add blocks to crypto.yml checks

[schurzi]

moved the check for user supplied settings to block head and reversed
order of assignments to compensate for the missing check on the set
variable

Signed-off-by: Martin Schurz Martin.Schurz@t-systems.com

[schurzi]

related to #256

At first I treid to order this by version, but that just destroyed the ordering of all common variables. Instead I tried to cut out the check for the base variable we want to set here. This made a lot more sense to me. What do you think @rndmh3ro ?

Also as a consequence te assignments are now reversed (in natural ascending order) since the last task will override all previous settings. That should pose no problem, since the highest version wins and is also more natural to extend by simply putting the new stuff at the end.

[rndmh3ro]

Also as a consequence te assignments are now reversed (in natural ascending order) since the last task will override all previous settings. That should pose no problem, since the highest version wins and is also more natural to extend by simply putting the new stuff at the end.

Sadly that's not the case with Ansible. The docs state: "In the example above, each of the 3 tasks will be executed after appending the when condition from the block and evaluating it in the task’s context. "

This means that the condidition when: not ssh_host_key_files gets added to all three tasks and then the tasks get executed.

So the first task runs like this after applying the block-condition:

    - name: set hostkeys according to openssh-version if openssh >= 5.3
      set_fact:
        ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
      when:
        - sshd_version is version('5.3', '>=')
        - not ssh_host_key_files

Since ssh_host_key_files is not set yet, the task successfully runs.

Then the second task runs:

    - name: set hostkeys according to openssh-version if openssh >= 6.0
      set_fact:
        ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
      when:
        - sshd_version is version('6.0', '>=')
        - not ssh_host_key_files

This task gets skipped because ssh_host_key_files is set from the previous task.

This means we have to reverse the order again so the task with the latest sshd_version runs first. Unless you can think of an even better idea.

[schurzi]

you are absolutely right! However I really like the natural ordering and want to preserve this.

One option would be to use include_task with a when condition and split this up in separate files, how about that?

[rndmh3ro]

One option would be to use include_task with a when condition and split this up in separate files, how about that?

We'd then have to create and include at least 6 new files (one for every version of ssh where ciphers, macs etc. change). Not to forget that the variables still have to be overrideable.
Does this make it easier to understand, read and debug?

[schurzi]

I'd rather not do this for versions, but for the differen variables, so one file for each: kex, hostkeys, macs and ciphers.
So 4 extra files with tightly coupled contents.

[rndmh3ro]

And how will do it with the ordering then? You can also just push some code to show what you mean.

[schurzi]

ok, so how about this way?

[rndmh3ro]

I like it that way. However could you please intergrate the include-tasks in the crypto.yml back into the hardening.yml? There's no need anymore for this additional layer.