshd
 
 # false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
-ssh_allow_agent_forwarding: false       # sshd
+ssh_allow_agent_forwarding: false   # sshd
+
+# false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
+ssh_x11_forwarding: false   # sshd
 
 # true if SSH has PAM support
 ssh_pam_support: true
 
 # false to disable pam authentication.
-ssh_use_pam: true # sshd
+ssh_use_pam: true                   # sshd
 
 # specify AuthenticationMethods
 sshd_authenticationmethods: 'publickey'
@@ -80,29 +90,29 @@ ssh_gssapi_support: false
 ssh_kerberos_support: true
 
 # if specified, login is disallowed for user names that match one of the patterns.
-ssh_deny_users: ''      # sshd
+ssh_deny_users: ''                  # sshd
 
 # if specified, login is allowed only for user names that match one of the patterns.
-ssh_allow_users: ''      # sshd
+ssh_allow_users: ''                 # sshd
 
 # if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
-ssh_deny_groups: ''      # sshd
+ssh_deny_groups: ''                 # sshd
 
 # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
-ssh_allow_groups: ''      # sshd
+ssh_allow_groups: ''                # sshd
 
 # change default file that contains the public keys that can be used for user authentication.
-ssh_authorized_keys_file: ''      # sshd
+ssh_authorized_keys_file: ''        # sshd
 
 # specifies the file containing trusted certificate authorities public keys used to sign user certificates.
-ssh_trusted_user_ca_keys_file: ''      # sshd
+ssh_trusted_user_ca_keys_file: ''   # sshd
 
 # set the trusted certificate authorities public keys used to sign user certificates.
 # Example:
 # ssh_trusted_user_ca_keys:
 #   - 'ssh-rsa ... comment1'
 #   - 'ssh-rsa ... comment2'
-ssh_trusted_user_ca_keys: []      # sshd
+ssh_trusted_user_ca_keys: []        # sshd
 
 # specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
 # Example:
@@ -112,26 +122,30 @@ ssh_trusted_user_ca_keys: []      # sshd
 # replaced by the username of that user. After expansion, the path is taken to be
 # an absolute path or one relative to the user's home directory.
 #
-ssh_authorized_principals_file: ''      # sshd
+ssh_authorized_principals_file: ''  # sshd
 
 # list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
 # Example:
 # ssh_authorized_principals:
 #   - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
 #   - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
-ssh_authorized_principals: []      # sshd
+ssh_authorized_principals: []       # sshd
 
 # false to disable printing of the MOTD
-ssh_print_motd: false      # sshd
+ssh_print_motd: false               # sshd
+ssh_print_pam_motd: false           # sshd
 
 # false to disable display of last login information
-ssh_print_last_log: false    # sshd
+ssh_print_last_log: false           # sshd
 
-# false to disable serving /etc/ssh/banner.txt before authentication is allowed
-ssh_banner: false # sshd
+# false to disable serving ssh warning banner before authentication is allowed
+ssh_banner: false                   # sshd
+
+# path to file with ssh warning banner 
+ssh_banner_path: '/etc/ssh/banner.txt'
 
 # false to disable distribution version leakage during initial protocol handshake
-ssh_print_debian_banner: false # sshd (Debian OS family only)
+ssh_print_debian_banner: false      # sshd (Debian OS family only)
 
 # true to enable sftp configuration
 sftp_enabled: false
@@ -140,7 +154,7 @@ sftp_enabled: false
 sftp_chroot: true
 
 # sftp default umask
-sftp_umask: 0027
+sftp_umask: '0027'
 
 # change default sftp chroot location
 sftp_chroot_dir: /home/%u
@@ -148,20 +162,23 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
 
-# list of hashes (containing user and rules) to generate Match User blocks for.
-ssh_server_match_user: false            # sshd
+# list of hashes (containing user and rules) to generate Match User blocks for
+ssh_server_match_user: false        # sshd
 
-# list of hashes (containing group and rules) to generate Match Group blocks for.
-ssh_server_match_group: false           # sshd
+# list of hashes (containing group and rules) to generate Match Group blocks for
+ssh_server_match_group: false       # sshd
 
-# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
-ssh_server_match_address: false           # sshd
+# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
+ssh_server_match_address: false     # sshd
+
+# list of hashes (containing port and rules) to generate Match LocalPort blocks for
+ssh_server_match_local_port: false  # sshd
 
 ssh_server_permit_environment_vars: 'no'
-ssh_server_accept_env_vars : ''
+ssh_server_accept_env_vars: ''
 
 # maximum number of concurrent unauthenticated connections to the SSH daemon
-ssh_max_startups: '10:30:100'           # sshd
+ssh_max_startups: '10:30:100'       # sshd
 
 ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
@@ -249,3 +266,7 @@ sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
 sshd_strict_modes: yes
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true

ansible/roles/dev-sec.ssh-hardening/files/sshd

@@ -0,0 +1,17 @@
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation, adjust sshd.service options for
+# example using  systemctl enable sshd-keygen@dsa.service  to allow creation
+# of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
+# creation.
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
+
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+CRYPTO_POLICY=

ansible/roles/dev-sec.ssh-hardening/handlers/main.yml

@@ -1,4 +1,6 @@
 - name: restart sshd
-  service: name={{ sshd_service_name }} state=restarted
-  when: "(ssh_server_enabled|bool)"
+  service:
+    name: '{{ sshd_service_name }}'
+    state: restarted
+  when: ssh_server_enabled | bool
   become: yes

ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info

@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:21 2020
-version: 8.1.0
+install_date: Thu Feb 18 15:39:23 2021
+version: 9.7.0

ansible/roles/dev-sec.ssh-hardening/meta/main.yml

@@ -10,6 +10,7 @@ galaxy_info:
       versions:
         - 6
         - 7
+        - 8
     - name: Ubuntu
       versions:
         - xenial
@@ -20,6 +21,8 @@ galaxy_info:
         - buster
     - name: Amazon
     - name: Fedora
+    - name: Archlinux
+    - name: SmartOS
   galaxy_tags:
     - system
     - security

ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml

@@ -1,5 +1,5 @@
 ---
-- name: Set ssh CA pub keys
+- name: set ssh CA pub keys
   template:
     src: 'trusted_user_ca_keys.j2'
     dest: '{{ ssh_trusted_user_ca_keys_file }}'
@@ -8,20 +8,20 @@
     group: '{{ ssh_group }}'
   notify: restart sshd
 
-- name: Create ssh authorized principals directories
+- name: create ssh authorized principals directories
   file:
     path: '{{ item.path | dirname }}'
     mode: '{{ item.directorymode | default(0700) }}'
     owner: '{{ item.directoryowner | default(ssh_owner) }}'
     group: '{{ item.directorygroup | default(ssh_group) }}'
     state: directory
-  with_items: '{{ ssh_authorized_principals }}'
+  loop: '{{ ssh_authorized_principals }}'
 
-- name: Set ssh authorized principals
+- name: set ssh authorized principals
   template:
     src: 'authorized_principals.j2'
     dest: '{{ item.path }}'
     mode: '{{ item.filemode | default(0600) }}'
     owner: '{{ item.owner| default(ssh_owner) }}'
     group: '{{ item.group | default(ssh_group) }}'
-  with_items: '{{ ssh_authorized_principals }}'
+  loop: '{{ ssh_authorized_principals }}'

ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml

@@ -1,75 +0,0 @@
----
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
-
-###
-
-- name: set macs according to openssh-version if openssh >= 7.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_76_default }}'
-  when: sshd_version is version('7.6', '>=') and not ssh_macs
-
-- name: set macs according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_macs
-
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_macs
-
-- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
-  when:
-    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
-    - ansible_facts.distribution_version is version('6.5', '>=')
-    - not ssh_macs
-
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_macs
-
-###
-
-- name: set ciphers according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_ciphers
-
-- name: set ciphers according to openssh-version
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_ciphers
-
-###
-
-- name: set kex according to openssh-version if openssh >= 8.0
-  set_fact:
-    ssh_kex: '{{ ssh_kex_80_default }}'
-  when: sshd_version is version('8.0', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_kex: '{{ ssh_kex_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version
-  set_fact:
-    ssh_kex: '{{ ssh_kex_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_kex

ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml

@@ -0,0 +1,10 @@
+---
+- name: set ciphers according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
+  when: sshd_version is version('5.3', '>=')
+
+- name: set ciphers according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
+  when: sshd_version is version('6.6', '>=')

ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml

@@ -0,0 +1,21 @@
+---
+- name: set hostkeys according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+  when: sshd_version is version('5.3', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.0
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+  when: sshd_version is version('6.0', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.3
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
+  when: sshd_version is version('6.3', '>=')

ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml

@@ -0,0 +1,15 @@
+---
+- name: set kex according to openssh-version if openssh >= 5.9
+  set_fact:
+    ssh_kex: '{{ ssh_kex_59_default }}'
+  when: sshd_version is version('5.9', '>=')
+
+- name: set kex according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_kex: '{{ ssh_kex_66_default }}'
+  when: sshd_version is version('6.6', '>=')
+
+- name: set kex according to openssh-version if openssh >= 8.0
+  set_fact:
+    ssh_kex: '{{ ssh_kex_80_default }}'
+  when: sshd_version is version('8.0', '>=')

ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml

@@ -0,0 +1,27 @@
+---
+- name: set macs according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_macs: '{{ ssh_macs_53_default }}'
+  when: sshd_version is version('5.3', '>=')
+
+- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
+  set_fact:
+    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
+  when:
+    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
+    - ansible_facts.distribution_version is version('6.5', '>=')
+
+- name: set macs according to openssh-version if openssh >= 5.9
+  set_fact:
+    ssh_macs: '{{ ssh_macs_59_default }}'
+  when: sshd_version is version('5.9', '>=')
+
+- name: set macs according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_macs: '{{ ssh_macs_66_default }}'
+  when: sshd_version is version('6.6', '>=')
+
+- name: set macs according to openssh-version if openssh >= 7.6
+  set_fact:
+    ssh_macs: '{{ ssh_macs_76_default }}'
+  when: sshd_version is version('7.6', '>=')

ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml

@@ -1,11 +1,11 @@
 ---
-- name: Set OS dependent variables
+- name: set OS dependent variables
   include_vars: '{{ item }}'
   with_first_found:
-   - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-   - '{{ ansible_facts.distribution }}.yml'
-   - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-   - '{{ ansible_facts.os_family }}.yml'
+    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.distribution }}.yml'
+    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.os_family }}.yml'
 
 - name: get openssh-version
   command: ssh -V
@@ -17,8 +17,21 @@
   set_fact:
     sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
 
-- name: include tasks to create crypo-vars
-  include_tasks: crypto.yml
+- name: set default for ssh_host_key_files if not supplied
+  include_tasks: crypto_hostkeys.yml
+  when: not ssh_host_key_files
+
+- name: set default for ssh_macs if not supplied
+  include_tasks: crypto_macs.yml
+  when: not ssh_macs
+
+- name: set default for ssh_ciphers if not supplied
+  include_tasks: crypto_ciphers.yml
+  when: not ssh_ciphers
+
+- name: set default for ssh_kex if not supplied
+  include_tasks: crypto_kex.yml
+  when: not ssh_kex
 
 - name: create revoked_keys and set permissions to root/600
   template:
@@ -37,7 +50,7 @@
     mode: '0600'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
-    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
+    validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
   notify: restart sshd
   when: ssh_server_hardening | bool
 
@@ -48,10 +61,11 @@
     control: optional
     module_path: pam_motd.so
     state: absent
+    backup: yes
   when:
     - ssh_server_hardening | bool
     - ssh_pam_support | bool
-    - not (ssh_print_motd | bool)
+    - not (ssh_print_pam_motd | bool)
 
 - name: create ssh_config and set permissions to root/644
   template:
@@ -62,7 +76,7 @@
     group: '{{ ssh_group }}'
   when: ssh_client_hardening | bool
 
-- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
+- name: check if {{ sshd_moduli_file }} contains weak DH parameters
   shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
   register: sshd_register_moduli
   changed_when: false
@@ -84,3 +98,17 @@
 - name: include selinux specific tasks
   include_tasks: selinux.yml
   when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
+
+- name: gather package facts
+  package_facts:
+  check_mode: no
+  when:
+    - sshd_disable_crypto_policy | bool
+
+- name: disable SSH server CRYPTO_POLICY
+  copy:
+    src: sshd
+    dest: /etc/sysconfig/sshd
+  when:
+    - sshd_disable_crypto_policy | bool
+    - ('crypto-policies' in ansible_facts.packages)

ansible/roles/dev-sec.ssh-hardening/tasks/main.yml

@@ -1,4 +1,3 @@
 ---
-
 - include_tasks: hardening.yml
   when: ssh_hardening_enabled | bool

ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml

@@ -4,14 +4,13 @@
     name: '{{ ssh_selinux_packages }}'
     state: present
 
-- name: "authorize {{ ssh_server_ports }} ports for selinux"
+- name: authorize {{ ssh_server_ports }} ports for selinux
   seport:
     ports: '{{ item }}'
     proto: tcp
     setype: ssh_port_t
     state: present
-  with_items:
-    - "{{ ssh_server_ports }}"
+  loop: '{{ ssh_server_ports }}'
 
 - name: check if ssh_password module is already installed
   shell: 'set -o pipefail && semodule -l | grep ssh_password'
@@ -22,35 +21,41 @@
   changed_when: false
   check_mode: no
 
-# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed.
-# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
-- block:
-  - name: Create selinux custom policy drop folder
-    file:
-      path: '{{ ssh_custom_selinux_dir }}'
-      state: 'directory'
-      owner: 'root'
-      group: 'root'
-      mode: '0750'
+# The following tasks only get executed when selinux is in state enforcing,
+# UsePam is 'no' and the ssh_password module is not installed. See this issue for
+# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
+- when:
+    - not (ssh_use_pam | bool)
+    - ('ssh_password' not in ssh_password_module.stdout)
+  block:
+    - name: create selinux custom policy drop folder
+      file:
+        path: '{{ ssh_custom_selinux_dir }}'
+        state: 'directory'
+        owner: 'root'
+        group: 'root'
+        mode: '0750'
 
