change vars to bool, put comments inside block

Sebastian Gumprich · Sebastian Gumprich · commit 02d96bfae93b · 2017-06-04T18:48:27.000+02:00
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -9,10 +9,6 @@ driver:
 transport:
   max_ssh_sessions: 5
 
-transport:
-  max_ssh_sessions: 5
-
-
 provisioner:
   name: ansible_playbook
   hosts: all
@@ -26,6 +22,7 @@ provisioner:
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
+  ansible_diff: true
   ansible_extra_flags:
     - "--skip-tags=sysctl"
 
diff --git a/default.yml b/default.yml
@@ -27,7 +27,7 @@
     ssh_client_cbc_required: true
     ssh_client_weak_kex: true
     ssh_challengeresponseauthentication: true
-    ssh_compression: 'yes'
+    ssh_compression: true
     ssh_allow_users: 'root kitchen vagrant'
     ssh_allow_groups: 'root kitchen vagrant'
     ssh_deny_users: 'foo bar'
@@ -55,7 +55,7 @@
     ssh_use_dns: true
     ssh_use_pam: true
 
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
-  hosts: localhost
-  roles:
-    - ansible-ssh-hardening
+#- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+#  hosts: localhost
+#  roles:
+#    - ansible-ssh-hardening
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -7,7 +7,8 @@
 # ===================
 
 # Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}
+PermitRootLogin {% if ssh_allow_root_with_key|bool %} without-password {% else %} no {% endif %}
+#PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' | bool }}
 
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}
@@ -220,12 +221,13 @@ Banner {{ '/etc/ssh/banner.txt' if ssh_banner else 'none' }}
 DebianBanner {{ 'yes' if ssh_print_debian_banner else 'no' }}
 {% endif %}
 
+{% if sftp_enabled %}
 # SFTP matching configuration
 # ===========================
-{% if sftp_enabled %}
 # Configuration, in case SFTP is used
 # override default of no subsystems
 # Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+
 Subsystem sftp internal-sftp -l INFO -f LOCAL6
 
 # These lines must appear at the *end* of sshd_config
@@ -239,23 +241,23 @@ PermitRootLogin no
 X11Forwarding no
 {% endif %}
 
+{% if ssh_server_match_group %}
 # Group matching configuration
 # ============================
 
-{% if ssh_server_match_group %}
 {% for item in ssh_server_match_group %}
 Match Group {{ item.group }}
     {{ item.rules | indent(4) }}
 {% endfor %}
 {% endif %}
 
+
+{% if ssh_server_match_user %}
 # User matching configuration
 # ===========================
 
-{% if ssh_server_match_user %}
 {% for item in ssh_server_match_user %}
 Match User {{ item.user }}
     {{ item.rules | indent(4) }}
 {% endfor %}
 {% endif %}
-
