add blocks to crypto.yml checks

schurzi · schurzi · commit 83263cf8ceb7 · 2020-07-09T00:30:45.000+02:00
moved the check for user supplied settings to block head and reversed
order of assignments to compensate for the missing check on the set
variable

Signed-off-by: Martin Schurz &lt;Martin.Schurz@t-systems.com&gt;
diff --git a/tasks/crypto.yml b/tasks/crypto.yml
@@ -1,74 +1,80 @@
 ---
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
+- name: set hostkeys to default
+  when: not ssh_host_key_files
+  block:
+    - name: set hostkeys according to openssh-version if openssh >= 5.3
+      set_fact:
+        ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
+      when: sshd_version is version('5.3', '>=')
 
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
+    - name: set hostkeys according to openssh-version if openssh >= 6.0
+      set_fact:
+        ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+      when: sshd_version is version('6.0', '>=')
 
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
+    - name: set hostkeys according to openssh-version if openssh >= 6.3
+      set_fact:
+        ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
+      when: sshd_version is version('6.3', '>=')
 
-###
+- name: set macs to default
+  when: not ssh_macs
+  block:
+    - name: set macs according to openssh-version if openssh >= 5.3
+      set_fact:
+        ssh_macs: '{{ ssh_macs_53_default }}'
+      when: sshd_version is version('5.3', '>=')
 
-- name: set macs according to openssh-version if openssh >= 7.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_76_default }}'
-  when: sshd_version is version('7.6', '>=') and not ssh_macs
+    - name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
+      set_fact:
+        ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
+      when:
+        - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
+        - ansible_facts.distribution_version is version('6.5', '>=')
 
-- name: set macs according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_macs
+    - name: set macs according to openssh-version if openssh >= 5.9
+      set_fact:
+        ssh_macs: '{{ ssh_macs_59_default }}'
+      when: sshd_version is version('5.9', '>=')
 
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_macs
+    - name: set macs according to openssh-version if openssh >= 6.6
+      set_fact:
+        ssh_macs: '{{ ssh_macs_66_default }}'
+      when: sshd_version is version('6.6', '>=')
 
-- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
-  when:
-    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
-    - ansible_facts.distribution_version is version('6.5', '>=')
-    - not ssh_macs
+    - name: set macs according to openssh-version if openssh >= 7.6
+      set_fact:
+        ssh_macs: '{{ ssh_macs_76_default }}'
+      when: sshd_version is version('7.6', '>=')
 
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_macs
 
-###
+- name: set ciphers to default
+  when: not ssh_ciphers
+  block:
+    - name: set ciphers according to openssh-version if openssh >= 5.3
+      set_fact:
+        ssh_ciphers: '{{ ssh_ciphers_53_default }}'
+      when: sshd_version is version('5.3', '>=')
 
-- name: set ciphers according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_ciphers
+    - name: set ciphers according to openssh-version if openssh >= 6.6
+      set_fact:
+        ssh_ciphers: '{{ ssh_ciphers_66_default }}'
+      when: sshd_version is version('6.6', '>=')
 
-- name: set ciphers according to openssh-version
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_ciphers
+- name: set kex to default
+  when: not ssh_kex
+  block:
+    - name: set kex according to openssh-version if openssh >= 5.9
+      set_fact:
+        ssh_kex: '{{ ssh_kex_59_default }}'
+      when: sshd_version is version('5.9', '>=')
 
-###
+    - name: set kex according to openssh-version if openssh >= 6.6
+      set_fact:
+        ssh_kex: '{{ ssh_kex_66_default }}'
+      when: sshd_version is version('6.6', '>=')
 
-- name: set kex according to openssh-version if openssh >= 8.0
-  set_fact:
-    ssh_kex: '{{ ssh_kex_80_default }}'
-  when: sshd_version is version('8.0', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_kex: '{{ ssh_kex_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version
-  set_fact:
-    ssh_kex: '{{ ssh_kex_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_kex
+    - name: set kex according to openssh-version if openssh >= 8.0
+      set_fact:
+        ssh_kex: '{{ ssh_kex_80_default }}'
+      when: sshd_version is version('8.0', '>=')