-  - name: Distributing custom selinux policies
-    copy:
-      src: 'ssh_password'
-      dest: '{{ ssh_custom_selinux_dir }}'
+    - name: distributing custom selinux policies
+      copy:
+        src: 'ssh_password'
+        dest: '{{ ssh_custom_selinux_dir }}'
 
-  - name: check and compile policy
-    command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
+    - name: check and compile policy
+      command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
 
-  - name: create selinux policy module package
-    command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
+    - name: create selinux policy module package
+      command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
 
-  - name: install selinux policy
-    command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
+    - name: install selinux policy
+      command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
 
-  when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
 
-# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
-# See http://danwalsh.livejournal.com/12333.html for more info
+# The following tasks only get executed when selinux is installed, UsePam is
+# 'yes' and the ssh_password module is installed. See
+# http://danwalsh.livejournal.com/12333.html for more info
 - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
   command: semodule -r ssh_password
-  when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0
+  when:
+    - ssh_use_pam | bool
+    - ('ssh_password' in ssh_password_module.stdout)

ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2

@@ -1,4 +1,4 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
 
 {% for principal in item.principals %}
 {{ principal }}

ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2

@@ -1,9 +1,10 @@
-# {{ansible_managed|comment}}
+#jinja2: trim_blocks: "true", lstrip_blocks: "true"
+{{ ansible_managed | comment }}
 
 # This is the ssh client system-wide configuration file.
 # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
 
-{% if ssh_custom_options -%}
+{% if ssh_custom_options %}
 # Custom configuration that overwrites default configuration
 # ==========================================================
 {% for line in ssh_custom_options %}
@@ -17,14 +18,14 @@
 # Address family should always be limited to the active network configuration.
 AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
 
-{% for host in ssh_remote_hosts -%}
+{% for host in ssh_remote_hosts %}
 {% if loop.first %}
 # Host-specific configuration
 {% endif %}
 Host {{ host.names | join(' ') }}
-  {{ host.options | join("\n") | indent(2) }}
+  {{ host.options | join('\n') | indent(2) }}
 
-{% endfor -%}
+{% endfor %}
 
 # Global defaults for all Hosts
 Host *
@@ -60,16 +61,16 @@ StrictHostKeyChecking ask
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 
-{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #}
-{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
+{# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #}
+{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
 # Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
 
-{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #}
-{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
+{# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #}
+{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
 
 # Alternative setting, if OpenSSH version is below v5.9
 #MACs hmac-ripemd160
@@ -79,8 +80,8 @@ StrictHostKeyChecking ask
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 
-{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #}
-{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
+{# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
+{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
 
 # Disable agent forwarding, since local agent could be accessed through forwarded connection.
 ForwardAgent no
@@ -113,8 +114,7 @@ PermitLocalCommand no
 # Misc. configuration
 # ===================
 
-# Enable compression. More pressure on the CPU, less on the network.
-Compression yes
+Compression {{ 'yes' if (ssh_client_compression|bool) else 'no' }}
 
 #EscapeChar ~
 #VisualHostKey yes

ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2

@@ -1,12 +1,13 @@
-# {{ansible_managed|comment}}
+#jinja2: trim_blocks: "true", lstrip_blocks: "true"
+{{ ansible_managed | comment }}
 
 # This is the ssh client system-wide configuration file.
 # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
 
-{% if sshd_custom_options -%}
+{% if sshd_custom_options %}
 # Custom configuration that overwrites default configuration
 # ==========================================================
-{% for line in sshd_custom_options -%}
+{% for line in sshd_custom_options %}
 {{ line }}
 {% endfor %}
 {% endif %}
@@ -18,26 +19,26 @@
 PermitRootLogin {{ ssh_permit_root_login }}
 
 # Define which port sshd should listen to. Default to `22`.
-{% for port in ssh_server_ports -%}
-Port {{port}}
+{% for port in ssh_server_ports %}
+Port {{ port }}
 {% endfor %}
 
 # Address family should always be limited to the active network configuration.
 AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }}
 
 # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
-{% for address in ssh_listen_to -%}
-ListenAddress {{address}}
+{% for address in ssh_listen_to %}
+ListenAddress {{ address }}
 {% endfor %}
 
 # List HostKeys here.
-{% for key in ssh_host_key_files -%}
-HostKey {{key}}
+{% for key in ssh_host_key_files %}
+HostKey {{ key }}
 {% endfor %}
 
