From a111a20cc851c6858e6842aecc5183feaa4c2d62 Mon Sep 17 00:00:00 2001
From: sjat
Date: Sun, 14 Jun 2026 16:47:42 +0200
Subject: [PATCH] test(base): Molecule coverage for ssh hardening + fail2ban

Add explicit base__ssh_authorised_keys: [] default to prevent undefined-var errors in Molecule. Extend verify.yml with sshd drop-in validation, PasswordAuthentication check, and fail2ban jail assertion. Pre-create /run/sshd in ssh.yml so sshd -t works in containers before the service has ever started.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 roles/base/defaults/main.yml | 1 +
 roles/base/molecule/default/verify.yml | 15 +++++++++++++++
 roles/base/tasks/ssh.yml | 8 ++++++++
 3 files changed, 24 insertions(+)

diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
index 19832e3..cbdf34d 100644
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -19,3 +19,4 @@ base__fail2ban_maxretry: 5
 base__fail2ban_bantime: 1h
 base__fail2ban_findtime: 10m
 # base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
+base__ssh_authorised_keys: []
diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
index 86326be..25056d0 100644
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@@ -47,3 +47,18 @@
 - name: Syntax-check the rendered ruleset (no apply)
 ansible.builtin.command: nft -c -f /etc/nftables.conf
 changed_when: false
+
+ - name: Sshd drop-in present and config valid
+ ansible.builtin.command: sshd -t
+ changed_when: false
+ tags: [verify]
+
+ - name: PasswordAuthentication is disabled
+ ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
+ changed_when: false
+ tags: [verify]
+
+ - name: Fail2ban sshd jail configured
+ ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
+ changed_when: false
+ tags: [verify]
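Review bot: The new `base__ssh_authorised_keys: []` default contradicts the context comment directly above it, which says the variable lives in group_vars/all/vars.yml, and an empty list is a risky fallback: if an inventory is ever run without that group_vars file the role deploys no control keys while (per the verify.yml hunk) password authentication is disabled, so the host is locked out silently instead of the play failing fast. Keep the Molecule-friendly default but make the intent explicit, e.g. replace the comment with `# Empty by default so Molecule runs without group_vars; real control keys are set in group_vars/all/vars.yml.` and guard the task that deploys the keys with an `ansible.builtin.assert` on `base__ssh_authorised_keys | length > 0`, with an explicit opt-out variable (constructed example: `base__allow_empty_authorised_keys`) that only the Molecule scenario sets.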
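Review bot: The PasswordAuthentication task greps only the drop-in 10-boma.conf, so it does not prove the setting is effective: sshd keeps the first value it reads, and a main sshd_config that sets `PasswordAuthentication yes` before its `Include`, or an earlier-sorted drop-in, would still pass this test. Assert the effective configuration instead, e.g. `ansible.builtin.shell: sshd -T | grep -q '^passwordauthentication no'` (keys are lowercased in `-T` output), which would also make the first new task's name "drop-in present" true rather than only "config parses". The fail2ban task likewise only checks that the `[sshd]` header exists, not that the jail is enabled; `grep -Eq '^enabled\s*=\s*true' /etc/fail2ban/jail.d/sshd.local` (or `fail2ban-client status sshd` when the service runs in the container) asserts what the name claims. The `tags: [verify]` on the three new tasks is absent from the existing nft tasks in this hunk; tag all or none for consistency.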
diff --git a/roles/base/tasks/ssh.yml b/roles/base/tasks/ssh.yml
index 8ef7eba..82aecee 100644
--- a/roles/base/tasks/ssh.yml
+++ b/roles/base/tasks/ssh.yml
@@ -14,6 +14,14 @@
 mode: "0644"
 notify: reload sshd
+- name: Ensure sshd privilege-separation directory exists (required for sshd -t)
+ ansible.builtin.file:
+ path: /run/sshd
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+
 - name: Validate the full sshd config (drop-in included)
 ansible.builtin.command: sshd -t
 changed_when: false
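Review bot: The new `/run/sshd` task only makes `sshd -t` runnable; `sshd -t` still passes when the drop-in is never read (no `Include /etc/ssh/sshd_config.d/*.conf` in the main sshd_config), so the following task's name "drop-in included" is not backed by the check — `sshd -T` piped through a grep on a value the drop-in sets would verify the effective config. The directory task itself is correct, since sshd refuses to start when the privilege-separation directory is not root-owned or is group- or world-writable, so a comment such as `# sshd requires root:root and no group/world write on this dir; do not loosen the mode` would protect `mode: "0755"` from a later edit. The validate task's body may continue past the end of the hunk.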