Merge pull request #419 from treydock/fixes

Notify sshd when conf.d files change

Author: ghoneycutt

manifests/config_file_server.pp

@@ -43,5 +43,6 @@
     group   => $group,
     mode    => $mode,
     content => epp('ssh/config_file.epp', { 'lines' => $lines, 'custom' => $custom }),
+    notify  => $ssh::server::notify_service,
   }
 }

manifests/server.pp

@@ -605,6 +605,12 @@
     $packages_require = undef
   }
 
+  if $manage_service {
+    $notify_service = Service['sshd_service']
+  } else {
+    $notify_service = undef
+  }
+
   file { 'sshd_config' :
     ensure  => file,
     path    => $config_path,
@@ -626,7 +632,7 @@
       recurse => $include_dir_purge,
       force   => $include_dir_purge,
       require => $packages_require,
-      notify  => Service['sshd_service'],
+      notify  => $notify_service,
     }
   } else {
     $include_dir = undef

spec/classes/server_spec.rb

@@ -106,6 +106,7 @@
             purge: 'true',
             recurse: 'true',
             force: 'true',
+            notify: 'Service[sshd_service]',
           )
         end
       else
@@ -143,7 +144,7 @@
     supported_os: [
       {
         'operatingsystem'        => 'RedHat',
-        'operatingsystemrelease' => ['7'],
+        'operatingsystemrelease' => ['8'],
       },
     ],
   }

spec/defines/config_file_server_spec.rb

@@ -31,11 +31,25 @@
             'group'   => 'root',
             'mode'    => '0600',
             'content' => content_header,
+            'notify'  => 'Service[sshd_service]',
           },
         )
       end
     end
 
+    context 'when not managing the sshd service' do
+      let(:pre_condition) do
+        <<-PP
+          class { 'ssh::server':
+            manage_service => false,
+          }
+        PP
+      end
+
+      it { is_expected.to compile.with_all_deps }
+      it { is_expected.to contain_file('/etc/ssh/sshd_config.d/ing.conf').without_notify }
+    end
+
     context "on #{os} with ensure set to valid value" do
       let(:params) { { ensure: 'absent' } }
 

spec/fixtures/testing/Debian-11_sshd_config

@@ -3,9 +3,9 @@
 #
 # See https://man.openbsd.org/sshd_config for more info
 
+Include /etc/ssh/sshd_config.d/*.conf
 AcceptEnv LANG
 AcceptEnv LC_*
-Include /etc/ssh/sshd_config.d/*.conf
 KbdInteractiveAuthentication no
 PrintMotd no
 Subsystem sftp /usr/lib/openssh/sftp-server

spec/fixtures/testing/RedHat-9_sshd_config

@@ -3,6 +3,6 @@
 #
 # See https://man.openbsd.org/sshd_config for more info
 
-AuthorizedKeysFile .ssh/authorized_keys
 Include /etc/ssh/sshd_config.d/*.conf
+AuthorizedKeysFile .ssh/authorized_keys
 Subsystem sftp /usr/libexec/openssh/sftp-server

spec/fixtures/testing/Ubuntu-20.04_sshd_config

@@ -3,6 +3,7 @@
 #
 # See https://man.openbsd.org/sshd_config for more info
 
+Include /etc/ssh/sshd_config.d/*.conf
 AcceptEnv LANG
 AcceptEnv LC_ADDRESS
 AcceptEnv LC_ALL
@@ -27,7 +28,6 @@ GSSAPICleanupCredentials yes
 HostbasedAuthentication no
 IgnoreRhosts yes
 IgnoreUserKnownHosts no
-Include /etc/ssh/sshd_config.d/*.conf
 KbdInteractiveAuthentication yes
 LoginGraceTime 120
 PasswordAuthentication yes

spec/fixtures/testing/Ubuntu-22.04_sshd_config

@@ -3,9 +3,9 @@
 #
 # See https://man.openbsd.org/sshd_config for more info
 
+Include /etc/ssh/sshd_config.d/*.conf
 AcceptEnv LANG
 AcceptEnv LC_*
-Include /etc/ssh/sshd_config.d/*.conf
 KbdInteractiveAuthentication no
 PasswordAuthentication yes
 PrintMotd no

templates/sshd_config.erb

@@ -3,6 +3,9 @@
 #
 # See https://man.openbsd.org/sshd_config for more info
 
+<% if @include != nil -%>
+Include <%= @include %>
+<% end -%>
 <% if @accept_env != nil -%>
 <%   @accept_env.each do |v| -%>
 AcceptEnv <%= v %>
@@ -132,9 +135,6 @@ IgnoreRhosts <%= @ignore_rhosts %>
 <% if @ignore_user_known_hosts != nil -%>
 IgnoreUserKnownHosts <%= @ignore_user_known_hosts %>
 <% end -%>
-<% if @include != nil -%>
-Include <%= @include %>
-<% end -%>
 <% if @ip_qos != nil -%>
 IPQoS <%= @ip_qos %>
 <% end -%>