 # Specifies the host key algorithms that the server offers.
 {% if sshd_version is version('5.8', '>=') %}
-{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
+{{ "HostKeyAlgorithms " ~ ssh_host_key_algorithms|join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
 {% endif %}
 
 # Security configuration
@@ -62,16 +63,16 @@ LogLevel {{ sshd_log_level }}
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 
-{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #}
-{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
+{# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #}
+{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
 # Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
 
-{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #}
-{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
+{# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #}
+{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
 
 # Alternative setting, if OpenSSH version is below v5.9
 #MACs hmac-ripemd160
@@ -81,8 +82,8 @@ LogLevel {{ sshd_log_level }}
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
 
-{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #}
-{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
+{# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
+{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
 
 # Authentication
 # --------------
@@ -92,13 +93,17 @@ LogLevel {{ sshd_log_level }}
 UseLogin no
 {% endif %}
 {% if sshd_version is version('7.5', '<') %}
-UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
+UsePrivilegeSeparation {{
+  (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6')
+  or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon')
+  | ternary(ssh_ps53, ssh_ps59)
+}}
 {% endif %}
 
-LoginGraceTime 30s
-MaxAuthTries {{ssh_max_auth_retries}}
-MaxSessions 10
-MaxStartups {{ssh_max_startups}}
+LoginGraceTime {{ ssh_login_grace_time }}
+MaxAuthTries {{ ssh_max_auth_retries }}
+MaxSessions {{ ssh_max_sessions }}
+MaxStartups {{ ssh_max_startups }}
 
 # Enable public key authentication
 PubkeyAuthentication yes
@@ -109,7 +114,7 @@ IgnoreUserKnownHosts yes
 HostbasedAuthentication no
 
 # Enable PAM to enforce system wide rules
-{% if ssh_pam_support -%}
+{% if ssh_pam_support %}
 UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 {% endif %}
 
@@ -124,7 +129,7 @@ PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }}
 
-{% if ssh_kerberos_support -%}
+{% if ssh_kerberos_support %}
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
 KerberosOrLocalPasswd no
@@ -137,29 +142,29 @@ GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
 GSSAPICleanupCredentials yes
 
 # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
-{% if ssh_deny_users -%}
-DenyUsers {{ssh_deny_users}}
+{% if ssh_deny_users %}
+DenyUsers {{ ssh_deny_users }}
 {% endif %}
 
-{% if ssh_allow_users -%}
-AllowUsers {{ssh_allow_users}}
+{% if ssh_allow_users %}
+AllowUsers {{ ssh_allow_users }}
 {% endif %}
 
-{% if ssh_deny_groups -%}
-DenyGroups {{ssh_deny_groups}}
+{% if ssh_deny_groups %}
+DenyGroups {{ ssh_deny_groups }}
 {% endif %}
 
-{% if ssh_allow_groups -%}
-AllowGroups {{ssh_allow_groups}}
+{% if ssh_allow_groups %}
+AllowGroups {{ ssh_allow_groups }}
 {% endif %}
 
-{% if ssh_authorized_keys_file -%}
+{% if ssh_authorized_keys_file %}
 AuthorizedKeysFile {{ ssh_authorized_keys_file }}
 {% endif %}
 
-{% if ssh_trusted_user_ca_keys_file -%}
+{% if ssh_trusted_user_ca_keys_file %}
 TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
-{% if ssh_authorized_principals_file -%}
+{% if ssh_authorized_principals_file %}
 AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
 {% endif %}
 {% endif %}
@@ -171,8 +176,8 @@ AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
 TCPKeepAlive no
 
 # Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
-ClientAliveInterval {{ssh_client_alive_interval}}
-ClientAliveCountMax {{ssh_client_alive_count}}
+ClientAliveInterval {{ ssh_client_alive_interval }}
+ClientAliveCountMax {{ ssh_client_alive_count }}
 
 # Disable tunneling
 PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
@@ -189,19 +194,19 @@ AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in (
 # no real advantage without denied shell access
 AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
 
-{% if ssh_gateway_ports|bool -%}
+{% if ssh_gateway_ports|bool %}
 # Port forwardings are forced to bind to the wildcard address
 GatewayPorts yes
-{% elif ssh_gateway_ports == 'clientspecified' -%}
+{% elif ssh_gateway_ports == 'clientspecified' %}
 # Clients allowed to specify which address to bind port forwardings to
 GatewayPorts clientspecified
-{% else -%}
+{% else %}
 # Do not allow remote port forwardings to bind to non-loopback addresses.
 GatewayPorts no
 {% endif %}
 
 # Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
-X11Forwarding no
+X11Forwarding {{ 'yes' if (ssh_x11_forwarding|bool) else 'no' }}
 X11UseLocalhost yes
 
 # User environment configuration
@@ -209,7 +214,7 @@ X11UseLocalhost yes
 
 PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
 
-{% if ssh_server_accept_env_vars -%}
+{% if ssh_server_accept_env_vars %}
 AcceptEnv {{ ssh_server_accept_env_vars }}
 {% endif %}
 
@@ -226,16 +231,16 @@ PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
 PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
 
-Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
+Banner {{ ssh_banner_path if (ssh_banner|bool) else 'none' }}
 
-{% if ansible_facts.os_family == 'Debian' -%}
+{% if ansible_facts.os_family == 'Debian' %}
 DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 {% endif %}
 
 # Reject keys that are explicitly blacklisted
 RevokedKeys /etc/ssh/revoked_keys
 
-{% if sftp_enabled -%}
+{% if sftp_enabled %}
 # SFTP matching configuration
 # ===========================
 # Configuration, in case SFTP is used
@@ -256,39 +261,51 @@ Match Group sftponly
     PermitRootLogin no
     X11Forwarding no
 {% endif %}
+{% if ssh_server_match_address %}
 
-{% if ssh_server_match_address -%}
 # Address matching configuration
 # ============================
 
-{% for item in ssh_server_match_address -%}
+{% for item in ssh_server_match_address %}
 Match Address {{ item.address }}
   {% for rule in item.rules %}
     {{ rule | indent(4) }}
   {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_group %}
 
-{% if ssh_server_match_group -%}
 # Group matching configuration
 # ============================
 
-{% for item in ssh_server_match_group -%}
+{% for item in ssh_server_match_group %}
 Match Group {{ item.group }}
   {% for rule in item.rules %}
     {{ rule | indent(4) }}
   {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_user %}
 
-{% if ssh_server_match_user -%}
 # User matching configuration
 # ===========================
 
-{% for item in ssh_server_match_user -%}
+{% for item in ssh_server_match_user %}
 Match User {{ item.user }}
   {% for rule in item.rules %}
     {{ rule | indent(4) }}
   {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_local_port %}
+
+# LocalPort matching configuration
+# ================================
+
+{% for item in ssh_server_match_local_port %}
+Match LocalPort {{ item.port }}
+  {% for rule in item.rules %}
+    {{ rule | indent(4) }}
+  {% endfor %}
+{% endfor %}
+{% endif %}

ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2

@@ -1,4 +1,5 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
+
 {% for key in ssh_server_revoked_keys %}
-{{key}}
+{{ key }}
 {% endfor %}

ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2

@@ -1,5 +1,5 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
 
-{% for item in ssh_trusted_user_ca_keys %}
-{{ item }}
+{% for key in ssh_trusted_user_ca_keys %}
+{{ key }}
 {% endfor %}

ansible/roles/dev-sec.ssh-hardening/tests/default.yml

@@ -7,25 +7,48 @@
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
-    - package: name="{{ packages }}" state=present
-      vars:
-        packages:
+    - yum:
+        name:
           - openssh-clients
           - openssh-server
           - libselinux-python
+        state: present
+        update_cache: true
       ignore_errors: true
-    - apt: name="{{packages}}" state=present update_cache=true
-      vars:
-        packages:
-          - "openssh-client"
-          - "openssh-server"
+
+    - dnf:
+        name:
+          - openssh-clients
+          - openssh-server
+          - procps-ng
+        state: present
+        update_cache: true
       ignore_errors: true
-    - file: path="/var/run/sshd" state=directory
+
+    - apt:
+        name:
+          - openssh-client
+          - openssh-server
+        state: present
+        update_cache: true
+      ignore_errors: true
+
+    - file:
+        path: "/var/run/sshd"
+        state: directory
+
+    - pacman:
+        name:
+          - "openssh"
+          - "awk"
+        state: present
+        update_cache: true
+      ignore_errors: true
+
     - name: create ssh host keys
       command: "ssh-keygen -A"
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or 
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or
             ansible_facts.distribution == "Amazon"
-
   roles:
     - ansible-ssh-hardening

ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml

@@ -7,23 +7,47 @@
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
-    - package: name="{{ packages }}" state=present
-      vars:
-        packages:
+    - yum:
+        name:
           - openssh-clients
           - openssh-server
           - libselinux-python
+        state: present
+        update_cache: true
       ignore_errors: true
-    - apt: name="{{packages}}" state=present update_cache=true
-      vars:
-        packages:
-          - "openssh-client"
-          - "openssh-server"
+
+    - dnf:
+        name:
+          - openssh-clients
+          - openssh-server
+          - procps-ng
+        state: present
+        update_cache: true
       ignore_errors: true
-    - file: path="/var/run/sshd" state=directory
+
+    - apt:
+        name:
+          - openssh-client
+          - openssh-server
+        state: present
+        update_cache: true
+      ignore_errors: true
+
+    - file:
+        path: "/var/run/sshd"
+        state: directory
+
+    - pacman:
+        name:
+          - "openssh"
+          - "awk"
+        state: present
+        update_cache: true
+      ignore_errors: true
+
     - name: create ssh host keys
       command: "ssh-keygen -A"
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or 
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or
             ansible_facts.distribution == "Amazon"
 
@@ -56,6 +80,9 @@
     sftp_enabled: true
     sftp_chroot: true
     #ssh_server_enabled: false
+    ssh_server_ports:
+      - 22
+      - 222
     ssh_server_match_address:
       - address: '192.168.1.1/24'
         rules:
@@ -71,6 +98,11 @@
         rules:
           - 'AllowTcpForwarding yes'
           - 'AllowAgentForwarding no'
+    ssh_server_match_local_port:
+      - port: 222
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']

ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml

@@ -0,0 +1,10 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+
+# CRYPTO_POLICY is not supported on Archlinux 
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false

ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root

ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel

ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel

ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml

@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root

ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml

@@ -0,0 +1,8 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false

ansible/roles/geerlingguy.docker/.ansible-lint

@@ -1,2 +1,3 @@
 skip_list:
   - '306'
+  - '106'

ansible/roles/geerlingguy.docker/.github/stale.yml

@@ -1,5 +1,5 @@
 # Configuration for probot-stale - https://github.com/probot/stale
-
+---
 # Number of days of inactivity before an Issue or Pull Request becomes stale
 daysUntilStale: 90
 

ansible/roles/geerlingguy.docker/.github/workflows/ci.yml

@@ -0,0 +1,72 @@
+---
+name: CI
+'on':
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "0 7 * * 0"
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.docker'
+
+jobs:
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'geerlingguy.docker'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install yamllint ansible-lint
+
+      - name: Lint code.
+        run: |
+          yamllint .
+          ansible-lint
+
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - centos8
+          - centos7
+          - ubuntu2004
+          - ubuntu1804
+          - debian10
+          - debian9
+          - fedora31
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'geerlingguy.docker'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}

ansible/roles/geerlingguy.docker/.github/workflows/release.yml

@@ -0,0 +1,38 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+  push:
+    tags:
+      - '*'
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.docker'
+
+jobs:
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'geerlingguy.docker'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install Ansible.
+        run: pip3 install ansible-base
+
+      - name: Trigger a new import on Galaxy.
+        run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

ansible/roles/geerlingguy.docker/.travis.yml

@@ -1,31 +0,0 @@
----
-language: python
-services: docker
-
-env:
-  global:
-    - ROLE_NAME: docker
-  matrix:
-    - MOLECULE_DISTRO: centos8
-    - MOLECULE_DISTRO: centos7
-    - MOLECULE_DISTRO: ubuntu1804
-    - MOLECULE_DISTRO: ubuntu1604
-    - MOLECULE_DISTRO: debian10
-    - MOLECULE_DISTRO: debian9
-
-install:
-  # Install test dependencies.
-  - pip install molecule yamllint ansible-lint docker
-
-before_script:
-  # Use actual Ansible Galaxy role name for the project directory.
-  - cd ../
-  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
-  - cd geerlingguy.$ROLE_NAME
-
-script:
-  # Run tests.
-  - molecule test
-
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible/roles/geerlingguy.docker/.yamllint

@@ -1,6 +1,11 @@
 ---
 extends: default
+
 rules:
   line-length:
     max: 200
     level: warning
+
+ignore: |
+  .github/stale.yml
+  .travis.yml

ansible/roles/geerlingguy.docker/README.md

@@ -1,6 +1,6 @@
 # Ansible Role: Docker
 
-[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker)
+[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI)
 
 An Ansible Role that installs [Docker](https://www.docker.com) on Linux.
 
@@ -28,7 +28,7 @@ You can control whether the package is installed, uninstalled, or at the latest
 Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`.
 
     docker_install_compose: true
-    docker_compose_version: "1.25.4"
+    docker_compose_version: "1.26.0"
     docker_compose_path: /usr/local/bin/docker-compose
 
 Docker Compose installation options.
@@ -39,17 +39,17 @@ Docker Compose installation options.
     docker_apt_ignore_key_error: True
     docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
 
-(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release.
+(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release.
 
 You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
 Usually in combination with changing `docker_apt_repository` as well.
 
     docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
-    docker_yum_repo_enable_edge: '0'
+    docker_yum_repo_enable_nightly: '0'
     docker_yum_repo_enable_test: '0'
     docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
 
-(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`.
+(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`.
 
 You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
 Usually in combination with changing `docker_yum_repository` as well.

ansible/roles/geerlingguy.docker/defaults/main.yml

@@ -11,10 +11,10 @@ docker_restart_handler_state: restarted
 
 # Docker Compose options.
 docker_install_compose: true
-docker_compose_version: "1.25.4"
+docker_compose_version: "1.26.0"
 docker_compose_path: /usr/local/bin/docker-compose
 
-# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed.
+# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
 docker_apt_release_channel: stable
 docker_apt_arch: amd64
 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
@@ -23,7 +23,7 @@ docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution |
 
 # Used only for RedHat/CentOS/Fedora.
 docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
-docker_yum_repo_enable_edge: '0'
+docker_yum_repo_enable_nightly: '0'
 docker_yum_repo_enable_test: '0'
 docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
 

ansible/roles/geerlingguy.docker/meta/.galaxy_install_info

@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:32:50 2020
-version: 2.7.0
+install_date: Sat Feb 20 13:56:42 2021
+version: 3.0.0

ansible/roles/geerlingguy.docker/meta/main.yml

@@ -2,6 +2,7 @@
 dependencies: []
 
 galaxy_info:
+  role_name: docker
   author: geerlingguy
   description: Docker for Linux.
   company: "Midwestern Mac, LLC"
@@ -23,6 +24,7 @@ galaxy_info:
       versions:
         - xenial
         - bionic
+        - focal
   galaxy_tags:
     - web
     - system

ansible/roles/geerlingguy.docker/molecule/default/converge.yml

@@ -8,5 +8,17 @@
       apt: update_cache=yes cache_valid_time=600
       when: ansible_os_family == 'Debian'
 
+    - name: Wait for systemd to complete initialization.  # noqa 303
+      command: systemctl is-system-running
+      register: systemctl_status
+      until: >
+        'running' in systemctl_status.stdout or
+        'degraded' in systemctl_status.stdout
+      retries: 30
+      delay: 5
+      when: ansible_service_mgr == 'systemd'
+      changed_when: false
+      failed_when: systemctl_status.rc > 1
+
   roles:
     - role: geerlingguy.docker

ansible/roles/geerlingguy.docker/molecule/default/molecule.yml

@@ -3,10 +3,6 @@ dependency:
   name: galaxy
 driver:
   name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
 platforms:
   - name: instance
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"

ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml

@@ -20,12 +20,13 @@
     group: root
     mode: 0644
 
-- name: Configure Docker Edge repo.
+- name: Configure Docker Nightly repo.
   ini_file:
     dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
-    section: 'docker-{{ docker_edition }}-edge'
+    section: 'docker-{{ docker_edition }}-nightly'
     option: enabled
-    value: '{{ docker_yum_repo_enable_edge }}'
+    value: '{{ docker_yum_repo_enable_nightly }}'
+    mode: 0644
 
 - name: Configure Docker Test repo.
   ini_file:
@@ -33,9 +34,17 @@
     section: 'docker-{{ docker_edition }}-test'
     option: enabled
     value: '{{ docker_yum_repo_enable_test }}'
+    mode: 0644
 
-- name: Install containerd separately (CentOS 8).
-  package:
-    name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
-    state: present
+- name: Configure containerd on RHEL 8.
+  block:
+    - name: Ensure container-selinux is installed.
+      package:
+        name: container-selinux
+        state: present
+
+    - name: Ensure containerd.io is installed.
+      package:
+        name: containerd.io
+        state: present
   when: ansible_distribution_major_version | int == 8

ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info

@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:27:04 2020
+install_date: Thu Feb 18 15:39:27 2021
 version: 5.1.1

ansible/roles/jnv.unattended-upgrades/.ansible-lint

@@ -0,0 +1,2 @@
+skip_list:
+  - '503'

ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml

@@ -0,0 +1,17 @@
+name: Ansible Lint check
+# visit https://github.com/marketplace/actions/ansible-lint for infos
+
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Lint Ansible Playbook
+      uses: ansible/ansible-lint-action@master
+      with:
+        targets: "."

ansible/roles/jnv.unattended-upgrades/README.md

@@ -46,8 +46,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
     * Default: `false` (don't send any e-mail)
 * `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade.
     * Default: `false`
-* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
+* `unattended_remove_unused_dependencies`: do automatic removal of all unused dependencies after the upgrade.
     * Default: `false`
+* `unattended_remove_new_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
+    * Default: `true`
 * `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade.
     * Default: `false`
 * `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade.
@@ -56,6 +58,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
     * Default: disabled
 * `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive.
     * Default: `false`
+* `unattended_syslog_enable`: Write events to syslog, which is useful in environments where syslog messages are sent to a central store.
+    * Default: `false`
+* `unattended_syslog_facility`: Write events to the specified syslog facility, or the daemon facility if not specified. Will only have affect if `unattended_syslog_enable` is set to `true`.
+    * Default: `daemon`
 * `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root.
     * Possible options:
       * `0`: no report